https://wiki.owasp.org/api.php?action=feedcontributions&user=Dallendoug&feedformat=atom
OWASP - User contributions [en] 2024-03-29T08:35:01Z User contributions MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=Washington_DC&diff=162012 Washington DC 2013-10-30T04:15:49Z
<p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
= Welcome =<br />
<br />
<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br><br />
<br />
* THIS CHAPTER IS CURRENTLY INACTIVE. WE HOPE TO BRING IT BACK BEFORE THE END OF 2013.<br />
<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
<br />
<br />
= Meetings & Events =<br />
<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br><br><br />
<br />
'''Next Meeting - HAS BEEN CANCELED'''<br />
<br />
The next meeting will be on Thursday, September 27, 2012 from 6:30 PM to 8:30 PM (EDT) at <br />
<br />
'''Location:''' LivingSocial HQ 1445 New York Ave NW Washington, DC (http://goo.gl/maps/PQ1Ad) 2nd Floor, Golf Cart Conference Room<br />
<br />
Please RSVP for the event here: http://owaspdc.eventbrite.com/<br />
<br />
'''Speaker:''' Jan Poczobutt, Director of Enterprise ADC & WAF, Barracuda Networks<br />
<br />
'''Presentation Overview:''' Enterprise data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. Jan Poczobutt, Director of Enterprise ADC & WAF at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.<br />
<br />
= Participation =<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br><br><br />
<br />
= Twitter =<br />
<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter><br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
= News & Recent Meetings =<br />
<br />
Archives from meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br><br><br />
<br />
'''July 2012 Meeting'''<br />
<br />
<br />
'''Topic''': OWASP Top Ten Tools and Tactics<br />
<br />
'''Abstract''': If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.<br />
<br />
'''Bio''': Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th ranked Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).<br />
<br />
'''8:15-9:15 Speaker''': Kevin Johnson<br />
<br />
'''Topic''': Ninja Assessments: Stealth Security Testing for Organizations<br />
<br />
'''Abstract''': Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of the web applications. These techniques are designed to be implemented easily and with little impact on the work load of the staff.<br />
<br />
'''Bio''': Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.<br />
<br />
'''May 2012 Meeting'''<br />
<br />
'''Speaker''': Rohit Sethi, Vice President, Product Development, SD Elements<br />
<br />
'''Topic''': Is There An End to Testing Ourselves Secure?<br />
<br />
'''Abstract''': Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby causing either project delays or risk acceptance.<br />
<br />
This talk is an open discussion about the presence, if any, of scalable, measurable approaches for building security into the SDLC. How Agile development affects their effectiveness will also be explored.<br />
<br />
Points of discussion include:<br />
<br />
* Is static analysis sufficient?<br />
* Developer awareness training<br />
* Threat modeling / architecture analysis<br />
* Secure requirements<br />
* Considerations for procured applications<br />
<br />
'''Bio''': Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.<br />
<br />
Register for the meeting at http://owaspdc.eventbrite.com/<br />
<br />
'''March 2012 Meeting'''<br />
<br />
March 15th at 6:30-7:30pm at LivingSocial's [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] office location on the first floor at the @hungryacademy.<br><br />
<br />
Please RSVP for the event here: http://owaspdc.eventbrite.com/<br />
<br />
'''Speaker''': Alissa Torres<br />
<br />
'''Topic''': Application Footprinting<br />
<br />
'''Abstract''': Application footprinting is a great skill for forensic examiners (and anyone interested in binary research) because it allows you to marry artifacts in the registry, file creation, and time/date stamps with specific applications or user-initiated events. Eventually, during the course of an investigation, an examiner is going to run into a "new" problem - one that hasn't previously been experienced or researched by others in the field. Application footprinting is a simple method that examines the interaction of a program with the operating system. The process of footprinting will determine whether the application was installed on the system being investigated, what trace evidence exists, and how that evidence can be mined. This presentation will include a demo of Active Registry Monitor and its use in tracking changes made to the Windows Registry by an open source ssh client.<br />
<br />
'''Bio''': Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years of technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments, and holds a Bachelor’s degree from the University of Virginia and a Master’s in Information Technology from the University of Maryland. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.<br />
<br />
'''December 2011 Meeting'''<br />
<br />
'''The December 21st meeting was held at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
<br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages<br />
<br />
* '''Ken Johnson''' and (maybe) '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
'''Location Info''' Please come up to the second floor; we'll be meeting in the room off the Living Social kitchen area.<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
::Ken Johnson is a Senior Security Architect for LivingSocial.com responsible for securing mobile applications, web services and web applications. Additionally he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with Sushi or getting demolished in Call of Duty.<br><br><br />
<br />
:'''Chris Gates'''<br />
<br />
::TBD<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
<br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
<br />
<br />
:'''John Steven'''<br />
<br />
<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br />
<br><br><br />
<br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br />
<br><br><br />
<br />
:'''Krystal Moon'''<br />
<br />
<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
<br />
<br />
:'''Quang Pham'''<br />
<br />
<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br />
<br><br><br />
<br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informational use only and as a good starting point for the relevant practices.<br />
<br />
<br />
<br />
:::'''Secure Coding'''<br />
<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br />
'''August 2011 Meeting'''<br />
<br />
<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br />
<br><br />
<br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
'''About our Speaker'''<br />
<br />
<br />
<br />
:'''Julian Cohen'''<br />
<br />
<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
<br />
<br />
:'''Abstract'''<br />
<br />
<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass the Same-Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and the W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly), and how it can be exploited by a malicious attacker.<br />
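The improper-versus-proper CORS implementation the abstract refers to, as an added example written for this page (not code from the OWASP DC chapter or from the talk): the weak server-side pattern that echoes any Origin with credentials, the hardened allow-list version, and an audit helper that flags the risky response headers. The function names, origins and allow-list are constructed assumptions.

```javascript
// Added example (not code from the OWASP DC page or from the talk): server-side
// CORS origin handling, the weak pattern beside the hardened one, plus a small audit.
// Names, origins and the allow-list below are assumptions constructed for this example.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak pattern: echo whatever Origin header arrived and allow credentials.
// The browser will then let any site's XMLHttpRequest read the authenticated
// response, which is the cross-origin inclusion the abstract refers to.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact match against a fixed allow-list. Unknown origins get
// no CORS headers at all, so the browser blocks script access to the response.
// Vary: Origin keeps shared caches from serving one origin's grant to another.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit: given the Origin a probe request sent and the response headers that
// came back, list the risky configurations seen. `allowed` is the set of
// origins the deployer intends to trust; a probe origin outside that set that
// is echoed back together with credentials is the reflection bug.
function auditCors(probeOrigin, headers, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === undefined) return findings; // no CORS grant: nothing is exposed
  if (acao === "*" && creds) findings.push("wildcard-with-credentials");
  if (acao === "null") findings.push("null-origin-allowed");
  if (acao === probeOrigin && creds && !allowed.has(probeOrigin)) {
    findings.push("reflected-origin-with-credentials");
  }
  const vary = (headers["Vary"] || "").split(",").map((v) => v.trim());
  if (acao !== "*" && !vary.includes("Origin")) findings.push("missing-vary-origin");
  return findings;
}

// Constructed sample run: a probe from an origin that is not on the allow-list.
function demo() {
  const probe = "https://not-trusted.example";
  return {
    weak: auditCors(probe, weakCorsHeaders(probe)),
    strict: auditCors(probe, strictCorsHeaders(probe)),
  };
}

console.log(JSON.stringify(demo()));
```

The same `auditCors` check can be pointed at captured response headers from a staging deployment, using a probe origin you control that is deliberately absent from the allow-list.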
<br />
<br />
<br />
<br><br />
<br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br />
'''July 2011 Meeting'''<br />
<br />
<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here]<br />
<br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
'''About our Speakers'''<br />
<br />
<br />
<br />
:'''Jack Mannino'''<br />
<br />
<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
<br />
<br />
:'''Abstract'''<br />
<br />
<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
<br />
<br><br />
<br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br />
'''March 2010 Meeting'''<br />
<br />
<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
<br />
<br />
'''Jeff Ennis'''<br />
<br />
<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years of experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
<br />
<br />
:'''Abstract'''<br />
<br />
<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into the security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
<br />
<br />
'''Dan Philpott'''<br />
<br />
<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
<br />
<br />
'''Chuck Willis'''<br />
<br />
<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
<br />
<br />
'''December 2009 Meeting'''<br />
<br />
<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
<br />
* We will be talking about the coming year and upcoming events<br />
<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
<br />
<br />
'''Addition to Agenda'''<br />
<br />
<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
<br />
<br />
'''September 2009 Meeting'''<br />
<br />
<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
'''About our speakers:'''<br />
<br />
<br />
<br />
'''Matthew Flick, Principal'''<br />
<br />
'''FYRM Associates'''<br />
<br />
<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background, spanning over a decade, includes forensics, leading penetration tests, application security services, and teaching others to do the same.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
<br />
<br />
*The meeting was held on [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
<br />
<br />
About our speakers:<br />
<br />
<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
<br />
<br />
We'd also like to thank:<br />
<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
<br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
<br />
<br />
Parking on campus is at a premium, and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
<br />
<br />
This month's agenda:<br />
<br />
<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
<br />
* 7:45 - 8:00 Break<br />
<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
<br />
<br />
Parking on campus is at a premium, and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
<br />
<br />
We also took care of some housekeeping stuff:<br />
<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at the George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here]<br />
<br />
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
<br />
<br />
This month's agenda is as follows:<br />
<br />
<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
<br />
* Round table Discussion of Portugal Summit<br />
<br />
* Open discussion<br />
<br />
<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools, and Yokoso! projects.<br />
<br />
<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth, and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA, and the University of Florida.<br />
<br />
<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
<br />
<br />
This month's agenda is as follows:<br />
<br />
<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
<br />
* Open discussion<br />
<br />
<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVA, and we are pleased that he is able to bring it to our DC audience.<br />
<br />
<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged there, and talk about some of the directions OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
= History =<br />
<br />
<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<br />
<br />
<br />
<headertabs /><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<paypal>Washington DC</paypal><br />
<br />
<br><br />
<br />
<br><br />
<br />
September Meeting:<br><br />
<br />
<br><br />
<br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
<br />
[[Category:Washington, DC]]<br />
<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Proactive_risk_mitigation_within_the_Software_Development_Lifecycle_(SDLC)&diff=127562OWASP AppSec DC 2012/Proactive risk mitigation within the Software Development Lifecycle (SDLC)2012-04-07T22:15:27Z<p>Dallendoug: changed speaker name in header to correct one.</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
For the past 5 years, I have worked at two organizations and built out application security programs at each. In this presentation I will share with you what I have learned and what has worked for me while building out an application security program at two separate organizations.<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Joe White===<br />
[[Image:Owasp_logo_normal.jpg|left]]Joe White has 20+ years of technical experience, including 10+ years focused on security. Joe has hands-on, real-world pen testing experience and has built application security programs at two separate organizations. Joe has presented at an OWASP conference once before, at OWASP NYC (2008), where his presentation was titled "Web Application Security Roadmap".<br />
<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts&diff=126998OWASP AppSec DC 2012/Hacking NETC Applications The Black Arts2012-03-28T02:05:40Z<p>Dallendoug: </p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
This talk will focus on attacking .NET Desktop Applications (EXE/DLL/Live Memory).<br>Both WhiteHat and BlackHat hacking will be shown on common security concerns such as intellectual property protection systems and licensing systems.<br>This presentation will have a new drop of forensic info on what can be accessed about a .NET application, with basic info targeted at Malware Analysis and Live/Dead System Forensics.<br>Last year I showed how to bend .NET applications and the Runtime; this year I will show how to break the rules. I will break rules like executing ASM and injecting compiled IL (byte code) into signed and protected EXE/DLLs. I will show some Black Arts like making Malware/Key-Gens/Cracks.<br>The tools shown will be available from [[http://digitalbodyguard.com DigitalBodyGuard.com]].<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Jon McCoy===<br />
[[Image:Jon_McCoy.jpg|left]]Jon McCoy is a .NET Software Engineer who focuses on security and forensics, and the founder of [[http://digitalbodyguard.com DigitalBodyGuard.com]]. He has worked on a number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework, he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts&diff=126997OWASP AppSec DC 2012/Hacking NETC Applications The Black Arts2012-03-28T01:22:33Z<p>Dallendoug: updated w/ picture, bio and link to website</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
This talk will focus on attacking .NET Desktop Applications (EXE/DLL/Live Memory).<br>Both WhiteHat and BlackHat hacking will be shown on common security concerns such as intellectual property protection systems and licensing systems.<br>This presentation will have a new drop of forensic info on what can be accessed about a .NET application, with basic info targeted at Malware Analysis and Live/Dead System Forensics.<br>Last year I showed how to bend .NET applications and the Runtime; this year I will show how to break the rules. I will break rules like executing ASM and injecting compiled IL (byte code) into signed and protected EXE/DLLs. I will show some Black Arts like making Malware/Key-Gens/Cracks.<br>This speech will have a second follow-up speech on protection systems: Hacking .NET(C#) Applications: Protection Systems.<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Jon McCoy===<br />
[[Image:Jon_McCoy.jpg|left]]Jon McCoy is a .NET Software Engineer who focuses on security and forensics, and the founder of [[http://digitalbodyguard.com DigitalBodyGuard.com]]. He has worked on a number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework, he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Schedule/4-5-2012&diff=126956OWASP AppSec DC 2012/Schedule/4-5-20122012-03-27T01:47:31Z<p>Dallendoug: updated schedule w/ room numbers</p>
<hr />
<div>{| border=1 <br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5"> '''Plenary Day 2 - 4/5/2012'''</font><br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd |<br />
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Critical Infrastructure<br>Room 201<br />
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Defend&#33;<br>Room 202A<br />
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | On the Go<br>Room 202B<br />
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | SDLC<br>Room 206<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 9:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd rowspan=2 | 9:00 AM - 9:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center rowspan=2 | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Pentesting_Smart_Grid_Web_Apps Pentesting Smart Grid Web Apps]<br><br><br />
Justin Searle<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Friends_dont_let_friends_store_passwords_in_source_code Friends don't let friends store passwords in source code]<br><br><br />
Neil Matatall<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center rowspan=2 | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Smart_Bombs_Mobile_Vulnerability_and_Exploitation Smart Bombs: Mobile Vulnerability and Exploitation]<br><br><br />
Kevin Johnson, John Sawyer and Tom Eston<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=2 | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing Overcoming the Quality vs. Quantity Problem in Software Security Testing]<br><br><br />
Rafal Los<br />
|-<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Web_Application_Defense_with_Bayesian_Attack_Analysis Web Application Defense with Bayesian Attack Analysis]<br><br><br />
Ryan Barnett<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 9:50 AM - 10:00 AM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems Vulnerabilities in Industrial Control Systems]<br><br><br />
ICS-CERT<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Access_Control Access Control]<br><br><br />
Jim Manico<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Software_Security_Goes_Mobile Software Security Goes Mobile]<br><br><br />
Jacob West<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Baking_In_Security_Sweet_Secure_Cupcakes Baking In Security, Sweet, Secure, Cupcakes]<br><br><br />
Ken Johnson and Matt Ahrens<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:50 AM - 11:00 AM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/AMI_Security AMI Security]<br><br><br />
John Sawyer and Don Weber<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/SharePoint_Security_101 SharePoint Security 101]<br><br><br />
Rob Rachwald<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Behind_Enemy_Lines__Practical_Triage_Approaches_to_MobileSecurity_Abroad__2012_Edition Behind Enemy Lines - Practical Triage Approaches to Mobile Security Abroad - 2012 Edition]<br><br><br />
Justin Morehouse<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Understanding_IAST__More_Context_Better_Analysis Understanding IAST - More Context, Better Analysis]<br><br><br />
Jeff Williams<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 1:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 1:00 PM - 1:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Project_Basecamp_News_from_Camp_4 Project Basecamp: News from Camp 4]<br><br><br />
Reid Wightman<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Enterprise_Security_API_ESAPI_for_C_Plus_Plus Enterprise Security API (ESAPI) for C Plus Plus]<br><br><br />
Dan Amodio<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment Whack-a-Mobile II: Mobile App Pen Testing with the MobiSec Live Environment]<br><br><br />
Kevin Johnson and Tony Delagrange<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Baking_Security_In__How_to_Get_Every_IT_Architect_toBecome_a_Security_Ambassador Baking Security In - How to Get Every IT Architect to Become a Security Ambassador]<br><br><br />
Michele Guel<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 1:50 PM - 2:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:00 PM - 2:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Real_world_backdoors_on_industrial_devices Real world backdoors on industrial devices]<br><br><br />
Ruben Santamarta<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dynamic_DASTWAF_Integration Dynamic DAST/WAF Integration]<br><br><br />
Ryan Barnett<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications An In-Depth Introduction to the Android Permissions Model, and How to Secure Multi-Component Applications]<br><br><br />
Jeff Six<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Teaching_an_Old_Dog_New_Tricks_Securing_Development_withPMD Teaching an Old Dog New Tricks: Securing Development with PMD]<br><br><br />
Joe Hemler<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:50 PM - 3:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:00 PM - 3:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Denial_of_Surface Denial of Surface.]<br><br><br />
Eireann Leverett<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Cloudbased_dWAF_A_Real_World_Deployment_Case_Study Cloud-based dWAF: A Real World Deployment Case Study]<br><br><br />
Alexander Meisel<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Android_in_the_Healthcare_Workplace_A_Case_Study Android in the Healthcare Workplace A Case Study]<br><br>Thomas Richards<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors What can an Acquirer do to prevent developers from make dangerous software errors?]<br><br><br />
Michele Moss and Don Davidson<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:50 PM - 4:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:00 PM - 4:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Securing_Critical_Infrastructure Securing Critical Infrastructure]<br><br><br />
Francis Cianfrocca<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Using_PHPIDS_to_Understand_Attacks_Trends Using PHPIDS to Understand Attacks Trends]<br><br><br />
Salvador Grec<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Mobile_Application_Security__Who_how_and_why Mobile Application Security - Who, how and why]<br><br><br />
Mike Park and Charles Henderson<br />
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Private_information_Protection_in_Cloud_Computing___LawsCompliance_and_Cloud_Security_Misconceptions Private information Protection in Cloud Computing _ Laws, Compliance and Cloud Security Misconceptions]<br><br><br />
Mikhail Utin and Daniil Utin<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 5:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Closing Remarks<br>Room 202A<br />
|}</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Schedule/4-4-2012&diff=126955OWASP AppSec DC 2012/Schedule/4-4-20122012-03-27T01:46:03Z<p>Dallendoug: updated schedule w/ room numbers</p>
<hr />
<div>{| border=1 <br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5"> '''Plenary Day 1 - 4/4/2012'''</font><br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd |<br />
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools<br>Room 201<br />
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies<br>Room 202A<br />
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT<br>Room 202B<br />
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate&#33;<br>Room 206<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks<br>Room 202A<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM<br />
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer]<br>Room 202A<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board]<br>Room 202A<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense DOMJacking - Attack, Exploit and Defense]<br><br><br />
Shreeraj Shah<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries The Unfortunate Reality of Insecure Libraries]<br><br><br />
Jeff Williams and Arshan Dabirsiaghi<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2 Python Basics for Web App Pentesters - Part 2]<br><br><br />
Justin Searle<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement Integrating Application Security into your Lifecycle and Procurement]<br><br><br />
Jim Manico<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit Attacking CAPTCHAs for Fun and Profit]<br><br><br />
Gursev Singh Kalra<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Case_Study_How_New_Software_Assurance_Policy_Reduces_Riskand_Costs Case Study: How New Software Assurance Policy Reduces Risk and Costs]<br><br><br />
Rob Roy<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed]<br><br><br />
Joshua Corman<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:00 PM - 2:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts Hacking .NET(C#) Applications: The Black Arts]<br><br><br />
Jon McCoy<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment Security at scale: Web application security in a continuous deployment environment]<br><br><br />
Zane Lackey<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career The "Easy" Button for Your Web Application Security Career]<br><br><br />
Salvador Grec<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF Risk Analysis and Measurement with CWRAF]<br><br><br />
Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:50 PM - 3:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:00 PM - 3:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release OWASP Broken Web Applications (OWASP BWA) 1.0 Release]<br><br><br />
Chuck Willis<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry Security Is Like An Onion, That's Why It Makes You Cry]<br><br><br />
Michele Chubirka<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw Anatomy of a Logic Flaw]<br><br><br />
Charles Henderson and David Byrne<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:50 PM - 4:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:00 PM - 4:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web New and Improved Hacking Oracle from Web]<br><br><br />
Sumit Siddharth<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/State_of_Web_Security State of Web Security]<br><br><br />
Robert Rowley<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them Old Webshells, New Tricks -- How Persistent Threats have revived an old idea, and how you can detect them.]<br><br><br />
Ryan Kazanciyan<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Fed_Panel Fed Panel]<br><br><br />
TBA<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:50 PM - 5:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 5:00 PM - 5:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS Unraveling some of the Mysteries around DOM-based XSS]<br><br><br />
Dave Wichers<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/2012_Global_Security_Report 2012 Global Security Report]<br><br><br />
Tom Brennan and Nick Percoco<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems Survivable Software for Cyber-Physical Systems]<br><br><br />
Karen Mercedes Goertzel<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 6:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity sponsored by: [[Image:SPL-LOGO-MED.png|link=https://www.trustwave.com/]]<br />
|}</div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Schedule/4-4-2012&diff=126932
OWASP AppSec DC 2012/Schedule/4-4-2012
2012-03-26T19:08:26Z
<p>Dallendoug: changed out John for Jim Manico</p>
<hr />
<div>{| border=1 <br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5"> '''Plenary Day 1 - 4/4/2012'''</font><br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd |<br />
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools<br />
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies<br />
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT<br />
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate&#33;<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM<br />
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense DOMJacking - Attack, Exploit and Defense]<br><br><br />
Shreeraj Shah<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries The Unfortunate Reality of Insecure Libraries]<br><br><br />
Jeff Williams and Arshan Dabirsiaghi<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2 Python Basics for Web App Pentesters - Part 2]<br><br><br />
Justin Searle<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement Integrating Application Security into your Lifecycle and Procurement]<br><br><br />
Jim Manico<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit Attacking CAPTCHAs for Fun and Profit]<br><br><br />
Gursev Singh Kalra<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Case_Study_How_New_Software_Assurance_Policy_Reduces_Riskand_Costs Case Study: How New Software Assurance Policy Reduces Risk and Costs]<br><br><br />
Rob Roy<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed]<br><br><br />
Joshua Corman<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:00 PM - 2:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts Hacking .NET(C#) Applications: The Black Arts]<br><br><br />
Jon McCoy<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment Security at scale: Web application security in a continuous deployment environment]<br><br><br />
Zane Lackey<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career The "Easy" Button for Your Web Application Security Career]<br><br><br />
Salvador Grec<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF Risk Analysis and Measurement with CWRAF]<br><br><br />
Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:50 PM - 3:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:00 PM - 3:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release OWASP Broken Web Applications (OWASP BWA) 1.0 Release]<br><br><br />
Chuck Willis<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry Security Is Like An Onion, That's Why It Makes You Cry]<br><br><br />
Michele Chubirka<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw Anatomy of a Logic Flaw]<br><br><br />
Charles Henderson and David Byrne<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:50 PM - 4:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:00 PM - 4:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web New and Improved Hacking Oracle from Web]<br><br><br />
Sumit Siddharth<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/State_of_Web_Security State of Web Security]<br><br><br />
Robert Rowley<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them Old Webshells, New Tricks -- How Persistent Threats have revived an old idea, and how you can detect them.]<br><br><br />
Ryan Kazanciyan<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Fed_Panel Fed Panel]<br><br><br />
TBA<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:50 PM - 5:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 5:00 PM - 5:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS Unraveling some of the Mysteries around DOM-based XSS]<br><br><br />
Dave Wichers<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/2012_Global_Security_Report 2012 Global Security Report]<br><br><br />
Tom Brennan and Nick Percoco<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems Survivable Software for Cyber-Physical Systems]<br><br><br />
Karen Mercedes Goertzel<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 6:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity sponsored by: [[Image:SPL-LOGO-MED.png|link=https://www.trustwave.com/]]<br />
|}</div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement&diff=126931
OWASP AppSec DC 2012/Integrating Application Security into your Lifecycle andProcurement
2012-03-26T19:07:28Z
<p>Dallendoug: update Jim Bio & Pic</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
The panel aims to explore how organizations track and improve their coverage of vulnerabilities when they assess the software they build and/or buy. How does your organization select the most effective tools and techniques to find each kind of vulnerability? What factors aid in choosing whether to automate or to manually seek out particular vulnerabilities?<br>Finally, how does your organization track the above selection of assessment tools and techniques, attest to review compliance, and track quality vs. cost?<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Jim Manico===<br />
[[Image:AppSecDC12-manico.jpg|left]]Jim Manico is the VP of Security Architecture for WhiteHat Security. Jim is part of the WhiteHat Static Analysis Software Testing (SAST) team, leading the data-driven, Web service portion of the SAST service. He also provides secure coding and developer awareness training for WhiteHat using his 7+ years of experience delivering developer-training courses for SANS, Aspect Security and others.<br />
<br />
Jim brings 15 years of database-driven Web software development and analysis experience to WhiteHat. He has helped deliver Web-centric software systems for Sun Microsystems, Fox Media (MySpace), several Fortune 500 companies, and major NGO financial institutions. He holds expertise in a variety of areas, including Web-based J2EE development, thick-client and applet-based Java applications, hybrid Java, C++ and Flash applications, Web-based PHP applications, rich-media Web applications using advanced Ajax techniques, Python REST Web service development, and database technology using Oracle, MySQL and Postgres.<br />
<br />
A host of the OWASP Podcast Series, Jim is the committee chair of the OWASP Connections Committee and is a significant contributor to various OWASP projects.<br />
<br />
Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/State_of_Web_Security&diff=126742
OWASP AppSec DC 2012/State of Web Security
2012-03-23T02:40:34Z
<p>Dallendoug: </p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
I will cover the current state of web-based attacks as we see them monitored on our network. In total somewhere around 1 million+ domains are attacked and monitored on our network, so the sample of data provided should be acceptably accurate.<br>The data will be provided in the presentation using statistical data of logged attacks against our network and customers' sites (and can be provided to security researchers in a raw format). This will provide the audience with a knowledge of how severe a new exploit can become once attackers utilize it, as well as details on what types of attacks are popular with malicious parties.<br>Time allowing, we will discuss a detailed dissection of a handful of common backdoors we see on our network (of course choosing the most unique and interesting backdoors we encounter). This is not to help the audience on how to design backdoors, but instead provides a basic overview of these attackers' knowledge and intent (why the bad guys do the things they do).<br><br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Robert Rowley===<br />
[[Image:AppSecDC12-rowley.jpg|left]]Robert Rowley is a security extraordinaire at a shared and virtual hosting provider for over one million websites and hundreds of thousands of customers. This unique environment requires providing increased security for an extremely broad range of websites and customers, and provides an ample range of attacks which his team addresses every day; the team has compiled this information into the working piece being presented at this conference.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/Certified_Secure_Software_Lifecycle_Professional_(CSSLP)_Clinic&diff=126494
OWASP AppSec DC 2012/Training/Certified Secure Software Lifecycle Professional (CSSLP) Clinic
2012-03-19T04:21:21Z
<p>Dallendoug: changed course length to 4 hours.</p>
<hr />
<div>__NOTOC__<br />
{{:OWASP AppSec DC 2012 Header}}<br />
==Description==<br />
'''Date: April 3rd 2012'''<br />
<br />
'''Course Length: 4 Hours'''<br />
<br />
Educate yourself in Secure Software Design and Development, two of the seven domains of the Certified Secure Software Lifecycle Professional (CSSLP) certification. This session will provide an in-depth education in these two tough domains of the CSSLP. We will cover the skills and knowledge needed to design and develop secure code. In the Secure Software Design domain, you will learn the fundamental design principles that, when applied, will save costly rework. In the Secure Software Development domain, we will discuss the OWASP Top 10 threats and how to mitigate them effectively.<br />
<br />
<br />
The Certified Secure Software Lifecycle Professional (CSSLP) is an (ISC)2 certification with 7 domains focusing on the topics needed to develop hacker-resilient software. CSSLPs are professionals who have validated their competency in incorporating security into each phase of the software lifecycle.<br />
<br />
==Instructor==<br />
E.J. Jones; Boeing<br />
<br />
EJ Jones is a Technical Fellow in Information Security. He is recognized industry-wide as an expert in software engineering, has over 20 years of experience in software development, and has developed large-scale systems on many diverse platforms and languages. He has created Application Security teams, has hands-on experience in every phase of the software security lifecycle, and has created comprehensive security programs for software development.<br />
<br />
EJ has also been leading technical teams in evaluating cloud hosting security controls for applications. He teaches all aspects of software development and is a certified CSSLP instructor. He was one of the first developers in the nation to receive the GIAC Secure Software Programming certification in Java. EJ is a leading security architect for mobile devices. He has spoken at the RSA Security, IBM/Rational Developers, and Cloud Security Alliance conferences. In his spare time EJ develops iPhone applications.<br />
<br><br><br><br><br><br />
[[Category:AppSec_DC_2012_Training]]<br />
{{:OWASP AppSec DC 2012 Footer}}</div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems&diff=126303
OWASP AppSec DC 2012/Vulnerabilities in Industrial Control Systems
2012-03-15T15:01:11Z
<p>Dallendoug: updated with new bio.</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
In 2011 ICS-CERT experienced a dramatic increase in reported disclosures of vulnerabilities in industrial control system (ICS) products. Security researchers (white, gray, and black hats) across the globe are increasing their research in the ICS product arena and the potential impact to critical infrastructure. Coordinated vulnerability disclosures of control system products are increasing rapidly, but so are the instances of unanticipated or full disclosures.<br />
<br><br />
The once obscure world of ICS security is now a hot topic in the media and around the water cooler. This presentation will discuss the daunting trends in the disclosure of ICS product vulnerabilities, who is disclosing new vulnerabilities, and the coordination process used by ICS-CERT. We will also discuss what concerning trends ICS-CERT is seeing, including recent hacktivist and anarchist group activity.<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Kevin Hemsley===<br />
[[Image:Owasp_logo_normal.jpg|left]]Kevin Hemsley is the Vulnerability Handling Lead for the US Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a control system security focus to improve the cyber security posture and assist owners and operators of US critical infrastructure assets. Kevin leads the ICS-CERT Vulnerability Handling team that works with independent security researchers and control system vendors from around the world to identify and mitigate vulnerabilities in control system products. Kevin has more than 20 years' experience in cyber security ranging from network security to control system and SCADA security.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Enterprise_Security_API_ESAPI_for_C_Plus_Plus&diff=125875
OWASP AppSec DC 2012/Enterprise Security API ESAPI for C Plus Plus
2012-03-10T05:33:03Z
<p>Dallendoug: </p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]OWASP Enterprise Security API (ESAPI) for C Plus Plus<br>ESAPI is a free, open source application security control library that makes it easier for programmers to write lower-risk applications. This presentation will give background on the ESAPI project as a whole, and focus on the C++-specific version. The initial ESAPI for C++ release is planned to happen in April 2012 and will be cross-platform and compiler-agnostic.<br>Key points:<br />
* ESAPI Project Overview<br />
* ESAPI for C Plus Plus<br />
* Integrating Security Controls (DEMO)<br />
* ESAPI Future (3.0)<br />
The ESAPI Project Overview will summarize what an Enterprise Security API is, why it is needed, and how it is meant to be incorporated into an application architecture.<br>Why is building an ESAPI for C++ necessary and relevant to developers? What approach has been taken to building the C++ API, and how does this relate to other ESAPI projects? Lots of thought has been put into the architecture and libraries that are being used in the ESAPI for C++. This presentation will provide details on the project and its current state, as well as future plans and how to get involved.<br>Integrating Security Controls will be a short demonstration of how to use the ESAPI for C++ to add security to a vulnerable application.<br>The ESAPI project is continuing to evolve and there are exciting plans for the 3.0 specification. This will include an ESAPI Community, a Pluggable Architecture, and lots of Documentation and Tutorials.<br />
== The Speakers ==<br />
Dan Amodio<br />
<br />
Dan Amodio is a Security Engineer at Aspect Security, where he provides application security services to a variety of clients. His experience spans a wide variety of IT departments to include software development, penetration testing, code review, architecture review, hardware and software technical support, along with active participation in The Open Web Application Security Project (OWASP). Dan has over ten years of programming experience in a variety of languages.<br />
<br />
Outside of work, Dan enjoys spending time with his wife and daughter. He is a longtime musician, and exercises his attention to detail through performing, recording and sound engineering.<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment&diff=125874
OWASP AppSec DC 2012/WhackaMobile II Mobile App Pen Testing with the MobiSecLive Environment
2012-03-10T04:51:16Z
<p>Dallendoug: </p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]In this talk, Kevin and Tony will outline and discuss the variety of testing techniques and tools available for performing mobile application penetration testing. The presentation will include technical details of discovery and exploitation of mobile application vulnerabilities, as well as outlining the use of MobiSec, a live environment used for performing mobile penetration testing. This talk will benefit penetration testers, mobile application developers, and mobile administrators who are concerned about their mobile environment and who want to learn new and exciting ways to assess the security of their mobile applications.<br />
== The Speakers ==<br />
Kevin Johnson and Tony Delagrange<br />
<br />
Tony DeLaGrange is a Senior Security Analyst with Secure Ideas, bringing over twenty-five years of information technology experience in the healthcare and financial services industries. Over the past decade, Tony has focused on information security within a leading Fortune 50 financial institution, providing the design of security reference architecture, development of information security policies, standards, and baselines, as well as the assessment and testing of emerging technologies. His experience includes managing large networking and messaging environments, assessing controls and establishing security requirements for large technology project implementations, driving change through leading an information security center of excellence, and influencing key technology and business stakeholders at all levels. Most recently, Tony led a penetration team that augmented the IT Audit program, providing a threat-based perspective to the standard general controls audit review process. For many years, Tony has had a keen interest in mobile security, specifically with mobile devices within a corporate environment, and is the project lead for the MobiSec Live Environment.<br />
<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>
Dallendoug
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Dynamic_DASTWAF_Integration&diff=125873
OWASP AppSec DC 2012/Dynamic DASTWAF Integration
2012-03-10T04:40:24Z
<p>Dallendoug: added bio</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]The concept of dynamic application security testing (DAST) exporting data that is then imported into a web application firewall (WAF) for targeted remediation is not new. While this concept is certainly attractive for showing risk reduction and reducing the time-to-fix metric, it is important to realize that you are not constrained to a "one way" data flow. WAFs have access to a tremendous amount of information that they can share with DAST to aid in application coverage and to initiate on-demand assessments of new or changed resources. This presentation will highlight how DASTs and WAFs can achieve a synergistic effect by dynamically sharing data. During the presentation, a working integration between the Arachni web application security scanner framework and the ModSecurity web application firewall will be presented.<br />
== The Speakers ==<br />
Ryan Barnett<br />
<br />
Ryan C. Barnett is a senior security researcher on Trustwave's SpiderLabs Research Team where he specializes in web application defense. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache.<br />
Twitter account - @ryancbarnett<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Web_Application_Defense_with_Bayesian_Attack_Analysis&diff=125872OWASP AppSec DC 2012/Web Application Defense with Bayesian Attack Analysis2012-03-10T04:39:29Z<p>Dallendoug: added bio</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]Bayesian text classifiers have long been successful in the fight against email SPAM. Why can't these same methods be used to help prevent web-based attack payloads? This talk will demonstrate a working Bayesian analysis system within the ModSecurity open source web application firewall which uses the Lua API to both classify and test payloads to identify attacks.<br />
== The Speakers ==<br />
Ryan Barnett<br />
<br />
Ryan C. Barnett is a senior security researcher on Trustwave's SpiderLabs Research Team where he specializes in web application defense. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache.<br />
Twitter account - @ryancbarnett<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Private_information_Protection_in_Cloud_Computing_LawsCompliance_and_Cloud_Security_Misconceptions&diff=125871OWASP AppSec DC 2012/Private information Protection in Cloud Computing LawsCompliance and Cloud Security Misconceptions2012-03-10T04:30:33Z<p>Dallendoug: reformatted content and added Mikhail Utin bio</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]Cloud Computing (CC) is a distributed computing technology and thus is not new. A similar approach has been implemented in multiuser mainframe environments and in client-server architectures. What is completely new is that the technology is based on an environment of distributed legal entities. Interfering computing resources and intersecting legal boundaries create a completely new environment, which challenges security research. However, CC has been pushed and promoted by numerous providers as ready to use, without adequate security research.<br />
<br />
The usual consideration of CC security is based on a common-sense, purely technical "data protection" concept, which completely ignores the legal ground. In particular, this relates to Personal Information (PI) protection, which is mandated and regulated by numerous US and international laws. In our research we attempt to return to where CC security should start from: laws and regulations.<br />
<br />
US laws protecting Personal Information, for instance the federal HIPAA and Massachusetts MGL c.93H and the 201 CMR 17.00 Standards, do not contain direct references to technologies, but require owners of PI to engage in certain binding relationships with service providers concerning PI protection. Thus, the laws dictate a completely different approach to CC security analysis, which should be based on whether and how such binding relationships could be implemented. We use the term Chain of Trust to refer to such a relationship. We need to note that tons of publications considering PI protection in the CC environment simply ignore the Chain of Trust matter. How often have we seen an exact quote of a law, then an interpretation concerning CC-related PI protection issues, and finally a consideration of the lawfulness of a certain CC solution? Not really often, or maybe not at all.<br />
<br />
Our presentation returns the consideration of CC security to the legal ground. Our starting point is three laws covering one of the most vulnerable and widest industries, health care (the HIPAA Security Rule and the HITECH Act), and the entire state of Massachusetts (the 201 CMR 17.00 Standards). Our research is based on the consideration of Service Models (SaaS, PaaS and IaaS) and Deployment Models (Private Cloud, Public Cloud and Hybrid Cloud) as they are described in two NIST publications, 800-144 and 800-146. Well organized, but missing serious consideration of the implications of PI-protecting laws for CC services, these documents form the ground for our security research. The legitimacy of each Service Model and Deployment Model is considered on the basis of the three above-mentioned laws, and the exact legal obstacles to their implementation are identified.<br />
<br />
We define our Chain of Trust concept in terms of requiring a certain relationship between the PI owner and the service provider. Following that, we consider the necessary binding agreements between the PI owner and the service provider, and if and how such a relationship could be implemented by currently available managerial and technical security means. Finally, we consider some aspects of a possible government audit of PI protection compliance. We return to the original meaning of compliance instead of the widely used but incorrect marketing-driven interpretation. Our research provides a practical ground and advice on how to deal with the required Chain of Trust in protecting personal information in the CC environment, and how to avoid future problems during a government compliance audit.<br />
== The Speakers ==<br />
Mikhail Utin and Daniil Utin<br />
<br />
Mikhail Utin was born in Russia in 1948. He finished his basic engineering education in 1975 and got an MA in Computer Science and Electrical Engineering. His career in Russia included working for research and engineering organizations. He got a Ph.D. in Computer Science in 1988 from the then Academy of Science of the USSR. He was one of the first entrepreneurs in Russia to form a private company. From 1988 to 1990 he successfully worked in the emerging Russian private sector, creating an Information Technology company.<br />
<br />
Mikhail had several USSR patents and published numerous articles. He emigrated to the US in 1990 to continue his professional career and to escape from political turmoil. Here in the US he has worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government. He formed his own company for IT and IT security consulting in 1998.<br />
<br />
Mikhail is an (ISC)2 certified professional, and participates in ISSA as well. He publishes articles on the Internet and in professional journals, and is a proud reviewer of articles submitted to (ISC)2's Information Security Journal: A Global Perspective.<br />
<br />
His research on the security problems SMBs face in complying with US laws and regulations, “US experience: Laws, Compliance, and Real Life - When everything seems right but simply does not work”, was presented at DeepSec 2011. His current focus in IT security research is security governance, regulations and management affecting technology and security status.<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Access_Control&diff=125870OWASP AppSec DC 2012/Access Control2012-03-10T04:20:00Z<p>Dallendoug: Added Jim Manico Bio</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control anti-patterns (problems), we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
== The Speakers ==<br />
Jim Manico<br />
<br />
Jim Manico is the VP of Security Architecture for WhiteHat Security. Jim is part of the WhiteHat Static Analysis Software Testing (SAST) team, leading the data-driven, Web service portion of the SAST service. He also provides secure coding and developer awareness training for WhiteHat using his 7+ years of experience delivering developer-training courses for SANS, Aspect Security and others.<br />
<br />
Jim brings 15 years of database-driven Web software development and analysis experience to WhiteHat. He has helped deliver Web-centric software systems for Sun Microsystems, Fox Media (MySpace), several Fortune 500's, and major NGO financial institutions. He holds expertise in a variety of areas, including Web-based J2EE development, thick-client and applet-based Java applications, hybrid Java, C++ and Flash applications, Web-based PHP applications, rich-media Web applications using advanced Ajax techniques, Python REST Web service development, and database technology using Oracle, MySQL and Postgres.<br />
<br />
A host of the OWASP Podcast Series, Jim is the committee chair of the OWASP Connections Committee and is a significant contributor to various OWASP projects.<br />
<br />
Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems&diff=125869OWASP AppSec DC 2012/Vulnerabilities in Industrial Control Systems2012-03-10T04:02:37Z<p>Dallendoug: added Kevin Hemsley bio</p>
<hr />
<div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
[[Image:Owasp_logo_normal.jpg|right]]In 2011 ICS-CERT experienced a dramatic increase in reported disclosures of vulnerabilities in industrial control system (ICS) products. Security researchers (white, gray, and black hats) across the globe are increasing their research in the ICS product arena and the potential impact to critical infrastructure. Coordinated vulnerability disclosures of control system products are increasing rapidly, but so are the instances of unanticipated or full disclosures.<br />
<br><br />
The once obscure world of ICS security is now a hot topic in the media and around the water cooler. This presentation will discuss the daunting trends in the disclosure of ICS product vulnerabilities, who is disclosing new vulnerabilities, and the coordination process used by ICS-CERT. We will also discuss what concerning trends ICS-CERT is seeing, including recent hacktivist and anarchist group activity.<br />
== The Speakers ==<br />
Kevin Hemsley<br />
<br />
Kevin Hemsley is the Vulnerability Handling Lead for the US Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a control system security focus to improve the cyber security posture of, and assist, owners and operators of US critical infrastructure assets. Kevin leads the ICS-CERT Vulnerability Handling team, which works with independent security researchers and control system vendors from around the world to identify and mitigate vulnerabilities in control system products. Kevin has more than 20 years of experience in cyber security, ranging from network security to control system and SCADA security.<br />
<br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Schedule/4-4-2012&diff=125741OWASP AppSec DC 2012/Schedule/4-4-20122012-03-08T02:30:25Z<p>Dallendoug: </p>
<hr />
<div>{| border=1 <br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5"> '''Plenary Day 1 - 4/4/2012'''</font><br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd |<br />
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools<br />
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies<br />
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT<br />
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate&#33;<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM<br />
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense DOMJacking - Attack, Exploit and Defense]<br><br><br />
Shreeraj Shah<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries The Unfortunate Reality of Insecure Libraries]<br><br><br />
Jeff Williams and Arshan Dabirsiaghi<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2 Python Basics for Web App Pentesters - Part 2]<br><br><br />
Justin Searle<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement Integrating Application Security into your Lifecycle and Procurement]<br><br><br />
John Steven<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit Attacking CAPTCHAs for Fun and Profit]<br><br><br />
Gursev Singh Kalra<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Case_Study_How_New_Software_Assurance_Policy_Reduces_Riskand_Costs Case Study: How New Software Assurance Policy Reduces Risk and Costs]<br><br><br />
Rob Roy and John Keane<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed]<br><br><br />
Joshua Corman<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Lunch<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:00 PM - 2:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts Hacking .NET(C#) Applications: The Black Arts]<br><br><br />
Jon McCoy<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment Security at scale: Web application security in a continuous deployment environment]<br><br><br />
Zane Lackey<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career The "Easy" Button for Your Web Application Security Career]<br><br><br />
Salvador Grec<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF Risk Analysis and Measurement with CWRAF]<br><br><br />
Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:50 PM - 3:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:00 PM - 3:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release OWASP Broken Web Applications (OWASP BWA) 1.0 Release]<br><br><br />
Chuck Willis<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |<br />
[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry Security Is Like An Onion, That's Why It Makes You Cry]<br><br><br />
Michele Chubirka<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw Anatomy of a Logic Flaw]<br><br><br />
Charles Henderson and David Byrne<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:50 PM - 4:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:00 PM - 4:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web New and Improved Hacking Oracle from Web]<br><br><br />
Sumit Siddharth<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/State_of_Web_Security State of Web Security]<br><br><br />
Robert Rowley<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them Old Webshells, New Tricks -- How Persistent Threats have revived an old idea, and how you can detect them.]<br><br><br />
Ryan Kazanciyan<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Fed_Panel Fed Panel]<br><br><br />
TBA<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:50 PM - 5:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 5:00 PM - 5:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS Unraveling some of the Mysteries around DOM-based XSS]<br><br><br />
Dave Wichers<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/2012_Global_Security_Report 2012 Global Security Report]<br><br><br />
Tom Brennan and Nick Percoco<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems Survivable Software for Cyber-Physical Systems]<br><br><br />
Karen Mercedes Goertzel<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 6:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity<br />
|}</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Schedule/4-4-2012&diff=125309OWASP AppSec DC 2012/Schedule/4-4-20122012-03-01T17:21:38Z<p>Dallendoug: fixed date issue.</p>
<hr />
<div>{| border=1 <br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5"> '''Plenary Day 1 - 4/4/2012'''</font><br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd |<br />
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools<br />
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies<br />
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT<br />
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate&#33;<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM<br />
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board]<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM<br />
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense DOMJacking - Attack, Exploit and Defense]<br><br><br />
Shreeraj Shah<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries The Unfortunate Reality of Insecure Libraries]<br><br><br />
Jeff Williams and Arshan Dabirsiaghi<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2 Python Basics for Web App Pentesters - Part 2]<br><br><br />
Justin Searle<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement Integrating Application Security into your Lifecycle and Procurement]<br><br><br />
John Steven<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit Attacking CAPTCHAs for Fun and Profit]<br><br><br />
Gursev Singh Kalra<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Case_Study_How_New_Software_Assurance_Policy_Reduces_Riskand_Costs Case Study: How New Software Assurance Policy Reduces Risk and Costs]<br><br><br />
Rob Roy and John Keane<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed]<br><br><br />
Joshua Corman<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Lunch<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:00 PM - 2:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts Hacking .NET(C#) Applications: The Black Arts]<br><br><br />
Jon McCoy<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment Security at scale: Web application security in a continuous deployment environment]<br><br><br />
Zane Lackey<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career The "Easy" Button for Your Web Application Security Career]<br><br><br />
Salvador Grec<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF Risk Analysis and Measurement with CWRAF]<br><br><br />
Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 2:50 PM - 3:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:00 PM - 3:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release OWASP Broken Web Applications (OWASP BWA) 1.0 Release]<br><br><br />
Chuck Willis<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/2012_Global_Security_Report 2012 Global Security Report]<br><br><br />
Tom Brennan and Nick Percoco<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw Anatomy of a Logic Flaw]<br><br><br />
Charles Henderson and David Byrne<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 3:50 PM - 4:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:00 PM - 4:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web New and Improved Hacking Oracle from Web]<br><br><br />
Sumit Siddharth<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/State_of_Web_Security State of Web Security]<br><br><br />
Robert Rowley<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them Old Webshells, New Tricks -- How Persistent Threats have revived an old idea, and how you can detect them.]<br><br><br />
Ryan Kazanciyan<br />
| align=center rowspan=3 width=200 valign=middle height=60 bgcolor=#b3ff99 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Fed_Panel Fed Panel]<br><br><br />
TBA<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 4:50 PM - 5:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 5:00 PM - 5:50 PM<br />
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS Unraveling some of the Mysteries around DOM-based XSS]<br><br><br />
Dave Wichers<br />
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry Security Is Like An Onion, That's Why It Makes You Cry]<br><br><br />
Michele Chubirka<br />
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems Survivable Software for Cyber-Physical Systems]<br><br><br />
Karen Mercedes Goertzel<br />
|- <br />
| width=72 valign=middle bgcolor=#7b8abd | 6:00 PM<br />
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity<br />
|}</div>Dallendoughttps://wiki.owasp.org/index.php?title=File:AppSecDC2012-Sponsor-sideas.gif&diff=123876File:AppSecDC2012-Sponsor-sideas.gif2012-02-07T05:25:22Z<p>Dallendoug: uploaded a new version of &quot;File:AppSecDC2012-Sponsor-sideas.gif&quot;: update of secure ideas logo</p>
<hr />
<div>Revised logo for Secure Ideas for AppSec DC 2012</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012_Footer&diff=123875OWASP AppSec DC 2012 Footer2012-02-07T05:23:21Z<p>Dallendoug: </p>
<hr />
<div><br />
{| cellspacing="10" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" <br />
|- <br />
| <h2>Gold Sponsors</h2> <br />
| [[Image:AppSecDC2009-Sponsor-aspect.gif|link=http://www.aspectsecurity.com/]]<br />
| [[Image:AppSecDC2009-Sponsor-securicon.gif|link=http://www.securicon.com]]<br />
| [[Image:AppSecDC2009-Sponsor-mandiant.gif|link=http://www.mandiant.com/]]<br />
| [[Image:AppSecDC2010-Sponsor-trustwave.gif|link=https://www.trustwave.com/]]<br />
|-<br />
| <h2>Small Business</h2><br />
| [[Image:AppSecDC2012-Sponsor-sideas.gif|link=http://www.secureideas.net]]<br />
|}<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2012]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&diff=123874OWASP AppSec DC 20122012-02-07T05:22:39Z<p>Dallendoug: /* Sponsors */</p>
<hr />
<div>__NOTOC__ <br />
<br />
{{:OWASP AppSec DC 2012 Header}}<br />
<br />
=Welcome= <br />
<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2012 conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. <br />
<br />
AppSecDC 2012 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on April 2nd through 5th 2012. <br />
<br />
'''Who Should Attend AppSec DC:''' <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br><br />
<br />
'''[[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]'''<br />
<br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- Twitter Box --> <br />
<br />
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL --><br />
<!-- There be dragons here --><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [[Image:AppSecDC-160x160-banner-2012.jpg]] <br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC12]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
=CFP=<br />
===NOTICE===<br />
'''Many of you have written to us asking about the requirement for a paper in our CFP hosted on EasyChair. Due to an unforeseen change in the way EasyChair works, it is no longer possible to configure a submission to require only an abstract, as we thought we had done and as we have done in the past. To be clear, we are ***NOT*** requiring papers with our CFP submissions. As we have already started the CFP and cannot move the platform, we ask that anyone who does not have a paper simply submit their abstract as a .txt file to satisfy the system's requirement to upload a paper.'''<br />
<br />
<br />
We apologize for this inconvenience and the confusion it has caused. As a result, we are extending the AppSec DC CFP deadline to '''February 17th 2012 at 11:59 EST''' to allow everyone to submit their topics.<br />
<br />
<br />
===Submissions===<br />
Submit papers to http://cfp.appsecdc.org. The submission deadline is February 17th 2012. Inquiries can be made to cfpATappsecdcDOTorg.<br />
<br />
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.<br />
<br />
<br />
===Topics===<br />
In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, rather than restricting its content strictly to the realm of web applications. Therefore we invite all practitioners of application security, and those who work with or interact with any facet of application security, to submit papers and participate in the conference.<br />
<br />
The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:<br />
<br />
*OWASP Projects<br />
*Research in Application Security Defense (Defense & Countermeasures)<br />
*Research in Application Security Offense (Vulnerabilities & Exploits)<br />
*Web Application Security<br />
*Critical Infrastructure Security<br />
*Mobile Security<br />
*Government Initiatives & Government Case Studies<br />
*Effective Case studies in Policy, Governance, Architecture or Life Cycle<br />
*and other application security topics<br />
<br />
Submit papers to http://cfp.appsecdc.org. The submission deadline is February 17th 2012. Inquiries can be made to cfpATappsecdcDOTorg.<br />
<br />
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.<br />
<br />
Additional information can be found in the [[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]. <br />
<br />
= Registration =<br />
<br />
== Register [http://reg.appsecdc.org Here] ==<br />
<br />
<br />
Registration is now '''<span style="color:#0f0">OPEN</span>'''.<br><br />
You can register at '''[http://reg.appsecdc.org http://reg.appsecdc.org]'''<br />
<br />
===Registration Fees===<br />
{| class="wikitable"<br />
|-<br />
! Ticket Type<br />
! Early (until 2/3)<br />
! Regular Price (until 3/15)<br />
! Late (after 3/15)<br />
|-<br />
| Non-Member<br />
| style="background: #cef2e0;" | $445.00<br />
| $495.00<br />
| $545.00<br />
|-<br />
| Non-Member plus 1 year OWASP Membership!<br />
| style="background: #cef2e0;" | $445.00<br />
| $495.00<br />
| $545.00<br />
|-<br />
| Active OWASP Member<br />
| style="background: #cef2e0;" | $395.00<br />
| $445.00<br />
| $495.00<br />
|-<br />
| Student<br />
| style="background: #cef2e0;" | $75.00<br />
| $75.00<br />
| $100.00<br />
|}<br />
<br />
{| class="wikitable"<br />
|-<br />
! Course<br />
! Fee<br />
|-<br />
| 1 Day Training<br />
| $745 <br />
|-<br />
| 2 Day Training<br />
| $1495<br />
|}<br />
<br />
'''ATTENTION FEDERAL EMPLOYEES: Enter code ASDC12FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)<br />
<br> For the student discount, attendees must present proof of enrollment when picking up their badge.<br />
<br />
'''Group Discounts'''<br />
* 10% off for groups of 10-19<br />
* 20% off for groups of 20-29<br />
* 30% off for groups of 30 or more<br />
<br />
===Who Should Attend AppSec DC 2012=== <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br />
*Anyone interested in learning about or promoting Web Application Security<br><br />
<br><br />
<br />
= Volunteer =<br />
<br />
== Volunteers Needed! ==<br />
<br />
Get involved! <br />
<br />
We will take all the help we can get to pull off the best Web Application Security Conference of the year! <br />
<br />
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.<br />
<br />
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org]<br />
<br />
= Schedule =<br />
<br />
{{:OWASP AppSec DC 2012 Schedule}}<br />
<br />
= Training =<br />
<br />
== Training ==<br />
Call for papers is now OPEN until December 15th 2011. Submit proposals to [https://docs.google.com/a/owasp.org/spreadsheet/viewform?hl=en_US&formkey=dGZGcy0tRlpBb0pZaWROeVFyZGdmckE6MQ#gid=0 http://training.appsecdc.org]<br />
<br />
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.<br />
<br />
Price per attendee (conference Registration is a separate item): <br />
* 2-Day Class $1495<br />
* 1-Day Class $745<br />
<br />
== 2 Day Classes ==<br />
==='''Assessing and Exploiting Web Applications with Samurai-WTF''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Assessing and Exploiting Web Applications with Samurai-WTF|Course Detail]]===<br />
Come take the official Samurai-WTF training course given by the two founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the penetration and exploitation of various web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn first-hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools. <br />
<br />
==='''Building Secure Android Apps''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Building Secure Android Apps|Course Detail]]===<br />
The course focuses on building secure mobile applications for the Android platform. Students will learn about the Android security model and platform security features. They will be introduced to mobile application threat modeling, and learn how to apply the outcomes of threat modeling directly into their design and development processes. The OWASP Mobile Top 10 Risks and Controls will be covered at great length.<br> <br>After students are taught foundational information, they will learn how to properly use the various Android components and APIs to reduce the amount of vulnerabilities within production code. Hands-on labs will use the vulnerable mobile Android applications provided by the OWASP GoatDroid project. Students will learn many techniques for performing source code reviews, penetration testing, and forensic analysis of Android applications. Hands-on exercises represent a large portion of the course. Each concept presented will include examples of insecure and secure code, along with strategies for remediation. By teaching students how to identify and exploit various security flaws, they will gain a greater understanding of how the security controls actually protect their applications.<br> <br>At the end of this two-day course, attendees should understand how to build secure applications, perform source code reviews, and perform penetration testing for Android applications. They will also understand and be able to demonstrate expertise at applying security controls to applications for addressing many security defects. Each student will ultimately take back with them to their workplace a repeatable and reliable methodology for building and maintaining secure Android applications.<br><br />
<br />
==='''Defense Against The Dark Arts - ESAPI''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Defense Against The Dark Arts - ESAPI|Course Detail]]===<br />
This course will focus on using the OWASP ESAPI for Java to solve real-world security issues. In the course students will learn how to leverage the ESAPI library to design and implement reusable security controls in an enterprise environment. This is a laptops-out event, and students will walk away with a toolkit of reusable components that they can use in real situations to solve security issues in Java applications.<br />
<br />
==='''Secure Web Application Development Training''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Secure Web Application Development Training|Course Detail]]===<br />
Writing secure code is the most effective method of securing your web applications. Writing secure code takes skill and know-how, but it results in a more stable and robust application and assists in protecting an organisation's brand. Application security is not commonly a part of many computer science curricula today, and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code. <br />
<br />
==='''The Art of exploiting Injection Flaws''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/The Art of exploiting Injection Flaws|Course Detail]]===<br />
OWASP rates injection flaws as the most critical vulnerability within the Top 10 Most Critical Web Application Security Risks under the OWASP Top 10 project: http://www.owasp.org/index.php/Top_10_2010-A1. This hands-on session will focus only on injection flaws, and attendees will get an "in-depth" understanding of the flaws arising from this vulnerability. The topics covered in the class are SQL Injection, XPATH Injection, LDAP Injection, Hibernate Query Language Injection, Direct OS Code Injection, and XML Entity Injection. The workshop covers classical issues such as SQL Injection, which is an oldie yet still very relevant today, as well as some lesser known injection flaws such as LDAP, XPATH and XML Injection. During the two-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute; we have got it all covered.<br />
<br />
==='''Virtual Patching Workshop''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Virtual Patching Workshop|Course Detail]]===<br />
Identification of web application vulnerabilities is only half the battle, with remediation efforts being the other half. Let's face the facts: there are many real world business scenarios where it is not possible to update web application code in a timely manner, or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br><br>This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new Lua programming language API. The goal of this workshop is both to highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
== 1 Day Classes ==<br />
==='''Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA ''' | 1 Day (4/2/2012) | [[OWASP_AppSec_DC_2012/Training/Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA |Course Detail]]===<br />
Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities across Web 2.0, RIA and HTML5. We will be covering analysis techniques, with tools, for assessment and review of enterprise application source code. It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class is to develop a complete understanding of source code analysis, techniques and tools to address the top set of vulnerabilities. The knowledge gained will help in analyzing and securing next generation enterprise applications at all stages: architecture, design and/or development. The course is designed and delivered by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Services" and "Web 2.0 Security: Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum. <br />
<br />
==='''Practical Threat Modeling''' | 1 Day (4/2/2012) | [[OWASP_AppSec_DC_2012/Training/Pratical Threat Modeling|Course Detail]]===<br />
Threat modeling is gaining traction as a fundamental application security activity. In this class students learn about the attacks that their applications may face and then both formal and informal approaches to threat modeling. Using a fictional scenario, students perform all the activities of a threat model on a complex application, including analyzing design documents and role-playing interviews. Students learn about the industry standard formal threat modeling process as well as Facilitated Application Threat Modeling: a 1-day approach to threat modeling pioneered by Security Compass. Students will also be taught about Security Compass's unique source-code/design-pattern level threat modeling.<br><br />
<br />
==='''Mobile Hacking and Securing''' | 1 Day (4/3/2012)| [[OWASP_AppSec_DC_2012/Training/Mobile Hacking and Securing|Course Detail]]===<br />
Students will discover mobile hacking techniques for Android and iPhone. They will understand the platform security models, device security models, app analysis, file system analysis and runtime analysis for these popular mobile operating systems. This course will provide students with the knowledge necessary to assess mobile app security, including what hackers look for in mobile apps. Hacking apps themselves will equip them with the skills required to protect their own apps from attacks. Students will come out with an understanding of the pitfalls of mobile device security and the importance of developing mobile apps securely. They will learn the concepts necessary to securely develop mobile apps in their organization.<br><br />
<br />
==='''WebAppSec: Developing Secure Web Applications''' | 1 Day (4/3/2012)| [[OWASP_AppSec_DC_2012/Training/WebAppSec: Developing Secure Web Applications|Course Detail]]===<br />
Web applications continue to be the frontier of widespread security breaches. This tutorial will guide you through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how proper development practices can mitigate their damage. Although the examples covered are PHP-based, much of the content is also applicable to other languages. <span style="color: #800000;">This course was sold out at AppSec USA 2011.</span><br />
<br />
= Contests =<br />
<br />
== OWASP Member Door Prizes! ==<br />
Are you an [[Membership|OWASP Member]]? At AppSecDC we will be giving away some amazing door prizes to some randomly selected OWASP members in attendance. You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission. That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration! So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!<br />
<br />
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.<br />
Contestants have the option of either participating in a more relaxed environment with shorter contest length or going for the more intense route.<br />
Contests consist of:<br />
<br />
TBD<br />
<br />
= Venue =<br />
<br />
== Walter E. Washington Convention Center ==<br />
<br />
AppSec DC 2012 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. <br />
<br />
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=8131721 here]). <br />
<br />
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]<br />
<br />
= Hotel =<br />
<br />
Rooms are available at the Grand Hyatt Washington at the GSA Rate for April of 2012.<br />
<br />
Reserve Rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=8131721 here]!<br />
<br />
Room Rates are only guaranteed through the first week of March. Rooms at the discounted rates are available three days before and after the conference dates for attendees wishing to enjoy Washington DC during the National Cherry Blossom Festival.<br />
<br />
=Sponsors =<br />
<br />
== Sponsors ==<br />
<br />
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our '''[https://www.owasp.org/images/d/df/APPSEC_DC_2012_sponsorships_v1.pdf sponsorship opportunities]''' for details. <br />
Please contact us at [mailto:sponsors@appsecdc.org sponsors@appsecdc.org] for sponsorship opportunities.<br />
<br />
The OWASP AppSec DC Conference is the premier gathering for Information Security leaders. Executives from the US Government, Fortune 500 firms, technical thought leaders, security architects and lead developers, gather to share cutting-edge ideas, initiatives and technology advancements. AppSec DC will be one of the first OWASP conferences to highlight the new OWASP scope expanding from web to all application security issues.<br />
<br />
Attendees will be pushed through the Expo floor for breakfast, lunch and coffee breaks giving them direct access to sponsors’ booths and technology. OWASP will also be hosting a “sponsor passport” game with a top prize to help encourage traffic to all of our Gold, Platinum and Diamond sponsors. The conference is expected to draw over 600 national and international attendees; all with budgets dedicated to web application security and software assurance initiatives. Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals will be represented.<br />
<br />
<center>[[Image:AppSecDC 2012 sponsor matrix.png]]</center><br />
<br />
{| cellspacing="10" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" <br />
|- <br />
| <h2>Gold Sponsors</h2> <br />
| [[Image:AppSecDC2009-Sponsor-aspect.gif|link=http://www.aspectsecurity.com/]]<br />
| [[Image:AppSecDC2009-Sponsor-securicon.gif|link=http://www.securicon.com]]<br />
| [[Image:AppSecDC2009-Sponsor-mandiant.gif|link=http://www.mandiant.com/]]<br />
| [[Image:AppSecDC2010-Sponsor-trustwave.gif|link=https://www.trustwave.com/]]<br />
|-<br />
| &nbsp;<br />
| <h2>Small Business</h2><br />
| [[Image:AppSecDC2012-Sponsor-sideas.gif|link=http://www.secureideas.net]]<br />
|-<br />
| &nbsp;<br />
| <h2>Item Sponsors</h2><br />
| [[Image:AppSecDC2012-Sponsor-NVisium.png|link=https://www.nvisiumsecurity.com/]]<br />
|}<br />
<br />
= Travel =<br />
<br />
== Traveling to the DC Metro Area ==<br />
<br />
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab. <br />
<br />
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. <br />
<br />
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. <br />
<br />
= Conference Committee =<br />
<br />
===Organizers=== <br />
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]<br />
<br />
* [mailto:doug.wilson@owasp.org Doug Wilson]<br />
* [mailto:mark.bristow@owasp.org Mark Bristow]<br />
<br />
===Arch-Minions=== <br />
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]<br />
<br />
* Facilities ([mailto:facilities@appsecdc.org facilities@appsecdc.org])<br />
<br />
* Content ([mailto:content@appsecdc.org content@appsecdc.org])<br />
<br />
* Press ([mailto:press@appsecdc.org press@appsecdc.org])<br />
<br />
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])<br />
<br />
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])<br />
<br />
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])<br />
<br />
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])<br />
<br />
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])<br />
<br />
=FAQ=<br />
{{:OWASP AppSec DC 2012 - FAQ}}<br />
<br />
<headertabs /> <br />
<br />
<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Dallendoughttps://wiki.owasp.org/index.php?title=File:AppSecDC2012-Sponsor-sideas.gif&diff=123873File:AppSecDC2012-Sponsor-sideas.gif2012-02-07T05:21:53Z<p>Dallendoug: Revised logo for Secure Ideas for AppSec DC 2012</p>
<hr />
<div>Revised logo for Secure Ideas for AppSec DC 2012</div>Dallendoughttps://wiki.owasp.org/index.php?title=File:AppSecDC2012-sponsor-secureideas.gif&diff=123872File:AppSecDC2012-sponsor-secureideas.gif2012-02-07T05:21:19Z<p>Dallendoug: uploaded a new version of &quot;File:AppSecDC2012-sponsor-secureideas.gif&quot;: Reverted to version as of 02:25, 2 February 2012</p>
<hr />
<div></div>Dallendoughttps://wiki.owasp.org/index.php?title=File:AppSecDC2012-sponsor-secureideas.gif&diff=123871File:AppSecDC2012-sponsor-secureideas.gif2012-02-07T05:16:33Z<p>Dallendoug: uploaded a new version of &quot;File:AppSecDC2012-sponsor-secureideas.gif&quot;</p>
<hr />
<div></div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&diff=122967OWASP AppSec DC 20122012-01-20T04:21:45Z<p>Dallendoug: </p>
<hr />
<div>__NOTOC__ <br />
<br />
{{:OWASP AppSec DC 2012 Header}}<br />
<br />
=Welcome= <br />
<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2012 conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. <br />
<br />
AppSecDC 2012 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on April 2nd through 5th 2012. <br />
<br />
'''Who Should Attend AppSec DC:''' <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br><br />
<br />
'''[[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]'''<br />
<br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- Twitter Box --> <br />
<br />
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL --> <br />
[[Image:Threestarforsite.png]] <br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC12]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
=CFP=<br />
===NOTICE===<br />
'''Many of you have written to us asking about the requirement for a paper in our CFP hosted on EasyChair. Due to an unforeseen change in the way EasyChair works, you are no longer able to configure a submission to require only an abstract, as we thought we had done and had done in the past. To be clear, we are ***NOT*** requiring papers with our CFP submissions. As we have already started the CFP and cannot move the platform, we ask that anyone who does not have a paper simply submit their abstract as a .txt file to satisfy the system's requirement to upload a paper.'''<br />
<br />
<br />
We apologize for this inconvenience and the confusion it has caused. As a result of the confusion, we are extending the AppSec DC CFP deadline to '''February 17th 2012 at 11:59 EST''' to allow all to submit their topics.<br />
<br />
<br />
===Submissions===<br />
Submit papers to http://cfp.appsecdc.org. The submission deadline is February 17th 2012. Inquiries can be made to cfpATappsecdcDOTorg.<br />
<br />
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.<br />
<br />
<br />
===Topics===<br />
In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of application security, rather than restricting its content strictly to the realm of web applications. Therefore, we invite all practitioners of application security, and those who work with or interact with any facet of application security, to submit papers and participate in the conference.<br />
<br />
The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:<br />
<br />
*OWASP Projects<br />
*Research in Application Security Defense (Defense & Countermeasures)<br />
*Research in Application Security Offense (Vulnerabilities & Exploits)<br />
*Web Application Security<br />
*Critical Infrastructure Security<br />
*Mobile Security<br />
*Government Initiatives & Government Case Studies<br />
*Effective Case studies in Policy, Governance, Architecture or Life Cycle<br />
*and other application security topics<br />
<br />
Submit papers to http://cfp.appsecdc.org. The submission deadline is February 17th 2012. Inquiries can be made to cfpATappsecdcDOTorg.<br />
<br />
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.<br />
<br />
Additional information can be found in the [[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]. <br />
<br />
= Registration =<br />
<br />
== Register [http://reg.appsecdc.org Here] ==<br />
<br />
<br />
Registration is now '''<span style="color:#0f0">OPEN</span>'''.<br><br />
You can register at '''[http://reg.appsecdc.org http://reg.appsecdc.org]'''<br />
<br />
===Registration Fees===<br />
{| class="wikitable"<br />
|-<br />
! Ticket Type<br />
! Early (until 2/1)<br />
! Regular Price (until 3/15)<br />
! Late (after 3/15)<br />
|-<br />
| Non-Member<br />
| style="background: #cef2e0;" | $445.00<br />
| $495.00<br />
| $545.00<br />
|-<br />
| Non-Member plus 1 year OWASP Membership!<br />
| style="background: #cef2e0;" | $445.00<br />
| $495.00<br />
| $545.00<br />
|-<br />
| Active OWASP Member<br />
| style="background: #cef2e0;" | $395.00<br />
| $445.00<br />
| $495.00<br />
|-<br />
| Student<br />
| style="background: #cef2e0;" | $75.00<br />
| $75.00<br />
| $100.00<br />
|}<br />
<br />
{| class="wikitable"<br />
|-<br />
! Course<br />
! Fee<br />
|-<br />
| 1 Day Training<br />
| $745 <br />
|-<br />
| 2 Day Training<br />
| $1495<br />
|}<br />
<br />
'''ATTENTION FEDERAL EMPLOYEES: Enter code ASDC12FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)<br />
<br> For the student discount, attendees must present proof of enrollment when picking up their badge.<br />
<br />
'''Group Discounts'''<br />
* 10% off for groups of 10-19<br />
* 20% off for groups of 20-29<br />
* 30% off for groups of 30 or more<br />
<br />
===Who Should Attend AppSec DC 2012=== <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br />
*Anyone interested in learning about or promoting Web Application Security<br><br />
<br><br />
<br />
= Volunteer =<br />
<br />
== Volunteers Needed! ==<br />
<br />
Get involved! <br />
<br />
We will take all the help we can get to pull off the best Web Application Security Conference of the year! <br />
<br />
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.<br />
<br />
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org]<br />
<br />
= Schedule =<br />
<br />
{{:OWASP AppSec DC 2012 Schedule}}<br />
<br />
= Training =<br />
<br />
== Training ==<br />
Call for papers is now OPEN until December 15th 2011. Submit proposals to [https://docs.google.com/a/owasp.org/spreadsheet/viewform?hl=en_US&formkey=dGZGcy0tRlpBb0pZaWROeVFyZGdmckE6MQ#gid=0 http://training.appsecdc.org]<br />
<br />
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.<br />
<br />
Price per attendee (conference Registration is a separate item): <br />
* 2-Day Class $1495<br />
* 1-Day Class $745<br />
<br />
== 2 Day Classes ==<br />
==='''Assessing and Exploiting Web Applications with Samurai-WTF''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Assessing and Exploiting Web Applications with Samurai-WTF|Course Detail]]===<br />
Come take the official Samurai-WTF training course given by the two founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the penetration and exploitation of various web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn firsthand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools. <br />
<br />
==='''Building Secure Android Apps''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Building Secure Android Apps|Course Detail]]===<br />
The course focuses on building secure mobile applications for the Android platform. Students will learn about the Android security model and platform security features. They will be introduced to mobile application threat modeling, and learn how to apply the outcomes of threat modeling directly in their design and development processes. The OWASP Mobile Top 10 Risks and Controls will be covered at great length.<br> <br>After students are taught foundational information, they will learn how to properly use the various Android components and APIs to reduce the number of vulnerabilities within production code. Hands-on labs will use the vulnerable mobile Android applications provided by the OWASP GoatDroid project. Students will learn many techniques for performing source code reviews, penetration testing, and forensic analysis of Android applications. Hands-on exercises represent a large portion of the course. Each concept presented will include examples of insecure and secure code, along with strategies for remediation. By teaching students how to identify and exploit various security flaws, they will gain a greater understanding of how the security controls actually protect their applications.<br> <br>At the end of this two-day course, attendees should understand how to build secure applications, perform source code reviews, and perform penetration testing for Android applications. They will also understand and be able to demonstrate expertise at applying security controls to applications to address many security defects. Each student will ultimately take back to their workplace a repeatable and reliable methodology for building and maintaining secure Android applications.<br><br />
<br />
==='''Defense Against The Dark Arts - ESAPI''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Defense Against The Dark Arts - ESAPI|Course Detail]]===<br />
This course will focus on using the OWASP ESAPI for Java to solve real-world security issues. In the course, students will learn how to leverage the ESAPI library to design and implement reusable security controls in an enterprise environment. This is a laptops-out event, and students will walk away with a toolkit of reusable components that they can use in real situations to solve security issues in Java applications.<br />
<br />
==='''Secure Web Application Development Training''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Secure Web Application Development Training|Course Detail]]===<br />
Writing secure code is the most effective method of securing your web applications. Writing secure code takes skill and know-how, but it results in a more stable and robust application and assists in protecting an organisation's brand. Application security is not commonly a part of many computer science curricula today, and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code. <br />
<br />
==='''The Art of exploiting Injection Flaws''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/The Art of exploiting Injection Flaws|Course Detail]]===<br />
OWASP rates injection flaws as the most critical vulnerability within the Top 10 Most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1<br><br> <br><br>This hands-on session will focus only on injection flaws, and the attendees will get an "in-depth" understanding of the flaws arising from this vulnerability. The topics covered in the class are:<br />
<br />
*SQL Injection<br />
*XPATH Injection<br />
*LDAP Injection<br />
*Hibernate Query Language Injection<br />
*Direct OS Code Injection<br />
*XML Entity Injection<br />
<br />
The workshop covers classical issues such as SQL Injection, which is an oldie yet still very relevant today, as well as some lesser known injection flaws such as LDAP, XPATH and XML Injection.<br><br>During the 2-day course, the attendees will have access to a number of challenges for each flaw, and they will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute; we have got it all covered.<br />
<br />
==='''Virtual Patching Workshop''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Virtual Patching Workshop|Course Detail]]===<br />
Identification of web application vulnerabilities is only half the battle; remediation is the other half. Let's face the facts: there are many real world business scenarios where it is not possible to update web application code in a timely manner, or at all. This is where the tactical use case of implementing a web application firewall to address identified issues proves its worth.<br><br>This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new Lua programming language API. The goal of this workshop is both to highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
== 1 Day Classes ==<br />
==='''Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA ''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA |Course Detail]]===<br />
Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities across Web 2.0, RIA and HTML5. We will be covering analysis techniques, with tools, for assessment and review of enterprise application source code. It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class is to develop a complete understanding of source code analysis, techniques and tools to address the top set of vulnerabilities. Knowledge gained will help in analyzing and securing next generation enterprise applications at all stages: architecture, design and/or development. The course is designed and delivered by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Services" and "Web 2.0 Security: Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum. <br />
<br />
==='''Mobile Hacking and Securing''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Mobile Hacking and Securing|Course Detail]]===<br />
Students will discover mobile hacking techniques for Android and iPhone. They will understand the platform security models, device security models, app analysis, file system analysis and runtime analysis for these popular mobile operating systems.<br><br>This course will provide students with the knowledge necessary to assess mobile app security, including what hackers look for in mobile apps. Hacking apps themselves will equip them with the skills required to protect their own apps from attacks.<br><br>Students will come out with an understanding of the pitfalls of mobile device security and the importance of developing mobile apps securely. They will learn the concepts necessary to securely develop mobile apps in their organization.<br><br />
<br />
==='''Practical Threat Modeling''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Pratical Threat Modeling|Course Detail]]===<br />
Threat modeling is gaining traction as a fundamental application security activity. In this class, students learn about the attacks that their applications may face and then both formal and informal approaches to threat modeling. Using a fictional scenario, students perform all the activities of a threat model on a complex application, including analyzing design documents and role-playing interviews. Students learn about the industry standard formal threat modeling process as well as Facilitated Application Threat Modeling: a 1-day approach to threat modeling pioneered by Security Compass. Students will also be taught about Security Compass's unique source-code/design-pattern level threat modeling.<br><br />
<br />
==='''WebAppSec: Developing Secure Web Applications''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/WebAppSec: Developing Secure Web Applications|Course Detail]]===<br />
Web applications continue to be the frontier of widespread security breaches. This tutorial will guide you through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how proper development practices can mitigate their damage. Although the examples covered are PHP-based, much of the content is also applicable to other languages. <span style="color: #800000;">This course was sold out at AppSec USA 2011.</span><br />
<br />
= Contests =<br />
<br />
== OWASP Member Door Prizes! ==<br />
Are you an [[Membership|OWASP Member]]? At AppSecDC we will be giving away some amazing door prizes to randomly selected OWASP members in attendance. You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission. That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration! So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!<br />
<br />
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.<br />
Contestants have the option of either participating in a more relaxed environment with shorter contest length or going for the more intense route.<br />
Contests consist of:<br />
<br />
TBD<br />
<br />
= Venue =<br />
<br />
== Walter E. Washington Convention Center ==<br />
<br />
AppSec DC 2012 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. <br />
<br />
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=8131721 here]). <br />
<br />
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]<br />
<br />
= Hotel =<br />
<br />
Rooms are available at the Grand Hyatt Washington at the GSA Rate for April of 2012.<br />
<br />
Reserve Rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=8131721 here]!<br />
<br />
Room Rates are only guaranteed through the first week of March. Rooms at the discounted rates are available three days before and after the conference dates for attendees wishing to enjoy Washington DC during the National Cherry Blossom Festival.<br />
<br />
=Sponsors =<br />
<br />
== Sponsors ==<br />
<br />
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our '''[https://www.owasp.org/images/d/df/APPSEC_DC_2012_sponsorships_v1.pdf sponsorship opportunities]''' for details. <br />
Please contact us at [mailto:sponsors@appsecdc.org sponsors@appsecdc.org] for sponsorship opportunities.<br />
<br />
<!-- Slots are going fast so contact us to sponsor today! --><br />
<br />
= Travel =<br />
<br />
== Traveling to the DC Metro Area ==<br />
<br />
The Washington DC Area is served by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently offer transportation to downtown DC via public transportation, shuttles, or cab. <br />
<br />
Washington DC is also served by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive at [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. <br />
<br />
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. <br />
<br />
= Conference Committee =<br />
<br />
===Organizers=== <br />
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]<br />
<br />
* [mailto:doug.wilson@owasp.org Doug Wilson]<br />
* [mailto:mark.bristow@owasp.org Mark Bristow]<br />
<br />
===Arch-Minions=== <br />
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]<br />
<br />
* Facilities ([mailto:facilities@appsecdc.org facilities@appsecdc.org])<br />
<br />
* Content ([mailto:content@appsecdc.org content@appsecdc.org])<br />
<br />
* Press ([mailto:press@appsecdc.org press@appsecdc.org])<br />
<br />
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])<br />
<br />
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])<br />
<br />
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])<br />
<br />
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])<br />
<br />
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])<br />
<br />
=FAQ=<br />
{{:OWASP AppSec DC 2012 - FAQ}}<br />
<br />
<headertabs /> <br />
<br />
<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=121322Washington DC2011-12-09T21:17:40Z<p>Dallendoug: updated with speaker bio</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br><br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting if you plan on attending<br><br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
<br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''Ken Johnson''' and (maybe) '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
<br />
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
::Ken Johnson is a Senior Security Architect for LivingSocial.com, responsible for securing mobile applications, web services and web applications. Additionally, he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with Sushi or getting demolished in Call of Duty.<br><br><br />
<br />
:'''Chris Gates'''<br />
<br />
::TBD<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
<br><br><br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives of meetings earlier than those on this page can be found in the [[Washington_DC Archives]]<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informational use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass the Same-Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug https://wiki.owasp.org/index.php?title=Washington_DC&diff=121245 Washington DC 2011-12-09T04:53:20Z <p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br><br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting if you plan on attending<br><br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
<br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''Ken Johnson''' and '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
<br />
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
::Coming Soon<br><br><br />
<br />
:'''Chris Gates'''<br />
<br />
::Coming Soon<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
<br><br><br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass the Same-Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
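The improper and proper CORS implementations the abstract refers to, as an added example that is not part of the chapter page or of the speaker's demo application. It is a server-side policy decision written for Node.js (no framework, no dependencies): the first function reflects the request's <code>Origin</code> header back in <code>Access-Control-Allow-Origin</code> while also allowing credentials, which lets any page read an authenticated response with XMLHttpRequest; the second checks the origin against an exact-match allowlist. The allowlist entries and the <code>evil.example.net</code> origin in the comments are constructed for the example.<br />

```javascript
// Added example (not the page's or the talk's own code): deciding which CORS
// response headers to emit for a given request Origin, in Node.js.

// Constructed allowlist for the example: the only origins that may read
// credentialed responses from this API.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// FLAWED: reflects whatever Origin the browser sent and still allows
// credentials. Browsers forbid "*" with credentials, so reflecting the
// header is a common workaround, but it turns the API into a public one for
// any site the victim visits: https://evil.example.net gets an ACAO header
// naming itself and can read the victim's authenticated response.
function corsHeadersReflecting(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: exact-match the Origin against the allowlist. The header is
// parsed and re-serialised so that only a bare scheme://host[:port] form is
// accepted; anything else (a path, mixed case, the literal "null" that
// sandboxed frames send, a malformed value) gets no CORS headers at all.
// "Vary: Origin" stops a shared cache from serving one origin's ACAO header
// to another.
function corsHeadersAllowlisted(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader) return {}; // same-origin or non-browser client
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return {}; // "null" or garbage: not an allowed origin
  }
  const normalized = parsed.origin;
  if (normalized !== originHeader || !allowed.has(normalized)) return {};
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Would a page running at `pageOrigin` be allowed by the browser to read a
// response carrying these headers? Mirrors the browser-side CORS check.
function crossOriginReadable(headers, pageOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

module.exports = { corsHeadersReflecting, corsHeadersAllowlisted, crossOriginReadable };
```

Note that substring or prefix checks (`origin.startsWith("https://app.example.com")`, a regex without anchors) are a third, equally common mistake: they accept <code>https://app.example.com.evil.net</code>. The exact-match set above rejects it.<br />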
<br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Come up to the 8th floor. When you get off the elevator, walk towards the concierge, then turn left and continue to the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin. <br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug https://wiki.owasp.org/index.php?title=Washington_DC&diff=121244 Washington DC 2011-12-09T04:52:37Z<p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting if you plan on attending.<br><br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
<br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''Ken Johnson''' and '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
<br />
'''Location Info''' Please come up to the second floor; we'll be meeting in the room off the Living Social kitchen area.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
::Coming Soon<br><br><br />
<br />
:'''Chris Gates'''<br />
<br />
::Coming Soon<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
<br><br><br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]]<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informational use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st at 6:00pm at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin. <br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background, spanning over a decade, includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium, and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University's Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=121243 Washington DC 2011-12-09T04:51:24Z
<p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting if you plan on attending.<br><br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br><br />
<br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages.<br />
* '''Ken Johnson''' and '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
<br />
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
:'''Chris Gates'''<br />
<br />
::Coming Soon<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
<br><br><br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity in which software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for secure software and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
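Added example for the CORS topic in the abstract above (written for this page, not the speaker's material or the chapter's own code): a server's CORS decision for a credentialed JSON endpoint, with the Origin-reflection and hostname-suffix mistakes beside an exact allowlist, plus the browser-side check that decides whether a cross-origin page may read the response; all origins are constructed placeholders.<br />

```javascript
// Added example, not part of the chapter page or the speaker's material.
// All origins below are constructed placeholders.

// Constructed allowlist of first-party origins (exact scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',
  'https://admin.example.test',
]);

const CREDENTIALED = {
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};

// Improper pattern 1: reflect whatever Origin arrives and allow credentials.
// Any page the user visits can then read authenticated responses via XHR.
function corsHeadersReflectAny(originHeader) {
  if (!originHeader) return {};
  return { 'Access-Control-Allow-Origin': originHeader, ...CREDENTIALED };
}

// Improper pattern 2: suffix match on the hostname. It accepts
// 'https://evilexample.test' because the hostname ends with 'example.test'.
function corsHeadersSuffixMatch(originHeader) {
  if (!originHeader) return {};
  let parsed;
  try { parsed = new URL(originHeader); } catch (e) { return {}; }
  if (!parsed.hostname.endsWith('example.test')) return {};
  return { 'Access-Control-Allow-Origin': originHeader, ...CREDENTIALED };
}

// Proper pattern: exact-match allowlist. The Origin header must equal its
// own serialised origin, so values with a path or trailing slash and the
// literal 'null' origin (sandboxed frames, file://) are all rejected.
function corsHeadersAllowlist(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (!originHeader) return {};
  let parsed;
  try { parsed = new URL(originHeader); } catch (e) { return {}; }
  if (parsed.origin !== originHeader) return {};
  if (!allowlist.has(parsed.origin)) return {};
  return { 'Access-Control-Allow-Origin': parsed.origin, ...CREDENTIALED };
}

// Browser-side check (simplified from the CORS rules): may script running
// on pageOrigin read a response that carries these headers?
function browserMayRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials; // '*' is never valid with credentials
  if (acao !== pageOrigin) return false;
  if (withCredentials && headers['Access-Control-Allow-Credentials'] !== 'true') {
    return false;
  }
  return true;
}

// Evaluate one page origin against each server policy for a credentialed XHR.
function evaluate(pageOrigin) {
  return {
    reflectAny: browserMayRead(pageOrigin, corsHeadersReflectAny(pageOrigin), true),
    suffixMatch: browserMayRead(pageOrigin, corsHeadersSuffixMatch(pageOrigin), true),
    allowlist: browserMayRead(pageOrigin, corsHeadersAllowlist(pageOrigin), true),
  };
}

// Only the allowlist denies the look-alike origin while still serving the real app.
console.log('https://evilexample.test', evaluate('https://evilexample.test'));
console.log('https://app.example.test', evaluate('https://app.example.test'));
```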
<br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When they get off the elevator, they should walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University's Gelman Library. Everyone, remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
September Meeting:<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>

Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=121242
Washington DC
2011-12-09T04:46:37Z
<p>Dallendoug: updated for December Meeting at LS</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br><br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting if you plan on attending<br><br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
'''Our [https://www.regonline.com/owaspdcdecember2011 next meeting] is December 21st at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''Ken Johnson''' and '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!<br />
<br />
<br />
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Ken Johnson'''<br />
<br />
:'''Chris Gates'''<br />
<br />
::Coming Soon<br><br><br />
<br />
::'''Abstract: Updates in wXf''' - Coming Soon<br><br />
<br />
<br><br><br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives of meetings earlier than those on this page can be found in the [[Washington_DC Archives]]<br><br />
<br />
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
<br><br />
<br />
'''Speakers'''<br><br />
<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security's Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the "Architecture and Design Considerations for Secure Software" Pocket Guide and the "Requirements and Analysis for Secure Software" Pocket Guide. Quang has a Bachelor's in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informational use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
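The abstract above contrasts improper and proper CORS implementations without showing either. The following is an added illustration, not code from the talk or from the OWASP DC chapter: a server-side origin check that reflects any `Origin` header while allowing credentials (the misconfiguration that lets another site include a user's authenticated responses), a prefix-match variant that is fooled by a look-alike host, and an exact-allowlist version. The allowlist, the function names and the sample origins are constructed for this example.

```python
"""Added example: three ways a server can answer the Origin header on a
credentialed cross-origin XMLHttpRequest, and a helper that mimics the
browser's decision on whether the requesting page may read the response.
Assumed names and values (ALLOWED_ORIGINS, the example hosts) are
constructed for this illustration; no web framework is involved."""
from urllib.parse import urlsplit

# Constructed allowlist of serialized origins: scheme://host[:port], exact.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def cors_headers_reflecting(origin):
    """Insecure: echoes whatever Origin was sent and allows credentials.
    Any page on any site can then read the user's authenticated responses."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_prefix_match(origin):
    """Insecure: a prefix check accepts https://app.example.com.evil.com
    because it starts with the trusted string."""
    if origin and origin.startswith("https://app.example.com"):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_allowlist(origin):
    """Hardened: emit CORS headers only for an exact, canonicalised match.
    Rejects the opaque origin "null" and anything that is not a bare
    scheme://host[:port], and adds Vary: Origin so caches do not replay a
    response generated for one origin to another."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment or not parts.netloc:
        return {}
    canonical = f"{parts.scheme}://{parts.netloc}".lower()
    if canonical not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def credentialed_read_allowed(headers, requesting_origin):
    """Approximation of the browser rule for credentialed requests: the
    page may read the response only if Allow-Origin names its exact origin
    (a wildcard is not accepted with credentials) and Allow-Credentials is
    "true"."""
    return (
        headers.get("Access-Control-Allow-Origin") == requesting_origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def evaluate(origin):
    """Return, for one requesting origin, whether each policy lets it read
    a credentialed response: (reflecting, prefix_match, allowlist)."""
    return (
        credentialed_read_allowed(cors_headers_reflecting(origin), origin),
        credentialed_read_allowed(cors_headers_prefix_match(origin), origin),
        credentialed_read_allowed(cors_headers_allowlist(origin), origin),
    )


if __name__ == "__main__":
    # Constructed sample origins: one trusted, two look-alikes, one opaque.
    for o in ("https://app.example.com",
              "https://app.example.com.evil.example",
              "https://evil.example",
              "null"):
        print(f"{o:45} reflect={evaluate(o)[0]} prefix={evaluate(o)[1]} "
              f"allowlist={evaluate(o)[2]}")
```

Running the block prints a row per sample origin; only the allowlist policy denies every untrusted origin while still admitting the trusted one. The `Vary: Origin` header matters once a shared cache sits in front of the API, since without it a response carrying one allowed origin could be served to a request from another.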
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever-common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held on [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM at Duques Hall (Room 553D)] on the GWU campus in Washington DC<br />
* Matthew Flick and Jeff Yestrumskas gave an encore of their talk on the Cross-Site Scripting Anonymous Browser (XAB), which they had previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talked about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held on [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoug https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&diff=118962 OWASP AppSec DC 2012 2011-10-12T15:26:23Z<p>Dallendoug: updated w/ CFP tab.</p>
<hr />
<div>__NOTOC__ <br />
<br />
{{:OWASP AppSec DC 2012 Header}}<br />
<br />
====Welcome==== <br />
<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2012 conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. <br />
<br />
AppSecDC 2012 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on April 2nd through 5th 2012. <br />
<br />
'''Who Should Attend AppSec DC:''' <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br><br />
<br />
'''[[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]'''<br />
<br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- Twitter Box --> <br />
<br />
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL --> <br />
[[Image:Threestarforsite.png]] <br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC12]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
====CFP====<br />
<br />
In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting its content strictly to the realm of web applications. Therefore, we invite all practitioners of application security, and those who work with or interact with any facet of application security, to submit papers and participate in the conference.<br />
<br />
The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:<br />
<br />
- OWASP Projects<br />
- Research in Application Security Defense (Defense & Countermeasures)<br />
- Research in Application Security Offense (Vulnerabilities & Exploits)<br />
- Web Application Security<br />
- Critical Infrastructure Security<br />
- Mobile Security<br />
- Government Initiatives & Government Case Studies<br />
- Effective Case studies in Policy, Governance, Architecture or Life Cycle<br />
- and other application security topics<br />
<br />
Submit papers to http://cfp.appsecdc.org. Submission deadline is January 15th 2011. Inquiries can be made to cfpATappsecdcDOTorg.<br />
<br />
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.<br />
<br />
Additional information can be found in the [[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]. <br />
<br />
==== Registration ====<br />
<br />
''' Registration is not available yet for the April 2012 Conference.''' <br> <br />
<br />
<br />
<!-- <br />
===Registration Fees===<br />
{| class="wikitable"<br />
|-<br />
! Ticket Type<br />
! Early<br />
! Regular Price<br />
! Late<br />
|-<br />
| Non-Member<br />
| $445.00<br />
| $495.00<br />
| style="background: #cef2e0;" | $545.00<br />
|-<br />
| Active OWASP Member<br />
| $395.00<br />
| $445.00<br />
| style="background: #cef2e0;" | $495.00<br />
|-<br />
| Student<br />
| $195.00<br />
| $195.00<br />
| style="background: #cef2e0;" | $245.00<br />
|}<br />
<br />
{| class="wikitable"<br />
|-<br />
! Course<br />
! Fee<br />
|-<br />
| 1 Day Training<br />
| $745 <br />
|-<br />
| 2 Day Training<br />
| $1495<br />
|}<br />
<br />
'''ATTENTION FEDERAL EMPLOYEES: Enter code ASDC11FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)<br />
<br> For student discount, attendees must present proof of enrollment when picking up your badge.<br />
--><br />
'''Group Discounts'''<br />
* 10% off for groups of 10-19<br />
* 20% off for groups of 20-29<br />
* 30% off for groups of 30 or more<br />
<br />
===Who Should Attend AppSec DC 2012=== <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br />
*Anyone interested in learning about or promoting Web Application Security<br><br />
<br><br />
<br />
==== Volunteer ====<br />
<br />
== Volunteers Needed! ==<br />
<br />
Get involved! <br />
<br />
We will take all the help we can get to pull off the best Web Application Security Conference of the year! <br />
<br />
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.<br />
<br />
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org]<br />
<br />
==== Schedule ====<br />
<br />
{{:OWASP AppSec DC 2012 Schedule}}<br />
<br />
==== Training ====<br />
<br />
== Training ==<br />
Call for training will open soon.<br />
<br />
OWASP strives to provide world-class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.<br />
<!--<br />
Price per attendee (conference registration is a separate item): <br />
* 2-Day Class $1495<br />
* 1-Day Class $745<br />
--><br />
== 2 Day Training ==<br />
<br />
TBD<br />
<br />
== 1 Day Training ==<br />
<br />
TBD<br />
<br />
==== Contests ====<br />
<br />
== OWASP Member Door Prizes! ==<br />
Are you an [[Membership|OWASP Member]]? At AppSecDC we will be giving away some amazing door prizes to some randomly selected OWASP members in attendance. You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission. That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration! So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!<br />
<br />
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.<br />
Contestants have the option of either participating in a more relaxed environment with a shorter contest length or going for the more intense route.<br />
Contests consist of:<br />
<br />
TBD<br />
<br />
==== Venue ====<br />
<br />
== Walter E. Washington Convention Center ==<br />
<br />
AppSec DC 2012 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. <br />
<br />
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]). <br />
<br />
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]<br />
<br />
==== Hotel ====<br />
<br />
Hotel contracts are TBD<br />
<br />
==== Sponsors ====<br />
<br />
== Sponsors ==<br />
<br />
We are currently soliciting sponsors for the AppSec DC Conference. <!-- Please refer to our '''[http://www.owasp.org/images/b/bf/APPSEC_DC_2011_sponsorships_1.pdf sponsorship opportunities]''' for details. --><br />
<br />
Please contact us at [mailto:sponsors@appsecdc.org sponsors@appsecdc.org] for sponsorship opportunities.<br />
<br />
<!-- Slots are going fast so contact us to sponsor today! --><br />
<br />
==== Travel ====<br />
<br />
== Traveling to the DC Metro Area ==<br />
<br />
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab. <br />
<br />
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. <br />
<br />
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. <br />
<br />
==== Conference Committee ====<br />
<br />
===Organizers=== <br />
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]<br />
<br />
* [mailto:doug.wilson@owasp.org Doug Wilson]<br />
* [mailto:mark.bristow@owasp.org Mark Bristow]<br />
<br />
===Arch-Minions=== <br />
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]<br />
<br />
* Facilities ([mailto:facilities@appsecdc.org facilities@appsecdc.org])<br />
<br />
* Content ([mailto:content@appsecdc.org content@appsecdc.org])<br />
<br />
* Press ([mailto:press@appsecdc.org press@appsecdc.org])<br />
<br />
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])<br />
<br />
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])<br />
<br />
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])<br />
<br />
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])<br />
<br />
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])<br />
<br />
====FAQ====<br />
{{:OWASP AppSec DC 2012 - FAQ}}<br />
<br />
<headertabs /> <br />
<br />
<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Dallendoug https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012_-_FAQ&diff=118776 OWASP AppSec DC 2012 - FAQ 2011-10-10T01:17:46Z<p>Dallendoug: updated w/ CFP Dates for 2012</p>
<hr />
<div>'''Q. What will it cost?'''<br />
<br />
A. Ticketing prices are on the main page. Prices for 2012 have not been announced yet.<br />
<br />
==Call For Papers==<br />
'''Q. What is the Open Web & Application Security Project (OWASP)?'''<br />
<br />
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work with your support.<br />
<br />
<br />
'''Q. How many speaking slots are there?'''<br />
<br />
The schedule for AppSec DC will largely be based on the number of quality presentations we receive. While we have an outline for the conference schedule we cannot solidify it until the CFP has completed. In addition to the primary slots we will be selecting a small number of alternate presenters who will receive a free pass to the conference in return for being ready to present if there is a cancellation.<br />
<br />
<br />
'''Q. What are the submission deadlines?'''<br />
<br />
The dates for CFP are from October 11th until January 15th. Some speaker selections may be made before the end of CFP.<br />
<br />
<br />
'''Q: Who is allowed to submit presentations?'''<br />
<br />
A: Original authors of presentations may submit presentations for consideration. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.<br />
<br />
<br />
'''Q: Why aren't Third Parties such as PR Firms allowed to submit presentations?'''<br />
<br />
A: Due to potential copyright and intellectual property liability issues as well as the need for OWASP to have direct contact with potential and selected presenters to expedite selection and deliverable materials, we require that only original authors of presentations submit for the Call for Papers. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.<br />
<br />
<br />
'''Q: How long will I have to wait before I am notified if I have been accepted or denied?'''<br />
<br />
A: Due to the overwhelming response from the community, the planning committee needs more time to sift through all of the proposals that we received. We feel that it is better to give each presentation a complete review rather than meet a somewhat arbitrary deadline. Originally we promised that we would respond to speakers within 15 business days of the CFP closing. We do reserve the right to select outstanding presentations prior to the date that CFP closes.<br />
<br />
<br />
'''Q. Is there an honorarium for presenters?'''<br />
<br />
No. OWASP is committed to making its conferences available to the widest possible audience. In order to do this OWASP keeps the entrance fees as low as possible to make the conference accessible. As a result we are unable to provide a monetary honorarium but we welcome our speakers as our guests to the conference where they can network with other security professionals.<br />
<br />
<br />
'''Q: I have been accepted. What are the materials that I have to turn in and what are the deadlines?'''<br />
<br />
A: The following materials are required from each accepted presentation. Failure to deliver these materials by the deadlines set for the event the presentation was accepted for will result in the acceptance being withdrawn.<br />
* A confirmed [[Speaker_Agreement | Speaker Agreement]] <br />
* Presentation in PowerPoint or Keynote format using the [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] <br />
* Detailed Bibliography of resources, co-authors, etc.<br />
* Optional White Paper for inclusion on CD<br />
<br />
<br />
'''Q: Do I have to submit a White Paper?'''<br />
<br />
A: No. We would certainly appreciate any White Papers that can be included on the conference CD, but they are not required. If you have already written a white paper to go along with your presentation, please submit it with your CFP submission. Submissions with attached White Papers will receive additional consideration.<br />
<br />
<br />
'''Q: What if I have a co-author who is not presenting? How do I cite the person(s)?'''<br />
<br />
A: All co-authors and works that have been used should be cited in a detailed bibliography that will be published on the Conference CD.<br />
<br />
<br />
'''Q: I have been accepted and would like to add co-presenters. Can I still do this?'''<br />
<br />
A: No. Co-presenters should have been added at the time that the Presentation was submitted. They may attend the conference and present if they pay the full conference fee.<br />
<br />
<br />
'''Q: My PR company/friends/co-workers/family would like to come see me give my presentation. Will they be allowed in for free?'''<br />
<br />
A: No. All guests of speakers must be registered and paid in full in order to receive admission to the conference.<br />
<br />
<br />
'''Q: My company wants to donate to and support OWASP as a 501(c)(3) non-profit in exchange for resources at the Expo. What is the cost?'''<br />
<br />
A: Sponsorship information can be found [https://www.owasp.org/images/3/36/Sponsorship_Form_update_DC.pdf here].<br />
<br />
<br />
'''Q. I have more questions'''<br />
<br />
A: Email info(at)appsecdc.org concerning this event.<br />
<br />
{{:OWASP AppSec DC 2012 Footer}}</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=117869 Washington DC 2011-09-23T16:48:39Z
<p>Dallendoug: updated sponsor logos and bios for secondary speakers for September</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our [https://www.regonline.com/owaspdcseptember2011 next meeting] is September 29th at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting if you plan on attending<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
Our '''[https://www.regonline.com/owaspdcseptember2011 next meeting]''' is '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
* Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''Location Info''' (different from last month): take the elevator to the 8th floor. When you get off, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br><br><br />
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br><br><br />
:'''Krystal Moon'''<br />
<br />
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program, where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.<br />
<br />
:'''Quang Pham'''<br />
<br />
:: Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security's Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the "Architecture and Design Considerations for Secure Software" Pocket Guide and the "Requirements and Analysis for Secure Software" Pocket Guide. Quang has a Bachelor's in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.<br />
<br><br><br />
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informative use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede the software implementation phase in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Recent Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br><br />
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]<br />
<br><br><br><br><br><br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''': take the elevator to the 8th floor. When you get off, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br><br><br><br><br><br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin. <br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=File:BlueCanopySponsoLogo.jpg&diff=117868File:BlueCanopySponsoLogo.jpg2011-09-23T16:42:38Z<p>Dallendoug: uploaded a new version of &quot;File:BlueCanopySponsoLogo.jpg&quot;</p>
<hr />
<div>Blue Canopy, a local DC Company, sponsoring OWASP DC Meeting</div>Dallendoughttps://wiki.owasp.org/index.php?title=File:BlueCanopySponsoLogo.jpg&diff=117867File:BlueCanopySponsoLogo.jpg2011-09-23T16:37:57Z<p>Dallendoug: Blue Canopy, a local DC Company, sponsoring OWASP DC Meeting</p>
<hr />
<div>Blue Canopy, a local DC Company, sponsoring OWASP DC Meeting</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=117866Washington DC2011-09-23T16:27:52Z<p>Dallendoug: changed sponsor for september to Blue Canopy</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our [https://www.regonline.com/owaspdcseptember2011 next meeting] is September 29th at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting if you plan on attending.<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow] and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
Our '''[https://www.regonline.com/owaspdcseptember2011 next meeting]''' is '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
* Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting. This helps us get a head count for food and beverages.<br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''Location Info''' Different from last month. Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br />
::'''Abstract'''<br />
<br />
::'''Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br />
:'''Krystal Moon'''<br />
<br />
:'''Quang Pham'''<br />
<br />
::'''Abstract'''<br />
<br />
::'''Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives of meetings earlier than those contained on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st at 6:00pm at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance, focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest Metro stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest Metro stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at the George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February; topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: [http://www.bluecanopy.com/ Blue Canopy]<br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=117354 Washington DC 2011-09-14T17:31:10Z
<p>Dallendoug: updated with registration link</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our [https://www.regonline.com/owaspdcseptember2011 next meeting] is September 29th at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting if you plan on attending.<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
Our '''[https://www.regonline.com/owaspdcseptember2011 next meeting]''' is '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
* Please '''[https://www.regonline.com/owaspdcseptember2011 Register]''' for the meeting. This helps us get a head count for food and beverages <br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''Location Info''' Different from last month. Folks will need to come up to the 8th floor; when they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br />
::'''Abstract'''<br />
<br />
::'''Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br />
:'''Krystal Moon'''<br />
<br />
:'''Quang Pham'''<br />
<br />
::'''Abstract'''<br />
<br />
::'''Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informative use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]'''<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st at 6:00pm at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor; when they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code to outsourced, third-party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} <br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=117276 Washington DC 2011-09-13T18:34:08Z<p>Dallendoug: updated w/ Abstract on SwA Pocket Guides</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is September 29th at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
'''Please register for the meeting if you plan on attending.''' Registration link coming soon.<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
Our next meeting is '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
* Please check back to Register. Registration is not required, but helps us get a head count for food and beverages <br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''Location Info''' (different from last month): Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br />
::'''Abstract'''<br />
<br />
::'''Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br />
:'''Krystal Moon'''<br />
<br />
:'''Quang Pham'''<br />
<br />
::'''Abstract'''<br />
<br />
::'''Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informative use only and as a good starting point for the relevant practices.<br />
<br />
:::'''Secure Coding'''<br />
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.<br />
<br />
:::'''Architecture and Design Considerations for Secure Software'''<br />
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede the software implementation phase in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives of meetings earlier than those on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''': Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash Remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} <br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=117271 Washington DC 2011-09-13T17:53:40Z
<p>Dallendoug: Updating w/ info for September 2011 meeting -- no reg info yet</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is September 29th at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
'''Please Register for the meeting if you plan on attending''' Registration link coming soon.<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
Our next meeting is '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''<br />
* Please check back to Register. Registration is not required, but helps us get a head count for food and beverages <br />
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''<br />
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''<br />
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.<br />
<br />
<br />
'''Location Info''' (different from last month): come up to the 8th floor; when you get off the elevator, walk towards the concierge, then turn left and walk towards the university room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''John Steven'''<br />
<br />
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?<br />
<br />
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.<br />
<br />
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass the Same-Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly), and how it can be exploited by a malicious attacker.<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Come up to the 8th floor; when you get off the elevator, walk towards the concierge, then turn left and walk towards the university room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshements.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
September Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} <br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=115748Washington DC2011-08-15T21:20:28Z<p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] at the Living Social office at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
'''Please [http://www.regonline.com/owaspdcaugust2011 REGISTER HERE] for the meeting if you plan on attending'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st at 6:00pm at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas gave an encore of their talk on the Cross-Site Scripting Anonymous Browser (XAB) that they had previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talked about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance, focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
August Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=115685Washington DC2011-08-15T04:57:08Z<p>Dallendoug: commenting out reg until reg info is fixed.</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] at the Living Social office at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
<!-- '''Please [http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE] for the meeting if you plan on attending''' --><br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
<!-- * Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count. --><br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st at 6:00 PM at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
August Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=115684Washington DC2011-08-15T04:37:57Z<p>Dallendoug: updated sponsorship slot for August</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] at the Living Social office at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
'''Please [http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE] for the meeting if you plan on attending'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and w3c specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives of meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming<br />
out to talk to us at the meeting Wednesday. I thought his<br />
presentation on Samurai, Yokoso!, Laudanum, and Social butterfly<br />
demonstrated some of the great up and coming tools that are available<br />
to the community. As promised, I uploaded the PDF of the presentation<br />
to the Wiki, but the slides don't do the commentary justice. It can<br />
be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out,<br />
we had a great turnout and I hope to have even more attendees next<br />
time. For those who were unable to attend, I hope to see you all at<br />
our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
August Meeting:<br><br />
<br><br />
Facility Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: <!-- Currently Open -->Living Social&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=115683Washington DC2011-08-15T04:36:39Z<p>Dallendoug: updated w/ time and reg links for August Meeting</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] at the Living Social office at 6:30 PM (food) / 7 PM (talks)'''<br><br />
<br><br />
'''Please [http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE] for the meeting if you plan on attending'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.<br />
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.<br />
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br />
<br><br />
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speaker'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing (CORS) to bypass the Same-Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow this vulnerability to be exploited. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years of experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin. <br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
August Meeting:<br><br />
<br><br />
Facility Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>
Dallendoug
https://wiki.owasp.org/index.php?title=Washington_DC&diff=115564 Washington DC 2011-08-12T00:37:35Z
<p>Dallendoug: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 24th at Living Social -- Time and Specifics coming soon'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 24th at 1445 New York Ave NW (Living Social) in Washington DC. Details to follow.<br />
<br />
* Please Register once we announce the time and date.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered throughly and w3c specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off-the-Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br><br />
<br><br />
<br><br />
<paypal>Washington DC</paypal><br />
<br><br />
<br><br />
<br><br />
Facility Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br><br />
<br><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=Washington_DC&diff=115439Washington DC2011-08-10T18:58:14Z<p>Dallendoug: Update w/ prelims on August Meeting</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is August 25th at Living Social -- Time and Specifics coming soon'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''August 2011 Meeting'''<br />
<br />
Our next meeting is August 25th at Living Social in Washington DC. Details to follow.<br />
<br />
* Please Register once we announce the time and date.<br />
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Julian Cohen'''<br />
<br />
::Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.<br />
<br />
::Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.<br />
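The improper and proper CORS implementations the abstract contrasts, as an added example that is not part of the talk or of the original page: a server that authenticates with cookies either reflects any Origin back with credentials allowed (which lets any page read an authenticated user's responses via XMLHttpRequest), or matches a normalized Origin against an exact allowlist. The allowlist contents and the function names are this example's own assumptions.

```javascript
// Added example (not the talk's or the page's own code): two ways a
// cookie-authenticated API can answer a browser's Origin header.

// Constructed allowlist: the only origins permitted to read credentialed
// responses from this API (assumption for the example).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Improper: reflects whatever Origin the browser sent and also allows
// credentials. The browser then lets any third-party page read the
// authenticated response, which defeats the same-origin policy.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Normalize the Origin value with the WHATWG URL parser so that an
// uppercase host or an explicit default port cannot slip past a string
// comparison. Rejects the opaque 'null' origin, unparsable values and
// anything that is not https.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch (_) {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  return url.origin; // scheme://host[:port], lowercased, default port dropped
}

// Proper: exact match against the allowlist. Unknown origins get no
// Access-Control-* headers at all, so the browser refuses the read.
// 'Vary: Origin' is set in both cases so a shared cache never serves a
// response produced for one origin to a request from another.
function buildCorsHeaders(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

A request from a lookalike host such as https://app.example.com.evil.test (constructed) is rejected by the allowlist version because the comparison is on the whole normalized origin, not a prefix or substring.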
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
==== Twitter ====<br />
<!-- Twitter Box --> {|<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from meetings earlier than those listed on this page can be found in the [[Washington_DC Archives]]<br />
<br />
'''July 2011 Meeting'''<br />
<br />
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson & Mark Bristow will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape.. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin. <br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshments.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash Remoting endpoints.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here] <br />
* Our next chapter meeting will be held in February, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
Facility Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} --><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div><br />
Dallendoug<br />
https://wiki.owasp.org/index.php?title=Washington_DC&diff=113736 Washington DC 2011-07-12T01:52:48Z<br />
<p>Dallendoug: updated with information for July meeting</p>
<hr />
<div>__NOTOC__<br />
<br />
==== Welcome ====<br />
<br />
Welcome to the Home Page of the Washington DC OWASP Chapter.<br />
<br />
<br />
'''Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 Map] | [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register]'''<br />
<br />
<br />
* The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.<br />
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.<br />
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]<br />
* Our recent meetings are documented on the News & Meetings tab.<br />
* You can also check out the archives of this page here [[Washington_DC Archives]].<br />
<br />
==== Meetings & Events ====<br />
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br />
<br />
<br />
'''July 2011 Meeting'''<br />
<br />
* Our next meeting will be at [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')<br />
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here] <br />
* Jack Mannino will speak on '''Building Secure Android Applications'''<br />
* Doug Wilson will update on current and upcoming events.<br />
<br />
<br />
'''NEW LOCATION''' Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the university room.<br />
<br />
<br />
'''About our Speakers'''<br />
<br />
:'''Jack Mannino'''<br />
<br />
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.<br />
<br />
:'''Abstract'''<br />
<br />
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever-common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.<br />
<br />
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.<br />
<br />
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.<br />
<br />
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.<br />
<br />
<br />
==== Participation ====<br />
<br />
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.<br />
<br />
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br />
<br />
<br />
<br />
<br />
==== News & Meetings ====<br />
<br />
Archives from meetings earlier than those covered on this page can be found in the [[Washington_DC Archives]].<br />
<br />
'''March 2010 Meeting'''<br />
<br />
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)<br />
* Jeff Ennis from Veracode will be presenting on Application Risk Management<br />
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security<br />
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA<br />
* Doug Wilson will update on plans for future meetings and upcoming events.<br />
<br />
'''About our Speakers'''<br />
<br />
'''Jeff Ennis'''<br />
<br />
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.<br />
<br />
:'''Abstract'''<br />
<br />
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into the security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.<br />
<br />
'''Dan Philpott'''<br />
<br />
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.<br />
<br />
'''Chuck Willis'''<br />
<br />
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.<br />
<br />
'''December 2009 Meeting'''<br />
<br />
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC<br />
* We will be recapping and discussing AppSecDC and the OWASP Summit<br />
* We will discuss other recent events such as the DHS Software Assurance Forum Conference<br />
* We will be talking about the coming year and upcoming events<br />
* We will open up the floor for discussion of current events or concerns.<br />
<br />
'''Addition to Agenda'''<br />
<br />
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.<br />
<br />
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.<br />
<br />
'''September 2009 Meeting'''<br />
<br />
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.<br />
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.<br />
<br />
<br />
'''XAB -- The Abstract:'''<br />
<br />
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.<br />
<br />
XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.<br />
<br />
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.<br />
<br />
<br />
'''About our speakers:'''<br />
<br />
'''Matthew Flick, Principal'''<br />
'''FYRM Associates'''<br />
<br />
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.<br />
<br />
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.<br />
<br />
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.<br />
<br />
<br />
'''Jeff Yestrumskas'''<br />
'''Sr. Manager InfoSec @ Cvent'''<br />
<br />
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.<br />
<br />
<br />
<br />
'''August 2009 Meeting'''<br />
<br />
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]<br />
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World<br />
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.<br />
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]<br />
<br />
About our speakers:<br />
<br />
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.<br />
<br />
:'''Vulnerability Management in an Application Security World'''<br />
<br />
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.<br />
<br />
<br />
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.<br />
<br />
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.<br />
<br />
<br />
'''April Meeting Debrief'''<br />
<br />
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.<br />
<br />
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.<br />
<br />
We'd also like to thank:<br />
* George Washington University and their great staff for the meeting space and A/V support<br />
* Securicon and Mark Bristow for arranging refreshements.<br />
<br />
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!<br />
<br />
<br />
'''April 22nd 6:30 PM OWASP Meeting, Washington DC<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].<br />
<br />
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote><br />
<br />
<blockquote>Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.</blockquote><br />
<br />
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote><br />
<br />
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote><br />
<br />
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.<br />
<br />
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.<br />
<br />
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street. <br />
<br />
<br />
<br />
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at The George Washington University in downtown DC.<br />
<br />
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]<br />
<br />
This month's agenda:<br />
<br />
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow<br />
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett<br />
* 7:45 - 8:00 Break<br />
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra<br />
<br />
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008<br />
<br />
<br />
''Note on Transportation and Parking''<br />
<br />
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.<br />
<br />
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.<br />
<br />
<br />
'''December Meeting Debrief'''<br />
<br />
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].<br />
<br />
We also took care of some housekeeping stuff:<br />
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University's Gelman Library. Everyone, remember to thank Amy for offering up GW's meeting spaces to us.<br />
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 2009. More details will come out as we firm up dates/speakers/locations and calls for volunteers!<br />
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here].<br />
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].<br />
<br />
To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.<br />
<br />
<br />
'''December 10th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Presentation by Kevin Johnson, InGuardians<br />
* Round table Discussion of Portugal Summit<br />
* Open discussion<br />
<br />
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.<br />
<br />
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.<br />
<br />
You can RSVP to the event on Upcoming.org:<br />
http://upcoming.yahoo.com/event/1334575<br />
<br />
<br />
'''October 15th 6:30pm OWASP Meeting, Washington DC'''<br />
<br />
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).<br />
<br />
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.<br />
<br />
This month's agenda is as follows:<br />
<br />
* Adam Vincent, Hacking and Hardening Web Services<br />
* Doug Wilson, Report on AppSec NYC 2008<br />
* Open discussion<br />
<br />
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased that he can bring it to our DC audience.<br />
<br />
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.<br />
<br />
<br />
<br />
==== History ====<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.<br />
<br />
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.<br />
<br />
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.<br />
<br />
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.<br />
<br />
<br />
<headertabs /> <br />
<br />
<paypal>Washington DC</paypal><br />
<br />
Facility Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Washington, DC]]<br />
[[Category:Maryland]]</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&diff=113152OWASP AppSec DC 20122011-06-28T18:15:45Z<p>Dallendoug: updated logo to old logo until new one can be found.</p>
<hr />
<div>__NOTOC__ <br />
<br />
{{:OWASP AppSec DC 2012 Header}}<br />
<br />
====Welcome==== <br />
<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2012 conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. <br />
<br />
AppSecDC 2012 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on April 2nd through 5th 2012. <br />
<br />
'''Who Should Attend AppSec DC:''' <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br><br />
<br />
'''[[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]'''<br />
<br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- Twitter Box --> <br />
<br />
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL --> <br />
[[Image:Threestarforsite.png]] <br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC12]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
==== Registration ====<br />
<br />
Registration is currently '''<span style="color:#f00">CLOSED</span>'''.<br><br />
<!-- <br />
===Registration Fees===<br />
{| class="wikitable"<br />
|-<br />
! Ticket Type<br />
! Early<br />
! Regular Price<br />
! Late<br />
|-<br />
| Non-Member<br />
| $445.00<br />
| $495.00<br />
| style="background: #cef2e0;" | $545.00<br />
|-<br />
| Active OWASP Member<br />
| $395.00<br />
| $445.00<br />
| style="background: #cef2e0;" | $495.00<br />
|-<br />
| Student<br />
| $195.00<br />
| $195.00<br />
| style="background: #cef2e0;" | $245.00<br />
|}<br />
<br />
{| class="wikitable"<br />
|-<br />
! Course<br />
! Fee<br />
|-<br />
| 1 Day Training<br />
| $745 <br />
|-<br />
| 2 Day Training<br />
| $1495<br />
|}<br />
<br />
'''ATTENTION FEDERAL EMPLOYEES: Enter code ASDC11FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)<br />
<br> For student discount, attendees must present proof of enrollment when picking up your badge.<br />
--><br />
===Who Should Attend AppSec DC 2012=== <br />
<br />
*Application Developers <br />
*Application Testers and Quality Assurance <br />
*Application Project Management and Staff <br />
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff <br />
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance <br />
*Security Managers and Staff <br />
*Executives, Managers, and Staff Responsible for IT Security Governance <br />
*IT Professionals Interested in Improving IT Security<br />
*Anyone interested in learning about or promoting Web Application Security<br><br />
<br><br />
<br />
==== Volunteer ====<br />
<br />
== Volunteers Needed! ==<br />
<br />
Get involved! <br />
<br />
We will take all the help we can get to pull off the best Web Application Security Conference of the year! <br />
<br />
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide], which outlines some of the responsibilities and available positions, can be downloaded.<br />
<br />
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org]<br />
<br />
==== Schedule ====<br />
<br />
{{:OWASP AppSec DC 2012 Schedule}}<br />
<br />
==== Training ====<br />
<br />
== Training ==<br />
Call for training will open soon.<br />
<br />
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.<br />
<!--<br />
Price per attendee (conference registration is a separate item): <br />
* 2-Day Class $1495<br />
* 1-Day Class $745<br />
--><br />
== 2 Day Training ==<br />
<br />
TBD<br />
<br />
== 1 Day Training ==<br />
<br />
TBD<br />
<br />
==== Contests ====<br />
<br />
== OWASP Member Door Prizes! ==<br />
Are you an [[Membership|OWASP Member]]? At AppSecDC we will be giving away some amazing door prizes to randomly selected OWASP members in attendance. You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission. That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration! So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!<br />
<br />
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.<br />
Contestants have the option of either participating in a more relaxed environment with a shorter contest length or going for the more intense route.<br />
Contests consist of:<br />
<br />
TBD<br />
<br />
==== Venue ====<br />
<br />
== Walter E. Washington Convention Center ==<br />
<br />
AppSec DC 2012 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. <br />
<br />
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]). <br />
<br />
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]<br />
<br />
==== Hotel ====<br />
<br />
Hotel contracts are TBD<br />
<br />
==== Sponsors ====<br />
<br />
== Sponsors ==<br />
<br />
We are currently soliciting sponsors for the AppSec DC Conference. <!-- Please refer to our '''[http://www.owasp.org/images/b/bf/APPSEC_DC_2011_sponsorships_1.pdf sponsorship opportunities]''' for details. --><br />
<br />
Please contact us at [mailto:sponsors@appsecdc.org sponsors@appsecdc.org] for sponsorship opportunities.<br />
<br />
<!-- Slots are going fast so contact us to sponsor today! --><br />
<br />
==== Travel ====<br />
<br />
== Traveling to the DC Metro Area ==<br />
<br />
The Washington DC Area is served by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All three offer transportation to downtown DC via public transit, shuttles, or cab. <br />
<br />
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. <br />
<br />
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. <br />
<br />
==== Conference Committee ====<br />
<br />
===Organizers=== <br />
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]<br />
<br />
* [mailto:doug.wilson@owasp.org Doug Wilson]<br />
* [mailto:mark.bristow@owasp.org Mark Bristow]<br />
<br />
===Arch-Minions=== <br />
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]<br />
<br />
* Facilities ([mailto:facilities@appsecdc.org facilities@appsecdc.org])<br />
<br />
* Content ([mailto:content@appsecdc.org content@appsecdc.org])<br />
<br />
* Press ([mailto:press@appsecdc.org press@appsecdc.org])<br />
<br />
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])<br />
<br />
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])<br />
<br />
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])<br />
<br />
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])<br />
<br />
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])<br />
<br />
====FAQ====<br />
{{:OWASP AppSec DC 2012 - FAQ}}<br />
<br />
<headertabs /> <br />
<br />
<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Dallendoughttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012_Header&diff=113151OWASP AppSec DC 2012 Header2011-06-28T18:07:15Z<p>Dallendoug: commenting out banner until a new one can be created.</p>
<hr />
<div><!-- [[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
Registration | Hotel | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br> --> <!-- Header --><br />
<br></div>Dallendoug