https://wiki.owasp.org/api.php?action=feedcontributions&user=HelenG&feedformat=atom
OWASP - User contributions [en] 2024-03-29T02:03:58Z User contributions MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=197792 User:Helen Gao 2015-07-23T01:27:27Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. She has been a Certified Information Systems Security Professional (CISSP) since 2006. Her specialties include software architecture, project management and application development. She has worked at a financial institution, a market research company, a high-tech device manufacturer and a software vendor. <br />
<br />
Helen is currently a Sr. Software Architect at TIBCO Software. She designs and develops complex software that transfers confidential data. Protecting information in such systems is challenging because of their strict performance requirements: high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards_2012 Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a Huaxia Chinese School. <br />
<br />
Helen's contributions to OWASP include the following: <br />
<br />
#Volunteer of the Women in Security program of AppSec USA 2013.<br />
#Volunteer of the Academic Outreach program of AppSec USA 2013.<br />
#Founder and leader of the Long Island Chapter - Founded the chapter in 2006; organizes at least 6 chapter meetings annually.<br> <br />
#Global Membership Committee Chair from 2011 to 2012 - Revised the membership model; recruited 2 organization members, 2 educational members and many individual members in the US and Asia Pacific regions.<br> <br />
#AppSec China 2010, 2011 Overseas Chair<br> <br />
#Leader of the OWASP Chinese Project - Designed the project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor from 2010 to 2012. <br />
#Global Chapter Committee Contributor - Helped revise the new chapter handbook in 2011. Participated in OWASP leaders workshops. <br />
#OWASP Governance Task Force - Helped revise the OWASP by-laws in 2011 <br />
#OWASP Newsletter - Contributed to and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenG
https://wiki.owasp.org/index.php?title=Long_Island&diff=197389 Long Island 2015-07-13T13:13:44Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
'''Our chapter is a proud organizer and sponsor of [http://nymjcsc.org/agenda.htm New York Metro Joint Cyber Security Conference, NYMJCSC 2015]. Submit your speaking proposal online before August 6, 2015.'''<br />
<br />
== '''Next Meetings''' ==<br />
<br><br />
All present & future meetings are posted on [[File:Owasp_meetup_logo_1.png|link=http://www.meetup.com/OWASP-Long-Island-Meetup/]].<br />
<br><br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Sponsors, Topics and Speakers''' <br><br><br />
If you are interested in presenting, have a topic you'd like discussed, or want to sponsor a future meeting, please contact a [mailto:longislandleaders@owasp.org Long Island Board Member]<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Past Meetings=<br />
<br />
==''' January 2015 '''==<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219671551/ RSVP Requested]''' <br />
<br />
The meeting is free. Food and drink will be provided by our chapter supporter, Secure Decisions.<br />
<br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk, based on the 11,000 people who shared their experiences in a four-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
* 1-in-3 organizations had or suspected an open source breach in the last 12 months<br />
* Only 16% of participants must prove they are not using components with known vulnerabilities<br />
* 64% don't track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
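As an added illustration of the A9 practice this talk describes (checking what you ship against published vulnerability data), the following Python is an example written for this page, not Sonatype's, Maven's or OWASP's code. The package names, version ranges and advisory identifiers are constructed for the example; in practice the advisory list would come from a vulnerability feed or a dependency-scanning tool and the manifest would be your real build file. The point it demonstrates is the version-range comparison, which must be numeric and component-wise: comparing version strings lexically puts 1.10.0 before 1.9.0, and an unpinned dependency cannot be checked at all, so a build gate should fail on it rather than skip it.

```python
"""Dependency check against a known-vulnerability list (added example).
Advisories and the manifest are constructed for illustration; the package
names, ranges and advisory ids are fictional, not real CVE data."""
import re
from typing import List, Tuple

# Constructed advisories: (package, first affected version, first fixed version, id).
# An installed version is affected when first_affected <= version < first_fixed.
ADVISORIES = [
    ("example-http", "1.0.0", "1.4.2", "ADV-0001"),
    ("example-xml", "0.0.0", "2.1.0", "ADV-0002"),
    ("example-xml", "3.0.0", "3.0.5", "ADV-0003"),
]

# Constructed manifest in requirements.txt style (name==version pins).
MANIFEST = """\
# build dependencies
example-http==1.3.9
example-xml==3.0.2
example-json==4.0.0
example-yaml>=1.0   # unpinned: cannot be checked reliably
"""

# Accepts only exact pins with dotted numeric versions; anything else is unresolved.
PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric, component-wise comparison key. Comparing version strings
    lexically is a classic mistake: '1.10.0' < '1.9.0' as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (pinned (name, version) pairs, lines that could not be resolved)."""
    pinned, unresolved = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN.match(line)
        if m:
            pinned.append((m.group(1).lower(), m.group(2)))
        else:
            unresolved.append(line)
    return pinned, unresolved


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when version lies in the half-open affected range."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_vulnerable(manifest: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """List (package, version, advisory id) for every pinned dependency that
    falls inside an advisory's affected range."""
    pinned, _ = parse_manifest(manifest)
    hits = []
    for name, version in pinned:
        for pkg, lo, hi, adv_id in advisories:
            if pkg == name and is_affected(version, lo, hi):
                hits.append((name, version, adv_id))
    return hits


def enforce(manifest: str, advisories=ADVISORIES) -> bool:
    """Build gate in the spirit of an enforcer rule: pass only when no
    dependency is in an affected range and every line is a checkable pin."""
    _, unresolved = parse_manifest(manifest)
    return not find_vulnerable(manifest, advisories) and not unresolved


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(MANIFEST):
        print(f"{name}=={version} is affected by {adv_id}")
    print("build allowed:", enforce(MANIFEST))
```

Running it against the constructed manifest flags example-http 1.3.9 and example-xml 3.0.2 (the 3.0.x advisory, not the 2.x one) and blocks the build because of the unpinned example-yaml line.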
<br><br />
<br />
==''' October 2014 '''==<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
==''' August 2014 '''==<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
==''' June 2014 '''==<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
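The abstract above describes what Heartbleed let an attacker do; the following Python is an added example, written for this page rather than taken from OpenSSL or from the talk, that models why. The TLS heartbeat message (RFC 6520) carries a 16-bit payload_length that the peer controls. The vulnerable handler trusted that field and copied that many bytes from the payload offset without checking it against the length of the record actually received, so an oversized claim read adjacent process memory back to the peer. The fix is the bounds check in fixed_heartbeat. Process memory is modelled as a bytearray, and the record-building helper and the neighbouring "secret" bytes are constructed for the simulation.

```python
"""Heartbleed as a missing bounds check: a constructed model of the TLS
heartbeat handler (RFC 6520), not OpenSSL's code. Process memory is modelled
as a bytearray holding the received record followed by unrelated data."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
    claimed_length lets a caller lie about the payload size, which is the
    malformed input that triggered the bug."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING_LEN


def _parse_header(memory: bytearray) -> Tuple[int, int]:
    return memory[0], struct.unpack("!H", bytes(memory[1:3]))[0]


def vulnerable_heartbeat(memory: bytearray, record_length: int) -> bytes:
    """Trusts payload_length from the peer and copies that many bytes from the
    payload offset, ignoring record_length (the bytes actually received). When
    payload_length exceeds the record, the copy runs into adjacent memory."""
    hbtype, payload_length = _parse_header(memory)
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    payload = bytes(memory[3:3 + payload_length])  # over-read past the record
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * PADDING_LEN


def fixed_heartbeat(memory: bytearray, record_length: int) -> Optional[bytes]:
    """Same handler with the check the fix added: the type, length field,
    claimed payload and minimum padding must all fit inside the record, or
    the message is silently discarded (None)."""
    if record_length < 1 + 2 + PADDING_LEN:
        return None
    hbtype, payload_length = _parse_header(memory)
    if 1 + 2 + payload_length + PADDING_LEN > record_length:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = bytes(memory[3:3 + payload_length])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * PADDING_LEN


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Constructed scenario: a 4-byte payload that claims to be 60 bytes,
    sitting in memory next to constructed secret data."""
    secret = b"session=abc123; password=hunter2"
    record = build_heartbeat(b"ping", claimed_length=60)
    memory = bytearray(record + secret)
    return vulnerable_heartbeat(memory, len(record)), fixed_heartbeat(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked)
    print("fixed handler response:", safe)
```

The vulnerable handler echoes the four real payload bytes, the padding and then the neighbouring secret; the fixed handler returns nothing for the same input and still answers a well-formed heartbeat normally.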
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to reach out and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome at the meeting, or you can email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we are to have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab exercising some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussion coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
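As an added example (not from Helen's slides or the original page) of the attack and the defence this talk covers, the Python below reflects a search query into a constructed HTML template in four contexts (element body, quoted attribute, URL query component, JavaScript string literal), first unencoded and then with an encoder chosen per context. The template, function names and test inputs are constructed for this illustration. The one-encoder-per-context rule is the point: html.escape alone is not enough inside a script block, because the browser's HTML parser ends the block at the first `</script>` regardless of JavaScript string quoting, so the JavaScript encoder also hex-escapes `<`, `>` and `&`.

```python
"""Reflected XSS and context-aware output encoding (added example). The
search-page template, the handler names and the inputs are constructed."""
import html
import json
from urllib.parse import quote

# Constructed template reflecting the query into four different contexts.
TEMPLATE = (
    "<h1>Results for {body}</h1>\n"
    '<input name="q" value="{attr}">\n'
    '<a href="/search?q={url}">permalink</a>\n'
    "<script>var lastQuery = {js};</script>\n"
)


def render_search_vulnerable(query: str) -> str:
    """Reflects user input unencoded into every context (the bug)."""
    return TEMPLATE.format(body=query, attr=query, url=query, js='"' + query + '"')


def encode_js_string(value: str) -> str:
    """JSON-encode for a JavaScript string literal, then hex-escape the HTML
    metacharacters json.dumps leaves alone, so '</script>' inside the value
    cannot terminate the enclosing script block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_search_safe(query: str) -> str:
    """One encoder per context: HTML body and quoted attribute use HTML entity
    encoding (quote=True also escapes quotes), the URL component is
    percent-encoded with no characters left unescaped, and the script value
    goes through the JavaScript string encoder."""
    return TEMPLATE.format(
        body=html.escape(query, quote=True),
        attr=html.escape(query, quote=True),
        url=quote(query, safe=""),
        js=encode_js_string(query),
    )


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_search_vulnerable(probe))
    print(render_search_safe(probe))
```

With the probe `<script>alert(1)</script>`, the vulnerable render contains the injected tag verbatim in all four places; the safe render contains only the template's own script tags. An attribute-breaking input such as `" onmouseover="alert(1)` is likewise neutralised in every context.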
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM (ET)<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Robert Gezelter - Minimum Necessary Implementation: Reducing Attack Surface to Increase Security<br />
* '''Abstract:''' <br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
* '''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
* '''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
* '''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
* '''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<br />
* Charles Beganskas<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=196396Long Island2015-06-19T23:39:25Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
'''Our chapter is a proud organizer and sponsor of [http://nymjcsc.org New York Metro Joint Cyber Security Conference, NYMJCSC 2015]'''<br />
<br />
== '''Next Meetings''' ==<br />
<br><br />
All present & future meetings are posted on [[File:Owasp_meetup_logo_1.png|link=http://www.meetup.com/OWASP-Long-Island-Meetup/]].<br />
<br><br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Sponsors, Topics and Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed, or if you want to sponsor a future meeting, please contact a [mailto:longislandleaders@owasp.org Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Past Meetings=<br />
<br />
==''' January 2015 '''==<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219671551/ RSVP Requested]''' <br />
<br />
The meeting is free. Food and drink will be provided by our chapter supporter, Secure Decisions.<br />
<br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the four-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
* 1 in 3 organizations had or suspected an open source breach in the last 12 months<br />
* Only 16% of participants must prove they are not using components with known vulnerabilities<br />
* 64% don’t track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
<br><br />
<br />
==''' October 2014 '''==<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University, 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
==''' August 2014 '''==<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center, 55 Kennedy Drive, Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
==''' June 2014 '''==<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to reach out and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions, coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM (ET)<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition, and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
* '''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
* '''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
* '''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
* '''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<br />
* Charles Beganskas<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=190325User:Helen Gao2015-02-26T12:26:37Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. Her specialties include software architecture, project management and application development. Her experience spans a financial institution, a market research company, a high-tech device manufacturer and a software vendor. <br />
<br />
Helen is currently a Sr. Software Architect at TIBCO Software. She designs and develops complex software that transfers confidential data. The protection of information security in such systems is challenging, due to their strict performance requirements of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards_2012 Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both the United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a Huaxia Chinese School. <br />
<br />
Helen's contribution to OWASP includes the following: <br />
<br />
#Volunteer of the Women in Security program of AppSec USA 2013.<br />
#Volunteer of the Academic Outreach program of AppSec USA 2013.<br />
#Founder and leader of the Long Island Chapter - Founded the chapter in 2006. Organizes at least 4 chapter meetings annually.<br> <br />
#Global Membership Committee Chair from 2011 to 2012 - Revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#AppSec China 2010, 2011 Overseas Chair<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor from 2010 to 2012. <br />
#Global Chapter Committee Contributor - Helped revise the new chapter handbook in 2011. Participated in OWASP leaders workshops. <br />
#OWASP Governance Task Force - Helped revise the OWASP by-laws in 2011. <br />
#OWASP Newsletter - Contributed to and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation.<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=189775Long Island2015-02-16T21:19:42Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br><br />
All present & future meetings are posted on [http://www.meetup.com/OWASP-Long-Island-Meetup/ OWASP Long Island] Meetup.com.<br />
<br><br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Sponsors, Topics and Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed, or if you want to sponsor a future meeting, please contact a [mailto:longislandleaders@owasp.org Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Past Meetings=<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219671551/ RSVP Requested]''' <br />
<br />
The meeting is free. Food and drink will be provided by our chapter supporter, Secure Decisions.<br />
<br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
:*1-in-3 organizations had or suspected an open source breach in the last 12 months<br />
:*Only 16% of participants must prove they are not using components with known vulnerabilities<br />
:*64% don’t track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
<br><br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University, 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks and shifts the responsibility for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center, 55 Kennedy Drive, Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. This is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails and the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses.''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions, coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface to Increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<br />
* Charles Beganskas<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=189774Long Island2015-02-16T21:13:04Z<p>HelenG: /* News and Chapter Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br><br />
<br><br />
<br><br />
<br />
All present & future meetings are posted on [http://www.meetup.com/OWASP-Long-Island-Meetup/ OWASP Long Island] Meetup.com.<br />
<br><br />
<br><br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Sponsors, Topics and Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed, or if you want to sponsor a future meeting, please contact a [mailto:longislandleaders@owasp.org Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Past Meetings=<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219671551/ RSVP Requested]''' <br />
<br />
The meeting is free. Food and drink will be provided by our chapter supporter, Secure Decisions.<br />
<br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk, based on the 11,000 people who shared their experiences in the 4-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
* 1 in 3 organizations had or suspected an open source breach in the last 12 months<br />
* Only 16% of participants must prove they are not using components with known vulnerabilities<br />
* 64% don't track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
<br><br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks and shifts the responsibility for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center, 55 Kennedy Drive, Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP Requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK].<br />
<br><br />
===''' April 2014 '''===<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
===''' April 2013 '''===<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
===''' December 2012 '''===<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
===''' September 2012 '''===<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses.''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
===''' May 2012 '''===<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
===''' February 2012 '''===<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
===''' September 2011 '''===<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions, coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
===''' May 2011 '''===<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn have more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
===''' March 2011 '''===<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<br />
* Charles Beganskas<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC in April 2012, by Jack Mannino, Mike Zusman and Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=187558Long Island2015-01-05T16:49:57Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219158992/ RSVP Requested]''' <br />
The meeting is free. Food and drink will be provided by our chapter supporter, Secure Decisions.<br />
<br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk, based on the 11,000 people who shared their experiences in the 4-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
* 1 in 3 organizations had or suspected an open source breach in the last 12 months<br />
* Only 16% of participants must prove they are not using components with known vulnerabilities<br />
* 64% don't track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
=Past Meetings=<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses.''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small- to medium-size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011, 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro<br />
:WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=187557Long Island2015-01-05T16:41:54Z<p>HelenG: /* January 2015 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Thursday, January 22, 2015 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Huntington LaunchPad, 315 Main Street, 2nd Fl, Huntington, NY.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/219158992/ RSVP Requested]''' <br />
* '''Aliens in Your Apps! Are You Using Components with Known Vulnerabilities?'''<br />
<br />
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Thus the OWASP A9 guideline – Don’t Use Components with Known Vulnerabilities. <br />
<br />
Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. Explore the technical realities of why it has been so hard to fully eradicate vulnerable open source components. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4-year industry-wide study on open source development and application security. Among the surprising results…<br />
<br />
* 1-in-3 organizations had or suspected an open source breach in the last 12 months<br />
* Only 16% of participants must prove they are not using components with known vulnerabilities<br />
* 64% don’t track changes in open source vulnerability data<br />
<br />
Join Brian for what is sure to be an engaging and insightful assessment of these trends with practical approaches to solving the problem today.<br />
<br />
* '''About the Speaker:'''<br />
:Brian Fox is VP of Product Management at Sonatype, with extensive open source experience as a member of the Apache Software Foundation for the past 7 years and former Chair of the Apache Maven project. Brian has provided significant development contributions to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian holds a Bachelor of Science degree in Computer Science from Daniel Webster College.<br />
<br><br />
<br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
=Past Meetings=<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications, earned since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. 
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses.''' We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threat landscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. 
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions, coordinated by Ryan Behan
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small- to medium-size businesses protect themselves from this? Insurance, increased IT budgets?
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000
* '''Topics & Speakers:''' Robert Gezelter - Minimum Necessary Implementation: Reducing Attack Surface to Increase Security
* '''Abstract:'''
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.
* '''About the Speaker:'''
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. 
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.

:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. 
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. 
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=China-Mainland&diff=187367China-Mainland2014-12-29T15:30:19Z<p>HelenG: /* OWASP China Leaders */</p>
<hr />
<div>[[Image:OWASP China logo.jpg]] <br />
<br />
{{Chapter Template|chaptername=China-Mainland|extra=The chapter leader is [mailto:rip@owasp.org Rip Torn]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland|emailarchives=https://lists.owasp.org/pipermail/owasp-china-mainland}} <br />
<br />
== [http://www.owasp.org.cn '''OWASP China Website'''] ==
For the latest OWASP China news, see the OWASP China website: http://www.owasp.org.cn
<br />
== '''OWASP China Research Groups''' ==
<br />
To help the salons and events in each region of OWASP China run continuously and reliably, OWASP China has set up regional groups whose main purpose is to promote exchange and sharing within smaller communities. Anyone is welcome to nominate themselves as the leader of their own region. The OWASP China project research groups build on OWASP's current open source projects, study application security techniques in depth, and produce related Chinese-language materials, training documents, security tools and so on. They also give related training at regional events from time to time. For details, see the OWASP China website: http://www.owasp.org.cn 
<br />
'''OWASP China Project Research Groups''' 
<br />
#'''OWASP Top 10''' <br />
#'''OWASP Testing Guide''' <br />
#'''OWASP WebGoat''' <br />
#'''OWASP WebScarab''' <br />
#'''Application Security Assessment'''
#'''Code Review Guide'''
#'''Development Guide'''<br />
#'''OWASP OpenSAMM'''<br />
#'''Mobile Application Security Testing Benchmark'''
#'''WAF Evaluation Benchmark'''
#'''Web Scanner Evaluation Benchmark'''
<br />
'''[http://www.owasp.org/index.php/OWASP_Chinese_Project OWASP China Projects]''' 
<br />
#OWASP Top 10 Project [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf '''download'''] 
#OWASP Testing Guide (Chinese edition) '''[http://www.owasp.org/images/0/06/OWASP%E6%B5%8B%E8%AF%95%E6%8C%87%E5%8D%97%28%E4%B8%AD%E6%96%87%EF%BC%89.pdf download]''' 
#OWASP SAMM '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/owasp-samm/samm/owasp-samm download]''' 
#OWASP Cloud-10 Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/Cloud_10/cloud_10 download]''' 
#WAF Testing Benchmark 
#Webscan Verification Platform 
#OWASP AntiSamy Java Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/OWASP_AntiSamy_Java/owasp-antisamy-java download]'''
#OWASP AntiSamy .NET Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/OWASP_AntiSamy_.NET/owasp-antisamy.net download]'''
#OWASP Enterprise Security API (ESAPI) Project 
#OWASP Live CD Project
<br />
== '''OWASP China Leaders''' ==

'''OWASP China Regional Leaders''' 
<br />
'''President''': [mailto:rip@owasp.org Rip Torn] <br />
<br />
'''Vice President''': Frank Fan <br />
<br />
'''Secretary''': [mailto:Ivy@owasp.org.cn Ivy Zhang]<br />
<br />
'''Beijing:''' Chen Liang, Bi Ning, Chen Xinlong

'''Shandong:''' McFord

'''Shanghai:''' Wang Wenjun

'''Hangzhou:''' Tony, Yuan Mingkun, Wu Hanqing

'''Wuhan:''' Zhang Yan

'''Chengdu:''' Wangjie

'''OWASP China Overseas Regional Leaders''' 

#'''North America:''' [mailto:helen.gao@owasp.org Helen Gao 高雯]
<br />
== '''Sponsoring OWASP (NEW)''' ==

To better serve our clients and support the continued research of OWASP projects, we warmly welcome you to participate in and sponsor OWASP China! 

'''Individual Membership''' 

Individual sponsors enjoy the following benefits: 

#Free admission to all conferences and meetings held by OWASP China 
#Member discounts on OWASP China training 
#A dedicated OWASP China e-mail address 

'''Conference Sponsorship''' Sponsor OWASP conferences and meetings: 

#Submit your company logo to the OWASP China website (a GIF, JPG or PNG file, 150px X 45px at 72dpi or 55px X 80px at 72dpi) 
#Promote application security products and services at OWASP China meetings 
#Participate in OWASP China project research 

<br>'''Corporate Sponsorship''' Support OWASP projects and grant activities, and receive discounts on showcasing products and services at OWASP conferences 

#A free floating banner on the OWASP China home page for 30 days 
#Your logo displayed on the OWASP China website (a GIF, JPG or PNG file, 150px X 45px at 72dpi or 55px X 80px at 72dpi) 
#Listing as a sponsor on the OWASP China mailing list 
#Discounts on the OWASP China Summit and on conferences co-hosted by OWASP 
#Eligibility to apply to host a regional OWASP meeting locally 

For details on the above, contact: [mailto:Ivy@owasp.org.cn Ivy Zhang]
<br />
<br />
== '''Technical Sharing''' ==

#Beware of the approaching mass injection storm: just before a tornado or a severe blizzard arrives, things often seem especially calm. We hope this does not come true for domestic websites, because in the past few months there have already been two consecutive mass website injection storms abroad. In total, over a hundred thousand websites were ruthlessly compromised in just a few days, and more importantly, every innocent user who visited these websites became the ultimate victim, as credential-stealing trojans of every kind flourished.【[https://www.owasp.org/images/5/5f/%E8%AD%A6%E6%83%95%E7%BD%91%E7%BB%9C%E7%BE%A4%E6%B3%A8%E9%A3%8E%E6%9A%B4%E7%9A%84%E9%80%BC%E8%BF%91.doc Resource download]】 
#Pangolin is an automated SQL injection penetration testing tool for the Windows platform. Thanks to Vincent Chao for providing an OWASP China chapter edition of Pangolin. [https://www.owasp.org/images/0/0f/Pangolin_owasp.zip Pangolin tool download], [https://www.owasp.org/images/b/bd/%E5%9F%BA%E6%9C%AC%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C.doc Basic user manual]
<br />
== '''Members-Only Area''' ==

<font color="#ff0000">Anyone can join the OWASP China chapter for free. Members enjoy:</font>

#Invitations to application security technical exchanges 
#Trial editions of commercial web and database security software 
#The latest security technical materials from China and abroad
<br />
== '''Join the OWASP China Chapter''' ==

'''All of the chapter's security resources (security tools, security materials, etc.) are fully open to OWASP China chapter members''' 

'''Members receive priority invitations to security technical exchanges''' 

Before joining the chapter, please read the [https://www.owasp.org/index.php/Chapter_Rules chapter membership rules] carefully. To apply for membership, e-mail the following information to the [mailto:member@owasp.org.cn chapter president]. 

#E-mail subject: OWASP China Membership Registration (Name) 
#Name: 
#Organization: 
#Position: 
#E-mail: 
#Phone: 
#Personal research interests: 
#Research areas you would like to participate in:
<br />
<br />
<br />
<br />
[[Category:China]]</div>HelenGhttps://wiki.owasp.org/index.php?title=China-Mainland&diff=187366China-Mainland2014-12-29T15:30:00Z<p>HelenG: /* OWASP China Leaders */</p>
<hr />
<div>[[Image:OWASP China logo.jpg]] <br />
<br />
{{Chapter Template|chaptername=China-Mainland|extra=The chapter leader is [mailto:rip@owasp.org Rip Torn]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-China-Mainland|emailarchives=https://lists.owasp.org/pipermail/owasp-china-mainland}} <br />
<br />
== [http://www.owasp.org.cn '''OWASP China Website'''] ==
For the latest OWASP China news, see the OWASP China website: http://www.owasp.org.cn
<br />
== '''OWASP China Research Groups''' ==
<br />
To help the salons and events in each region of OWASP China run continuously and reliably, OWASP China has set up regional groups whose main purpose is to promote exchange and sharing within smaller communities. Anyone is welcome to nominate themselves as the leader of their own region. The OWASP China project research groups build on OWASP's current open source projects, study application security techniques in depth, and produce related Chinese-language materials, training documents, security tools and so on. They also give related training at regional events from time to time. For details, see the OWASP China website: http://www.owasp.org.cn 
<br />
'''OWASP China Project Research Groups''' 
<br />
#'''OWASP Top 10''' <br />
#'''OWASP Testing Guide''' <br />
#'''OWASP WebGoat''' <br />
#'''OWASP WebScarab''' <br />
#'''Application Security Assessment'''
#'''Code Review Guide'''
#'''Development Guide'''<br />
#'''OWASP OpenSAMM'''<br />
#'''Mobile Application Security Testing Benchmark'''
#'''WAF Evaluation Benchmark'''
#'''Web Scanner Evaluation Benchmark'''
<br />
'''[http://www.owasp.org/index.php/OWASP_Chinese_Project OWASP China Projects]''' 
<br />
#OWASP Top 10 Project [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf '''download'''] 
#OWASP Testing Guide (Chinese edition) '''[http://www.owasp.org/images/0/06/OWASP%E6%B5%8B%E8%AF%95%E6%8C%87%E5%8D%97%28%E4%B8%AD%E6%96%87%EF%BC%89.pdf download]''' 
#OWASP SAMM '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/owasp-samm/samm/owasp-samm download]''' 
#OWASP Cloud-10 Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/Cloud_10/cloud_10 download]''' 
#WAF Testing Benchmark 
#Webscan Verification Platform 
#OWASP AntiSamy Java Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/OWASP_AntiSamy_Java/owasp-antisamy-java download]'''
#OWASP AntiSamy .NET Project '''[http://www.owasp.org.cn/owasp-project/Finished_Projects/OWASP_AntiSamy_.NET/owasp-antisamy.net download]'''
#OWASP Enterprise Security API (ESAPI) Project 
#OWASP Live CD Project
<br />
== '''OWASP China Leaders''' ==

'''OWASP China Regional Leaders''' 
<br />
'''President''': [mailto:rip@owasp.org Rip Torn] <br />
<br />
'''Vice President''': Frank Fan <br />
<br />
'''Secretary''': [mailto:Ivy@owasp.org.cn Ivy Zhang]<br />
<br />
'''Beijing:''' Chen Liang, Bi Ning, Chen Xinlong

'''Shandong:''' McFord

'''Shanghai:''' Wang Wenjun

'''Hangzhou:''' Tony, Yuan Mingkun, Wu Hanqing

'''Wuhan:''' Zhang Yan

'''Chengdu:''' Wangjie

'''OWASP China Overseas Regional Leaders''' 

#'''North America:''' [mailto:helen.gao@owasp.org Helen Gao 高雯]
<br />
== '''Sponsoring OWASP (NEW)''' ==

To better serve our clients and support the continued research of OWASP projects, we warmly welcome you to participate in and sponsor OWASP China! 

'''Individual Membership''' 

Individual sponsors enjoy the following benefits: 

#Free admission to all conferences and meetings held by OWASP China 
#Member discounts on OWASP China training 
#A dedicated OWASP China e-mail address 

'''Conference Sponsorship''' Sponsor OWASP conferences and meetings: 

#Submit your company logo to the OWASP China website (a GIF, JPG or PNG file, 150px X 45px at 72dpi or 55px X 80px at 72dpi) 
#Promote application security products and services at OWASP China meetings 
#Participate in OWASP China project research 

<br>'''Corporate Sponsorship''' Support OWASP projects and grant activities, and receive discounts on showcasing products and services at OWASP conferences 

#A free floating banner on the OWASP China home page for 30 days 
#Your logo displayed on the OWASP China website (a GIF, JPG or PNG file, 150px X 45px at 72dpi or 55px X 80px at 72dpi) 
#Listing as a sponsor on the OWASP China mailing list 
#Discounts on the OWASP China Summit and on conferences co-hosted by OWASP 
#Eligibility to apply to host a regional OWASP meeting locally 

For details on the above, contact: [mailto:Ivy@owasp.org.cn Ivy Zhang]
<br />
<br />
== '''Technical Sharing''' ==

#Beware of the approaching mass injection storm: just before a tornado or a severe blizzard arrives, things often seem especially calm. We hope this does not come true for domestic websites, because in the past few months there have already been two consecutive mass website injection storms abroad. In total, over a hundred thousand websites were ruthlessly compromised in just a few days, and more importantly, every innocent user who visited these websites became the ultimate victim, as credential-stealing trojans of every kind flourished.【[https://www.owasp.org/images/5/5f/%E8%AD%A6%E6%83%95%E7%BD%91%E7%BB%9C%E7%BE%A4%E6%B3%A8%E9%A3%8E%E6%9A%B4%E7%9A%84%E9%80%BC%E8%BF%91.doc Resource download]】 
#Pangolin is an automated SQL injection penetration testing tool for the Windows platform. Thanks to Vincent Chao for providing an OWASP China chapter edition of Pangolin. [https://www.owasp.org/images/0/0f/Pangolin_owasp.zip Pangolin tool download], [https://www.owasp.org/images/b/bd/%E5%9F%BA%E6%9C%AC%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C.doc Basic user manual]
<br />
== '''Members-Only Area''' ==

<font color="#ff0000">Anyone can join the OWASP China chapter for free. Members enjoy:</font>

#Invitations to application security technical exchanges 
#Trial editions of commercial web and database security software 
#The latest security technical materials from China and abroad
<br />
== '''Join the OWASP China Chapter''' ==

'''All of the chapter's security resources (security tools, security materials, etc.) are fully open to OWASP China chapter members''' 

'''Members receive priority invitations to security technical exchanges''' 

Before joining the chapter, please read the [https://www.owasp.org/index.php/Chapter_Rules chapter membership rules] carefully. To apply for membership, e-mail the following information to the [mailto:member@owasp.org.cn chapter president]. 

#E-mail subject: OWASP China Membership Registration (Name) 
#Name: 
#Organization: 
#Position: 
#E-mail: 
#Phone: 
#Personal research interests: 
#Research areas you would like to participate in:
<br />
<br />
<br />
<br />
[[Category:China]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=183860Long Island2014-10-17T20:14:10Z<p>HelenG: /* Upcoming Meetings Schedule */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''[http://adelphi.adobeconnect.com A live stream will be available. Enter as a guest.]''' 
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br />
* '''Directions:'''<br />
:Once you are on campus, please proceed to the Training Room in the Lower Level of New Hall A. The Nassau Boulevard LIRR train station is within walking distance. For travelers arriving early, a shuttle bus will depart the train station at 5:45PM and bring you to campus. Parking is available, but it may take a little while to find a good spot. Parking field 7 is your best shot. [http://about.adelphi.edu/campus-locations/visit/directions/ Directions to campus] [http://map.adelphi.edu/ An interactive campus map].<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or to email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:Top Ten Web Defenses: We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date:''' Saturday, May 14, 2011 <br />
* '''Time:''' 12:30pm - 3:30pm <br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
* '''Topics & Speakers:''' <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface to Increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro: WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC in April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>
HelenG
https://wiki.owasp.org/index.php?title=Long_Island&diff=183744 Long Island 2014-10-15T21:18:32Z
<p>HelenG: /* October 2014 */</p>
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' Septmeber 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to come to the meeting or to email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small- to medium-size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=183714Long Island2014-10-15T14:49:24Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics: Android Wear and Google Glass'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br />
* '''Directions:'''<br />
:Once you are on campus, please proceed to the Training Room in the Lower Level of New Hall A. The Nassau Boulevard LIRR train station is within walking distance. For travelers arriving early, a shuttle bus will depart the train station at 5:45 PM and bring you to campus. Parking is available, but it may take a little while to find a good spot; Parking Field 7 is your best bet. [http://about.adelphi.edu/campus-locations/visit/directions/ Directions to campus] [http://map.adelphi.edu/ An interactive campus map].<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace)<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to come to the meeting or to email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent Attack on Infraguard Website.<br />
::*Security as a Service Model vs. Internally Managed Security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustable than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=183713Long Island2014-10-15T14:47:19Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics:''' Android Wear and Google Glass<br />
* '''Abstract:'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br />
* '''Directions:'''<br />
:Once you are on campus, please proceed to the Training Room in the Lower Level of New Hall A. The Nassau Boulevard LIRR train station is within walking distance. For travelers arriving early, a shuttle bus will depart the train station at 5:45 PM and bring you to campus. Parking is available, but it may take a little while to find a good spot. Parking field 7 is your best bet. [http://about.adelphi.edu/campus-locations/visit/directions/ Directions to campus] [http://map.adelphi.edu/ An interactive campus map].<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP (Software Assurance Marketplace)<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to outreach and organize chapter activities. This is also a greet and meet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Robert Gezelter - Minimum Necessary Implementation: Reducing Attack Surface Increases Security<br />
* '''Abstract:''' <br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn have more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro:''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen is a senior software architect in the Garden City office of TIBCO Software Inc. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a Gold advisor for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC in April 2012, by Jack Mannino, Mike Zusman and Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>
HelenG https://wiki.owasp.org/index.php?title=Long_Island&diff=183712 Long Island 2014-10-15T14:46:33Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University 1 South Avenue, Garden City, NY 11530. Direction details are below.<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics:''' Android Wear and Google Glass<br />
* '''Android Wear and Google Glass Abstract:'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br />
* '''Directions:'''<br />
:Once you are on campus, please proceed to the Training Room in the Lower Level of New Hall A. The Nassau Boulevard LIRR train station is within walking distance. For travelers arriving early, a shuttle bus will depart the train station at 5:45 PM and bring you to campus. Parking is available, but it may take a little while to find a good spot; Parking Field 7 is your best bet. [http://about.adelphi.edu/campus-locations/visit/directions/ Directions to campus] [http://map.adelphi.edu/ An interactive campus map].<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting, consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship].</center><br />
<center>If you can host an upcoming meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has held many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. This is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome at the meeting, or you can email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
::*Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent Attack on Infraguard Website.<br />
::*Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro. WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC in April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=183711Long Island2014-10-15T14:37:07Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/198775852/ RSVP Requested]''' <br />
* '''Topics:''' Android Wear and Google Glass<br />
* '''Android Wear and Google Glass Abstract:'''<br />
:Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change; please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center, 55 Kennedy Drive, Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to conduct outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices, 200 Garden City Plaza #220, Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses''' - We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we are to have any chance of providing organizations with proper defenses in the current threat landscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab exercising some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions, coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked, and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991, as an application developer, project manager, and software architect. Her employment history includes a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc., where her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent Attack on the InfraGard Website.<br />
::*Security as a Service Model vs. Internally Managed Security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small- and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro. WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=179777User:Helen Gao2014-08-01T21:16:04Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. Her specialties include software architecture, project management and application development. Her experience spans a financial institution, a market research company, a high-tech device manufacturer and a software vendor. <br />
<br />
Helen is currently Sr. Software Architect of TIBCO Software. She designs and develops complex software that transfers confidential data. The protection of information security in such systems is challenging, due to their strict performance requirements of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards_2012 Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a branch of Huaxia Chinese School. <br />
<br />
Helen's contribution to OWASP includes the following: <br />
<br />
#Volunteer of the Women in Security program of AppSec USA 2013.<br />
#Volunteer of the Academic Outreach program of AppSec USA 2013.<br />
#Founder and leader of the Long Island Chapter - Founded the chapter in 2006; organizes at least 4 chapter meetings annually.<br> <br />
#Global Membership Committee Chair from 2011 to 2012 - Revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#AppSec China 2010, 2011 Overseas Chair<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor from 2010 to 2012. <br />
#Global Chapter Committee Contributor - Helped revise the new chapter handbook in 2011. Participated in OWASP leaders workshops. <br />
#OWASP Governance Task Force - Helped revise the OWASP by-laws in 2011 <br />
#OWASP Newsletter - Contributed and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation between local chapters in greater China and the OWASP Foundation<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=179767Long Island2014-08-01T20:48:14Z<p>HelenG: /* August 2014 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested]'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and a partnership between them and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP. <br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
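The over-read the abstract describes, as an added example that is not OpenSSL's code and not part of the original page. It is a deliberately simplified heartbeat handler in Python over a constructed byte string standing in for process memory; the record layout follows RFC 6520, and the fixed version applies, in simplified form, the same kind of length check the OpenSSL patch introduced. The function names, the private-key placeholder and the sample lengths are assumptions for the demo.

```python
# Added example, not OpenSSL's code: a simplified TLS heartbeat handler using
# the RFC 6520 record layout  type(1) | payload_length(2) | payload | padding(>=16).
# `memory` stands in for the process heap holding the received record and
# whatever happens to lie after it; rec_len is how many bytes actually arrived.
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE, MIN_PADDING = 1, 2, 16


def heartbeat_vulnerable(memory: bytes, rec_len: int) -> Optional[bytes]:
    """The bug: the peer-supplied payload_length is trusted and rec_len is never
    consulted, so the echo copies payload_length bytes starting at the payload,
    running past the end of the record into neighbouring memory."""
    if memory[0] != HB_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    payload = memory[3:3 + payload_len]            # may run far beyond rec_len
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload


def heartbeat_fixed(memory: bytes, rec_len: int) -> Optional[bytes]:
    """Same handler with the bounds check the fix introduced: header, claimed
    payload and minimum padding must all fit inside the bytes actually received."""
    if rec_len < 1 + 2 + MIN_PADDING or memory[0] != HB_REQUEST:
        return None                                # too short to be a heartbeat at all
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return None                                # silently discard, as the patched code does
    payload = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload


def build_memory(claimed_len: int, payload: bytes = b"hi") -> Tuple[bytes, int]:
    """Constructed heap image: one heartbeat record whose length field says
    claimed_len (the real payload is `payload`), followed by unrelated data that
    a server must never echo. Returns (memory, bytes really received)."""
    record = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * MIN_PADDING
    secret = b"-----BEGIN RSA PRIVATE KEY-----"    # stand-in for adjacent heap contents
    memory = record + b"\x00" * 11 + secret + b"\x00" * 600
    return memory, len(record)


def leaked(response: Optional[bytes]) -> bool:
    """True if the heartbeat response carries bytes from outside the record."""
    return response is not None and b"PRIVATE KEY" in response


if __name__ == "__main__":
    mem, received = build_memory(claimed_len=512)   # says 512, really carried 2
    print("vulnerable leaks secret:", leaked(heartbeat_vulnerable(mem, received)))
    print("fixed rejects request:", heartbeat_fixed(mem, received) is None)
```

With a record that claims 512 bytes but really carried 2, the vulnerable handler answers with 515 bytes that include the placeholder key text placed after the record; the fixed handler drops that request and still answers an honest 2-byte one. The real attack repeats this with the 64 KB maximum the length field allows, which is where keys and session data turned up.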
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has held many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses.''' We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we are to have any chance of providing organizations with proper defenses in the current threat landscape. This talk will discuss the 10 most important security-centric programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab exercising some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web Application Vulnerabilities & Round Table Discussions coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - what are the motivations for attacks? How do small- and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''==<br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface Increases Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications.<br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.<br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro. WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.<br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC in April 2012, by Jack Mannino, Mike Zusman and Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=179766Long Island2014-08-01T20:46:53Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' Adelphi University - Hauppauge Center 55 Kennedy Drive Hauppauge, NY 11788<br />
* '''Topics:''' OWASP / SWAMP(Software Assurance Market Place) <br />
* '''[http://www.meetup.com/OWASP-Long-Island-Meetup/events/196329372/ RSVP requested].'''<br />
* '''OWASP / SWAMP Abstract:'''<br />
:You may have heard the recent announcement of a strategic partnership between OWASP and the DHS-sponsored Software Assurance Marketplace (SWAMP). The SWAMP is an evolving national resource for software assurance, and the partnership between the SWAMP and OWASP will be valuable to both organizations. You can learn about this growing relationship at https://www.owasp.org/index.php/SWAMP_OWASP.<br />
:Secure Decisions, a division of Applied Visions, is a local research and development firm with strong ties to the DHS Science and Technology directorate, and has direct involvement in the SWAMP. Ken Prole, Hassan Radwan, and Anita D’Amico will be presenting an overview of the SWAMP, including its architecture, its history, and a brief demonstration of its capabilities. Come prepared for a lively discussion on the value and challenges of the SWAMP and how those impact OWASP and the larger application security community.<br />
<br><br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer with the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has held many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others.<br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on outreach and on how to organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent Attack on Infraguard Website.<br />
::*Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012, by Jack Mannino, Mike Zusman and Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=179309User:Helen Gao2014-07-25T21:30:11Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. Her specialties include software architecture, project management and application development. Her experience spans a financial institution, a market research company, a high-tech device manufacturer and a software vendor. <br />
<br />
Helen is currently a senior architect at TIBCO Software Inc. Her job duties include designing and developing complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards_2012 Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both the United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a branch of Huaxia Chinese School. <br />
<br />
Helen's contribution to OWASP includes the following: <br />
<br />
#Volunteer of the Women in Security program of AppSec USA 2013.<br />
#Volunteer of the Academic Outreach program of AppSec USA 2013.<br />
#Founder and leader of the Long Island Chapter - Founded the chapter in 2006. Organizes at least 4 chapter meetings annually.<br> <br />
#Global Membership Committee Chair from 2011 to 2012 - Revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#AppSec China 2010, 2011 Overseas Chair<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor from 2010 to 2012. <br />
#Global Chapter Committee Contributor - Helped revise the new chapter handbook in 2011. Participated in OWASP leaders workshops. <br />
#OWASP Governance Task Force - Helped revise the OWASP by-laws in 2011 <br />
#OWASP Newsletter - Contributed to and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=176273Long Island2014-06-02T17:27:16Z<p>HelenG: /* June 2014 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer with the OWASP Foundation since 2004, when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI InfraGard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006, creating the [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has held many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Compliance<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:'''Top Ten Web Defenses:''' We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent attack on the InfraGard website.<br />
::*Security as a Service model vs. internally managed security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Robert Gezelter - Minimum Necessary Implementation: Reducing Attack Surface Increases Security<br />
* '''Abstract:''' <br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers. We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to information technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012, by Jack Mannino, Mike Zusman and Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=176272Long Island2014-06-02T17:25:20Z<p>HelenG: /* June 2014 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
===''' June 2014 '''===<br />
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Register:''' RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]<br />
* '''Topics:''' Heartbleed<br />
* '''Heartbleed Abstract:'''<br />
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. <br />
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br><br />
:Resources for the discussion:<br />
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br><br />
:Other External Resources:<br />
::[http://heartbleed.com/ http://heartbleed.com/]<br />
* '''About the Speaker:'''<br />
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.<br />
<br />
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has held many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others. <br />
<br />
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]<br />
<br><br />
<br />
''Free dinner and drinks will be provided.''<br />
<br><br />
----<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center><br />
<br />
=Upcoming Meetings Schedule=<br />
''The information on this page is subject to change, please check back frequently for updates''<br />
<br />
===''' August 2014 '''===<br />
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Compliance<br />
<br />
===''' October 2014 '''===<br />
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' OWASP Dependency Checking / Sonatype<br />
<br />
===''' January 2015 '''===<br />
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' March 2015 '''===<br />
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' Mobile application<br />
<br />
===''' May 2015 '''===<br />
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' July 2015 '''===<br />
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' September 2015 '''===<br />
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
===''' November 2015 '''===<br />
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)<br />
* '''Topics:''' TBA<br />
<br />
<br />
=Past Meetings=<br />
==''' April 2014 '''==<br />
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.<br />
* '''Abstract:'''<br />
:This is a meeting to brainstorm ideas on outreach and on organizing chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or to email your suggestions to helen.gao at owasp.org.<br />
:A simple dinner will be provided.<br />
<br><br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<br><br />
==''' April 2013 '''==<br />
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
* '''Topics:''' RailsGoat & GoatDroid<br />
<br />
* '''RailsGoat Abstract:'''<br />
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
* '''About the Speaker:'''<br />
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br><br />
----<br />
<br><br />
* '''GoatDroid Abstract:'''<br />
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br><br />
==''' December 2012 '''==<br />
<br />
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
* '''Topics:''' Threat Modeling<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2012 '''==<br />
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi<br />
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming<br />
* '''Abstract:''' <br />
:Top Ten Web Defenses: We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. <br />
* '''About the Speaker:'''<br />
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
* '''Meeting Replay Video:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em<br />
<br />
<br><br />
==''' May 2012 '''==<br />
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security<br />
* '''Abstract:''' <br />
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
::Topics:<br />
:::*Mobile Application Security<br />
:::*OWASP GoatDroid<br />
:::*OWASP MobiSec<br />
* '''About the Speaker:'''<br />
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br />
<br><br />
==''' February 2012 '''==<br />
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)<br />
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.<br />
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.<br />
* '''Abstract:''' <br />
:Topics:<br />
::*Overview of BackTrack<br />
::*Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
::*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
* '''About the Speaker:'''<br />
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br><br />
==''' September 2011 '''==<br />
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)<br />
* '''Location:''' University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan<br />
* '''Abstract:''' <br />
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
* '''About the Speaker:'''<br />
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br><br />
-----<br />
<br><br />
* '''Abstract:''' <br />
:Topics:<br />
::*Recent Attack on InfraGard Website.<br />
::*Security as a Service Model vs. Internally Managed Security - Five years from now, what will IT look like?<br />
::*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
* '''About the Speaker:'''<br />
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br><br />
==''' May 2011 '''== <br />
* '''Date & Time:''' Saturday, May 14, 2011 from 12:30 PM to 3:30 PM<br />
* '''Location:''' Student Center, Hofstra University, Hempstead, NY 11549-1000<br />
* '''Topics & Speakers:''' Robert Gezelter - '''Minimum Necessary Implementation: Reducing Attack Surface to Increase Security'''<br />
* '''Abstract:'''<br />
:Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).<br />
:Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
:We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.<br />
* '''About the Speaker:'''<br />
:Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.<br />
<br />
<br><br />
==''' March 2011 '''==<br />
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)<br />
* '''Location:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753<br />
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro<br />
* '''Abstract:''' <br />
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
* '''About the Speaker:'''<br />
:Rajendra Umadas, OWASP Member<br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.<br />
<br />
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
*'''About the Speaker:'''<br />
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br><br />
----<br />
<br><br />
*'''Abstract:''' <br />
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro<br />
:WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
*'''About the Speaker:'''<br />
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.<br />
<br />
<br />
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.<br />
<br />
<br />
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=173886Long Island2014-04-29T19:35:17Z<p>HelenG: /* December 2012 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014 @ 7:00PM<br />
* Location: TIBCO Office 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on outreach and on organizing chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or to email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' April 2013 '''==<br />
<ul><br />
* Date & Time: April 25, 2013 from 6:30 PM to 9:30 PM (EDT)<br />
* Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
</ul><br />
<br />
*Ken's Abstract<br />
<br />
While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
About the Speaker:<br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
*Jack's Abstract:<br />
<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
About the Speaker:<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
==''' December 2012 '''==<br />
<ul><br />
* Date & Time: 12/13/2012, 6:30 pm - 9:00 pm<br />
* Location: Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
</ul><br />
<br />
<ul><br />
* Topic - Threat Modeling<br />
* About the Speaker - Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
</ul><br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses: We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheat Sheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent attack on the InfraGard website.<br />
Security as a Service model vs. internally managed security - Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After-event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=173885Long Island2014-04-29T19:31:09Z<p>HelenG: /* September Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014 @ 7:00PM<br />
* Location: TIBCO Office 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on how to do outreach and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change; please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' April 2013 '''==<br />
<ul><br />
* April 25, 2013 from 6:30 PM to 9:30 PM (EDT)<br />
* Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
</ul><br />
<br />
*Ken's Abstract<br />
<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails and the solutions for remediating them. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
About the Speaker:<br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
*Jack's Abstract:<br />
<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
About the Speaker:<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
==''' December 2012 '''==<br />
<ul><br />
* 12/13/2012 Time: 6:30pm - 9:00<br />
* Location: Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University<br />
</ul><br />
<br />
* About the Speaker - Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA. <br />
<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will present on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> '''Top Ten Web Defenses''' - We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheat Sheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent attack on the InfraGard website.<br />
Security as a Service model vs. internally managed security - Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
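As an added example of the "unguarded SQL query" the abstract names (this code is not from Mr. Gezelter's talk or from the chapter page), the block below builds a login lookup by string formatting and, beside it, the parameterised form that keeps the statement text fixed. The table, its two rows, the attacker's input and the function names are constructed for this illustration.

```python
"""Added example (not from the chapter page or any speaker's material):
the 'unguarded SQL query' from Robert Gezelter's abstract, shown as a
login lookup built by string formatting beside the parameterised form.
The schema, table contents and sample inputs are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory SQLite database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_unguarded(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Vulnerable: user input is spliced into the SQL text, so a quote in the
    # input changes the structure of the statement the database parses.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Hardened: the statement text is constant; the values travel as bound
    # parameters and are never parsed as SQL, whatever characters they hold.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology: turns the WHERE clause true for every row
    return {
        "unguarded_good": login_unguarded(conn, "alice", "correct horse"),
        "unguarded_attack": login_unguarded(conn, "x", payload),
        "param_good": login_parameterised(conn, "alice", "correct horse"),
        "param_attack": login_parameterised(conn, "x", payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:17s} -> {rows}")
```

With the tautology input the unguarded version's statement becomes `... AND password = '' OR '1'='1'` and returns every user; the parameterised version compares the literal string and returns nothing, which is the whole of the "minimum necessary" argument applied to one query.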
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=173884Long Island2014-04-29T19:30:30Z<p>HelenG: /* April 2013 */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014 @ 7:00PM<br />
* Location TIBCO Office 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on how to reach out and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome at the meeting, or you can email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' April 2013 '''==<br />
<ul><br />
* April 25, 2013 from 6:30 PM to 9:30 PM (EDT)<br />
* Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
</ul><br />
<br />
*Ken's Abstract<br />
<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
About the Speaker:<br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
*Jack's Abstract:<br />
<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
About the Speaker:<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way to security. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2011<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked through it, and how to protect your application.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent attack on the InfraGard website.<br />
Security as a Service model vs. internally managed security - five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=173883Long Island2014-04-29T19:27:20Z<p>HelenG: /* September Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014 @ 7:00PM<br />
* Location TIBCO Office 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on how to reach out and organize chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome at the meeting, or you can email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
</ul><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' April 2013 '''==<br />
<ul><br />
* April 25, 2013 from 6:30 PM to 9:30 PM (EDT)<br />
* Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530<br />
</ul><br />
<br />
<br />
*Ken's Abstract:<br />
<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
About the Speaker:<br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
*Jack's Abstract:<br />
<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
About the Speaker:<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will present on the topic of Top 10 Web Defenses through Secure Application Programming.<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting, we have once again organized a lab to demonstrate the OWASP Top 10 vulnerabilities. Please find the details below.''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
*Recent attack on the InfraGard website.<br />
*Security as a Service model vs. internally managed security - Five years from now, what will IT look like? <br />
*LulzSec, Anonymous, A-Team - Motivations for attacks? How do small- to medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
=='''May'''==<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
=='''March'''==<br />
*Date: Sunday, 3/27/2011 <br />
*Time: 12pm-3pm <br />
*Place: 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br />
<br />
Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After-event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=173250Long Island2014-04-22T21:52:10Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''The Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014<br />
* Location: TIBCO Office, 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on outreach and on organizing chapter activities. It is also a meet-and-greet opportunity for people who want to join the chapter board. Whether or not you are ready to join the board, you are welcome to attend the meeting or to email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.], is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
</ul><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will present on the topic of Top 10 Web Defenses through Secure Application Programming.<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting, we have once again organized a lab to demonstrate the OWASP Top 10 vulnerabilities. Please find the details below.''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent attack on the InfraGard website.<br />
Security as a Service model vs. internally managed security - five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - motivations for attacks? How do small- and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
'''About the Speaker -''' Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture. <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' <br><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After-event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=172998Long Island2014-04-18T01:28:52Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
<ul><br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
</ul><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In continuation of the previous meeting, we have once again organized a lab to demonstrate the OWASP Top 10 vulnerabilities. Please find the details below.''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
</div>HelenGhttps://wiki.owasp.org/index.php?title=Women_In_AppSec&diff=164550Women In AppSec2013-12-11T21:51:57Z<p>HelenG: /* PAST WINNERS */</p>
<hr />
<div>=WELCOME=<br />
==Women in Application Security Program==<br />
<br />
The purpose of the Women in AppSec Program is to increase the participation of women in the field of application security. The program was successfully launched in 2011 at AppSec USA, and the aim is to run the program at every OWASP Global AppSec in 2014. The Women in AppSec program is for female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development. Applicants are encouraged to submit their details to the program running in conjunction with the conference nearest to their area of residence. <br />
<br />
Regional conferences are encouraged to host the Women in AppSec program, as well. You will find detailed planning instructions here, and you can find templates used in previous years to help you get started with program organization. We encourage you to read this page in full, and reach out to Samantha Groves (Samantha.Groves@owasp.org) if you have any questions on how to successfully run the program at your event. <br />
<br />
<br />
{|<br />
|-<br />
! width="400" align="left" | <br />
! width="400" align="left" | <br />
|-<br />
| align="left" | [[Image:Owasp_summit.jpg|left|250px]] <br/><br />
| align="left" | [[Image:WIAS01.JPG|left|300px]] <br />
| align="left" | [[Image:IMG_5579.JPG|left|325px]] <br />
<br />
|}<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
==Links==<br />
*[https://www.isc2.org/PressReleaseDetails.aspx?id=11240 (ISC)²® Report Reveals Women's Perspective and Skills are Transforming the Information Security Industry October 29, 2013]. <br />
<br />
=ABOUT THE PROGRAM=<br />
==Women in AppSec==<br />
[[Image:IMG_5746.JPG|right|400x160px]]<br />
<br />
The OWASP Foundation, in recognition of value to both organizations and society, is working to support and enhance programs that increase the participation of women in the field of information and application security. The OWASP Foundation Women in AppSec Program provides merit-based funding for women to attend participating OWASP AppSec conferences. OWASP’s current program objective is to encourage female students at both the undergraduate and graduate levels, instructors, and professional working women who are dedicated to a career in information security and/or application development, to expand their skills and pursue application security. Interested applicants are encouraged to apply to the program running within their region of residence. <br />
<br />
<br />
<br />
<br />
== Past Eligibility Criteria==<br />
<br />
Below is the list of eligibility criteria used to select the winners in 2013. <br />
<br />
* Has provided 2 responsive contacts as reference, and both references are familiar with the candidate, application security, and OWASP.<br />
* Both references have provided letters of recommendation.<br />
* Has relevant/appropriate achievement goals for attending the conference.<br />
* Is from the region in which the conference is taking place.<br />
* Has background in volunteering for OWASP or similar organizations.<br />
* Has participated in one of OWASP's programs or activities.<br />
* Is either studying, wishing to study, working in AppSec, or interested in working in AppSec.<br />
* Has financial need.<br />
* Is a paid OWASP member, and/or employer/school is an OWASP sponsor.<br />
* Has an interest in exploring application security.<br />
<br />
We encourage you to create your own set of criteria that will fit the Women In AppSec program that you are planning within your region. The criteria above are meant to be a guideline of what has been used in the past. <br />
<br />
==Winners==<br />
<br />
In the past, we have typically had two winners selected for the sponsorship award; however, the number of winners depends on how much you can afford to sponsor. We recommend that you raise $3000 USD for each winner, at least. In the past, we have given each winner a free conference pass, one free training, and free travel and accommodation to attend the event. <br />
<br />
<!-- <br />
=GLOBAL CONFERENCES=<br />
==Global AppSec Conferences==<br />
<br />
[[Image:Appsec_APAC.jpg|right|x375px]] <br />
OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in software security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific. Additionally, regional events are held in locations such as Brazil, China, India, Ireland, Israel, and Washington D.C., just to name a few. The aim of the foundation is to bring the Women in AppSec Program to each of the four global conferences taking place in 2014.<br />
<br />
==AppSec APAC==<br />
<br />
The AppSec APAC global conference takes place in the Asian-Pacific region. This conference is a reunion of local software security leaders, and aims to present cutting-edge ideas to attendees. OWASP events attract a worldwide audience interested in “what’s next”, and this global conference is no different. The conference is expected to draw 200-250 technologists each year from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many more. Women from the Asia-Pacific region are encouraged to apply to the program taking place during AppSec APAC. <br />
<br />
==AppSec EU==<br />
<br />
The AppSec EU global conference takes place in the European region. Executives from Fortune 500 firms, along with technical thought leaders such as security architects and lead developers, travel to hear the cutting-edge ideas presented by the software security industry's top talent. This conference is expected to draw 400-500 attendees each year from various regions within Europe and beyond. Women from the European region are encouraged to apply to the program taking place during AppSec EU Research. <br />
<br />
==AppSec Latam==<br />
<br />
The AppSec LATAM global conference takes place in the Latin American region. AppSec LATAM is a reunion of Latin American software security leaders, providing a platform to discuss, participate in, and innovate within the software security industry. The conference is expected to draw 200-250 attendees from the Latin American region and beyond. Women in the Latin American region are encouraged to apply to the program taking place during AppSec LATAM. <br />
<br />
==AppSec USA==<br />
<br />
The AppSec USA global conference takes place in the North American region. AppSec USA is a world-class software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioners to share the latest research and practices. This conference is expected to draw over 300 attendees from within the North American region. AppSec USA is typically OWASP's biggest conference of the year, so women who live in or will be traveling from within North America are encouraged to apply to the program taking place during AppSec USA.<br />
--><br />
<br />
=PLANNING=<br />
==Pre-Conference==<br />
<br />
The majority of the planning involved in running the Women in AppSec Program occurs before the conference or regional event. Below, you will find a brief outline of the tasks your team will have to take on. <br />
<br />
====Planning & Selection Team====<br />
<br />
The first step is to select your planning and selection team. These are the individuals who will help you manage the pre-event planning process and the selection of the candidates. You will typically need a team of 5-6 people. The selection committee is then broken down into several sub-teams of one to two people, who work on sponsorship, marketing, the grading process, and the call for entries. <br />
<br />
==== Sub-Team Roles ====<br />
<br />
'''Sponsorship'''<br />
<br />
Two people should be responsible for developing the materials and seeking out sponsorships for the program. They will be in charge of creating the sponsorship packages, flyers, and seeking out sponsorship from other chapters and organizations.<br />
<br />
'''Marketing'''<br />
<br />
At least two people should be responsible for marketing the event. Their job will consist of putting together press releases, keeping the event planners updated on progress, and communicating progress to the overall community. They will also be responsible for getting the message out when the team is ready to start accepting applicants. <br />
<br />
'''Grading Process'''<br />
<br />
While everyone on the committee will be involved in grading, one person will be in charge of the grading process. They will create spreadsheets similar to those originally created for the selection committee, and make sure everyone has what they need for the grading process. This person will also be responsible for making sure the grading is completed on schedule, and that the winners are announced before the event. <br />
<br />
'''Call for Entries'''<br />
<br />
Finally, one to two people will be in charge of the call for entries. Depending on the number of entries, this might work better with two people, as it requires collecting entries, arranging them, and distributing them to the other graders. The call for entries team is responsible for making the forms, and for developing at least the first draft of the selection criteria. <br />
<br />
====Award Details====<br />
<br />
This is the fun bit. You and your team will need to decide on the details of the awards. This involves decisions such as whether the winners will be provided travel and accommodation, or free training and conference attendance. Typically, we have covered both travel and accommodation for the two winners as well as one training class. We also provided the winners with a free conference pass; however, the award you choose to sponsor depends on the funds you are able to raise, and on what your team decides is the best award package to give away based on your resources. <br />
<br />
====Budget====<br />
As mentioned above, it is up to your team to decide what you wish to award each winner. I recommend raising at least $6,000 USD per winner if you are going to cover travel and accommodation as well as a conference pass and a free training class. <br />
<br />
====Sponsorship====<br />
It is very important to start reaching out to the overall OWASP community and their corporate contacts as potential sponsorship leads. Develop a sponsorship strategy and put together a sponsorship flyer outlining the program, what you are seeking, and the benefits of sponsorship. Give incentives for sponsorship and details about the program to get potential sponsors interested. Make sure to include the successes of past Women in AppSec conference events. Once you have your materials and sponsorship packages sorted, you can get started with sponsorship-seeking activities. Below you will find the Women in AppSec 2013 sponsorship flyer we sent out to potential sponsors. <br />
<br />
[http://appsecusa.org/2013/wp-content/uploads/2013/06/women-in-appsec-sponsorship.pdf Sample of 2013 Sponsorship Flyer]<br />
<br />
====Application Process====<br />
You will need to start developing the application process while the sponsorship activities are going on. Make sure to develop the application timeline with deadlines for each stage. Deadlines are critically important, and there has to be a cut-off point. Create a deadline for when submissions should be in, for when letters of recommendation should be received, the timeline for the grading process, the date the top 5 will be selected, and the date the final winners will be selected and announced. You will also need to develop a set of selection criteria against which the team will grade all of the applicants. Be specific about the criteria you are looking for in candidates. Note especially that only women in the region where the conference is being held can be submitted for consideration. After you have all of these details sorted out, you will need to start the Call for Entries. Make sure to create an online form where applicants can submit their details to the team. <br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1iZDNogemeAoHBnrfn2dVe212Bct4ZJiXeVNj3j5JsWg/edit Sample Selection Criteria]<br />
<br />
====Selection Process====<br />
<br />
The selection of the winners can be a very lengthy process, especially if you have received more than 30 applicants. In the past, the grading has been split among the program team members. Each member is randomly allocated a handful of applicants, which they grade using the pre-determined selection criteria. Once the grading is complete, you can make the final selection of candidates and announce the winners as a team. <br />
<br />
After the winners have been selected and announced, the team will need to help the winners arrange travel, accommodations, and event logistics. Upon their arrival at the conference center, ensure they are taken care of by an OWASP volunteer, someone who will get them settled and make sure they make it to panels and trainings without issue. The bigger the conference, the more important it is to make sure the winners are not lost in the crowd. <br />
<br />
==Post-Conference==<br />
<br />
After the conference, it is very important to gather feedback from the winners to make sure they enjoyed the experience. Ask the winners for a brief description about their experience, with a picture attached for the website. Then write up a review and lessons learned page to document the experience with the program. Make sure to include what can be improved upon in the future. <br />
<br />
=ON THE DAY=<br />
==Training Days==<br />
Prior to the conference, the winners will arrive during the training workshops. Upon their arrival an OWASP volunteer will be around to greet them and take them to the trainings. This is to ensure that the winners are taken care of, and that they feel welcome and comfortable. The two training days prior to the conference should give the winners a chance to get to know local chapter volunteers and early attendees. Winners are encouraged to attend trainings that interest them and to mingle with fellow trainees. If there is a welcome event, winners should be encouraged to attend as well.<br />
<br />
==Conference Days==<br />
During the two days of the conference, an OWASP volunteer will be available to show the winners around, introduce them to staff members, and get them acquainted with conference goers. The volunteer will also be responsible for getting the winners to the Women in AppSec scheduled activities, if any are planned. The volunteers should be available if the winners have any questions or need help with anything. It is important that the winners get the full OWASP AppSec experience. This includes attending sessions of interest and encouraging winners to participate in the various activities provided at the Global AppSec conferences. <br />
<br />
=PAST WINNERS=<br />
==Previous Women in AppSec Winners==<br />
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words. <br />
<br />
==Carrie Schaper, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]<br />
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and internationally who were in attendance. The huge space and well organized functions such as the trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."<br />
|}<br />
<br><br />
<br />
==Nancy Lorntson, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]<br />
| align="justify" |Nancy Lorntson is the Security Program Manager at Infinite Campus, the largest American-owned Student Information System, managing 6 million students in 43 states. Previously, Nancy was a school district Information Services Manager and part-time trainer for Guidance Software. In her current role, Nancy is responsible for all things security at Infinite Campus, working between the application development organization and the support, network, business operations, and hosting teams to implement, grow and improve a world class security program.<br />
|}<br />
<br><br />
<br />
==Tara Wilson, 2011 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Tara wilson.jpg|100px]]<br />
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorship is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.” <br />
|}<br />
<br><br />
<br />
==Chandni Bhowmik, 2011 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:|100px]]<br />
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT, and her interest in OWASP has grown ever since. Over the summer, she started programming open source web applications using the built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and overall concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester-based payroll processing company, and gained industrial experience working as an assistant systems engineer for Tata Consultancy Services, a global IT firm. <br />
|}<br />
<br><br />
<br />
=CONTACT=<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
<br />
<headertabs /></div>HelenGhttps://wiki.owasp.org/index.php?title=Women_In_AppSec&diff=164547Women In AppSec2013-12-11T21:10:30Z<p>HelenG: /* PAST WINNERS */</p>
<hr />
<div>=WELCOME=<br />
==Women in Application Security Program==<br />
<br />
The purpose of the Women in AppSec Program is to increase the participation of women in the field of application security. The program was successfully launched in 2011 at AppSec USA, and the aim is to run the program at every OWASP Global AppSec in 2014. The Women in AppSec program is for female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development. Applicants are encouraged to submit their details to the program running in conjunction with the conference nearest to their area of residence. <br />
<br />
Regional conferences are encouraged to host the Women in AppSec program, as well. You will find detailed planning instructions here, and you can find templates used in previous years to help you get started with program organization. We encourage you to read this page in full, and reach out to Samantha Groves (Samantha.Groves@owasp.org) if you have any questions on how to successfully run the program at your event. <br />
<br />
<br />
{|<br />
|-<br />
! width="400" align="left" | <br />
! width="400" align="left" | <br />
|-<br />
| align="left" | [[Image:Owasp_summit.jpg|left|250px]] <br/><br />
| align="left" | [[Image:WIAS01.JPG|left|300px]] <br />
| align="left" | [[Image:IMG_5579.JPG|left|325px]] <br />
<br />
|}<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
==Links==<br />
*[https://www.isc2.org/PressReleaseDetails.aspx?id=11240 (ISC)²® Report Reveals Women's Perspective and Skills are Transforming the Information Security Industry October 29, 2013]. <br />
<br />
=ABOUT THE PROGRAM=<br />
==Women in AppSec==<br />
[[Image:IMG_5746.JPG|right|400x160px]]<br />
<br />
The OWASP Foundation, in recognition of value to both organizations and society, is working to support and enhance programs that increase the participation of women in the field of information and application security. The OWASP Foundation Women in AppSec Program provides merit-based funding for women to attend participating OWASP AppSec conferences. OWASP’s current program objective is to encourage female students at both the undergraduate and graduate levels, instructors, and professional working women who are dedicated to a career in information security and/or application development, to expand their skills and pursue application security. Interested applicants are encouraged to apply to the program running within their region of residence. <br />
<br />
<br />
<br />
<br />
== Past Eligibility Criteria==<br />
<br />
Below is the list of eligibility criteria used to select the winners in 2013. <br />
<br />
* Has provided 2 responsive contacts as reference, and both references are familiar with the candidate, application security, and OWASP.<br />
* Both references have provided letters of recommendation.<br />
* Has relevant/appropriate achievement goals for attending the conference.<br />
* Is the applicant from the region that the conference is taking place in.<br />
* Has background in volunteering for OWASP or similar organizations.<br />
* Has participated in one of OWASP's programs or activities?<br />
* Is either studying, wishing to study, working in AppSec, or interested in working in AppSec.<br />
* Has financial need.<br />
* Is a paid OWASP member, and/or employer/school is an OWASP sponsor.<br />
* Has an interest in exploring application security<br />
<br />
We encourage you to create your own set of criteria that will fit the Women In AppSec that you are planning within your region. The criteria above is meant to be a guideline of what has been used in the past. <br />
<br />
==Winners==<br />
<br />
In the past, we have typically had two winners selected for the sponsorship award; however, the number of winners depends on how much you can afford to sponsor. We recommend that you raise $3000 USD for each winner, at least. In the past, we have given each winner a free conference pass, one free training, and free travel and accommodation to attend the event. <br />
<br />
<!-- <br />
=GLOBAL CONFERENCES=<br />
==Global AppSec Conferences==<br />
<br />
[[Image:Appsec_APAC.jpg|right|x375px]] <br />
OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in software security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific. Additionally, regional events are held in locations such as Brazil, China, India, Ireland, Israel, and Washington D.C just to name a few. The aim of the foundation is to bring the Women in AppSec Program to each of the four global conference taking place in 2014.<br />
<br />
==AppSec APAC==<br />
<br />
The AppSec APAC global conference takes place in the Asian-Pacific region. This conference is a reunion of local software security leaders, and aims to present cutting-edge ideas to attendees. OWASP events attract a worldwide audience interested in “what’s next”, and this global conference is no different. The conference is expected to draw 200-250 technologists each year from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many more. Women from the Asia-Pacific region are encouraged to apply to the program taking place during AppSec APAC. <br />
<br />
==AppSec EU==<br />
<br />
The AppSec EU global conference take place in the European region. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers, travel to hear the cutting-edge ideas presented by the software security industry's top talent. This conference is expected to draw 400-500 attendees each year from various regions within the Europe and beyond. Women from the European region are encouraged to apply to the program taking place during AppSec EU Research <br />
<br />
==AppSec Latam==<br />
<br />
The AppSec LATAM global conference takes place in the Latin American region. AppSec LATAM is a reunion of Latin American, software security leaders, providing a platform to discuss, participate in, and innovate within the software security industry. The conference is expected to draw 200-250 attendees from the Latin American region and beyond. Women in the Latin American region are encouraged to apply to the program taking place during AppSec LATAM. <br />
<br />
==AppSec USA==<br />
<br />
The AppSec USA global conference takes place in the North American region. AppSec USA is a world-class software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioner, to share the latest research and practices. This conference is expected to draw over 300 attendees within the North American region. AppSec USA is typically OWASP's biggest conference of the year so women are encouraged to apply to the program taking place during AppSec USA if they live or will be traveling from within North America.<br />
--><br />
<br />
=PLANNING=<br />
==Pre-Conference==<br />
<br />
The majority of the planning involved in running the Women in AppSec Program occurs before the conference or regional event. Below, you will find a brief outline of the tasks your team will have to take on. <br />
<br />
====Planning & Selection Team====<br />
<br />
The first step you will need to take care of is the selection of your planning and selection team. These are the individuals that will be helping you manage the pre-event planning process and the selection of the candidates. You will typically need a team of 5-6 people. The selection committee will then be broken down into several sub-teams of one to two people who will then work on sponsorship, marketing, the grading process, and the call for entries. <br />
<br />
==== Sub-Team Roles ====<br />
<br />
'''Sponsorship'''<br />
<br />
Two people should be responsible for developing the materials and seeking out sponsorships for the program. They will be in charge of creating the sponsorship packages, flyers, and seeking out sponsorship from other chapters and organizations.<br />
<br />
'''Marketing'''<br />
<br />
At least two people should be responsible for marketing the event. Their job will consist of putting together press releases, keeping the event planners updated on progress, and <br />
communicating progress to the overall community. They will also be responsible for getting the message out when the team is ready to start accepting applicants. <br />
<br />
'''Grading Proces'''<br />
<br />
While everyone on the committee will be involved in grading, one person will be in charge of the grading process. They will create spreadsheets similar to those originally created for the selection committee, and for making sure everyone has what they need for the grading process. This team will also be responsible for making sure the grading is complete on schedule, and that the announcement of the winners is made before the event. <br />
<br />
'''Call for Entries'''<br />
<br />
Finally, one to two people will be in charge of the call for entries. Depending on the amount of entries, this might work better with two people as it requires collecting entries, arranging them, and sorting them out to the other graders. The call for entries team is responsible for making the forms, and for developing at least the first draft of the selection criteria. <br />
<br />
====Award Details====<br />
<br />
This is the fun bit. You and your team will need to decide on the details of the awards. This involves making decisions such as if the winners will be provided travel and accommodation, or free training and conference attendance. Typically, we have covered both travel and accommodation for the two winners as well as one training class. We also provided the winners with a free conference pass; however, the award you choose to sponsor depends on the funds you are able to raise. It is also dependent on what your team decides is the best award package to give away based on your resources. <br />
<br />
====Budget====<br />
As mentioned above, it is up to your team to decide what it is you wish to award each winner. I recommend raising at least $6,000 USD to cover the expenses for each winner if you are going to cover travel and accommodation as well as conference passes and a free training class. <br />
<br />
====Sponsorship====<br />
It is very important to start reaching out to the overall OWASP community and their corporate contacts as potential sponsorship leads. Develop a Sponsorship Strategy and put together a sponsorship flyer outlining the program, what you are seeking, and the benefits of sponsorship. Give incentive for sponsorship and details about the program to get potential sponsors interested. Make sure to include the successes of past Women in AppSec conference events. Once you have your materials and sponsorship packages sorted, you can get started with sponsorship seeking activities. Below you will find an example of the Women in AppSec 2013 sponsorship flyer we sent out to potential sponsors. <br />
<br />
[http://appsecusa.org/2013/wp-content/uploads/2013/06/women-in-appsec-sponsorship.pdf Sample of 2013 Sponsorship Flyer]<br />
<br />
====Application Process====<br />
You will need to start developing the application process while the sponsorship activities are going on. Make sure to develop the application timeline with deadlines for each stage. Deadlines are critically important, and there has to be a cut off point. Create a deadline for when submissions should be in, for when letters of recommendation should be received, the timeline for the grading process, the date the top 5 will be selected, and the date the final winners will be selected and announced. You will also need to develop a set of selection criteria that the team will use to grade all of the applicants against. Be specific on the criteria you are looking for in candidates. Especially note that only women in the region that the conference is being held can submitted for consideration. After you have all of these details sorted out, you will need to start the Call for Entries. Make sure create an online form where applicants can submit their details to the team. <br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1iZDNogemeAoHBnrfn2dVe212Bct4ZJiXeVNj3j5JsWg/edit Sample Selection Criteria]<br />
<br />
====Selection Process====<br />
<br />
The selection of the winners can be a very lengthy process especially if you have received more than 30 applicants. In the past, the grading has been split between each program team member. Each member will be randomly allocated a handful of applicants which they will grade using the pre-determined selection criteria. Once the grading is complete, you can make the final selection on candidates and announce the winners as a team. <br />
<br />
After the winners have been selected and announced, the team will need to help the winners arrange travel, accommodations, and event logistics. Upon their arrival at the conference center, insure they are taken care of by an OWASP volunteer, someone who will get them settled and that they make it to panels and trainings without issue. The bigger the conference, the more important it is to make sure the winners are not lost in the crowd. <br />
<br />
==Post-Conference==<br />
<br />
After the conference, it is very important to gather feedback from the winners to make sure they enjoyed the experience. Ask the winners for a brief description about their experience, with a picture attached for the website. Then write up a review and lessons learned page to document the experience with the program. Make sure to include what can be improved upon in the future. <br />
<br />
=ON THE DAY=<br />
==Training Days==<br />
Prior to the conference, the winners will arrive during the training workshops. Upon their arrival an OWASP volunteer will be around to greet them and take them to the trainings. This is to ensure that the winners are taken care of, and that they feel welcome and comfortable. The two training days prior to the conference should give the winners a chance to get to know local chapter volunteers and early attendees. Winners are encouraged to attend trainings that interest them and to mingle with fellow trainees. If there is a welcome event, winners should be encouraged to attend as well.<br />
<br />
==Conference Days==<br />
During the two days of the conference an OWASP volunteer will be available to show the winners around, introduce them to staff members, and get them acquainted with conference goers. The volunteer will also be responsible for getting the winners to the Women in AppSec scheduled activities, if any are planned. The volunteers should be made available if the winners have any questions or need help with anything. It is important that the winners get the full OWASP AppSec experience. This includes attending sessions of interests and encouraging winners to participate in the various activities provided at the Global AppSecs. <br />
<br />
=PAST WINNERS=<br />
==Previous Women in AppSec Winners==<br />
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words. <br />
<br />
==Carrie Schaper, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]<br />
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."<br />
|}<br />
<br><br />
<br />
==Nancy Lornston, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]<br />
| align="justify" |Nancy Lorntson is the Security Program Manager at Infinite Campus, the largest American-owned Student Information System, managing 6 million students in 43 states. Previously, Nancy was a school district Information Services Manager and part-time trainer for Guidance Software. In her current role, Nancy is responsible for all things security at Infinite Campus, working between the application development organization and the support, network, business operations, and hosting teams to implement, grow and improve a world class security program.<br />
|}<br />
<br><br />
<br />
==Tara Wilson, 2011 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Tara wilson.jpg|100px]]<br />
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.” <br />
|}<br />
<br />
==Chandni Bhowmik, 2011 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:|100px]]<br />
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT, and her interest in OWASP has grown ever since. Over the summer, she started programming open source web applications using the built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and overall concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working as an assistant systems engineer for Tata Consultancy Services, a global IT firm. <br />
|}<br />
<br><br />
<br />
=CONTACT=<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
<br />
<headertabs /></div>HelenGhttps://wiki.owasp.org/index.php?title=Women_In_AppSec&diff=164519Women In AppSec2013-12-11T00:11:40Z<p>HelenG: </p>
<hr />
<div>=WELCOME=<br />
==Women in Application Security Program==<br />
<br />
The purpose of the Women in AppSec Program is to increase the participation of women in the field of application security. The program was successfully launched in 2011 at AppSec USA, and the aim is to run the program at every OWASP Global AppSec in 2014. The Women in AppSec program is for female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development. Applicants are encouraged to submit their details to the program running in conjunction with the conference nearest to their area of residence. <br />
<br />
Regional conferences are encouraged to host the Women in AppSec program, as well. You will find detailed planning instructions here, and you can find templates used in previous years to help you get started with program organization. We encourage you to read this page in full, and reach out to Samantha Groves (Samantha.Groves@owasp.org) if you have any questions on how to successfully run the program at your event. <br />
<br />
<br />
{|<br />
|-<br />
! width="400" align="left" | <br />
! width="400" align="left" | <br />
|-<br />
| align="left" | [[Image:Owasp_summit.jpg|left|250px]] <br/><br />
| align="left" | [[Image:WIAS01.JPG|left|300px]] <br />
| align="left" | [[Image:IMG_5579.JPG|left|325px]] <br />
<br />
|}<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
==Links==<br />
*[https://www.isc2.org/PressReleaseDetails.aspx?id=11240 (ISC)²® Report Reveals Women's Perspective and Skills are Transforming the Information Security Industry October 29, 2013]. <br />
<br />
=ABOUT THE PROGRAM=<br />
==Women in AppSec==<br />
[[Image:IMG_5746.JPG|right|400x160px]]<br />
<br />
The OWASP Foundation, in recognition of value to both organizations and society, is working to support and enhance programs that increase the participation of women in the field of information and application security. The OWASP Foundation Women in AppSec Program provides merit-based funding for women to attend participating OWASP AppSec conferences. OWASP’s current program objective is to encourage female students at both the undergraduate and graduate levels, instructors, and professional working women who are dedicated to a career in information security and/or application development, to expand their skills and pursue application security. Interested applicants are encouraged to apply to the program running within their region of residence. <br />
<br />
<br />
<br />
<br />
== Past Eligibility Criteria==<br />
<br />
Below is the list of eligibility criteria used to select the winners in 2013. <br />
<br />
* Has provided 2 responsive contacts as references, and both references are familiar with the candidate, application security, and OWASP.<br />
* Both references have provided letters of recommendation.<br />
* Has relevant/appropriate achievement goals for attending the conference.<br />
* Is from the region in which the conference is taking place.<br />
* Has a background in volunteering for OWASP or similar organizations.<br />
* Has participated in one of OWASP's programs or activities.<br />
* Is either studying, wishing to study, working in AppSec, or interested in working in AppSec.<br />
* Has financial need.<br />
* Is a paid OWASP member, and/or employer/school is an OWASP sponsor.<br />
* Has an interest in exploring application security.<br />
<br />
We encourage you to create your own set of criteria that will fit the Women in AppSec program that you are planning within your region. The criteria above are meant as a guideline of what has been used in the past. <br />
<br />
==Winners==<br />
<br />
In the past, we have typically had two winners selected for the sponsorship award; however, the number of winners depends on how much you can afford to sponsor. We recommend that you raise at least $3000 USD for each winner. In the past, we have given each winner a free conference pass, one free training, and free travel and accommodation to attend the event. <br />
<br />
<!-- <br />
=GLOBAL CONFERENCES=<br />
==Global AppSec Conferences==<br />
<br />
[[Image:Appsec_APAC.jpg|right|x375px]] <br />
OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in software security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific. Additionally, regional events are held in locations such as Brazil, China, India, Ireland, Israel, and Washington D.C., just to name a few. The aim of the foundation is to bring the Women in AppSec Program to each of the four global conferences taking place in 2014.<br />
<br />
==AppSec APAC==<br />
<br />
The AppSec APAC global conference takes place in the Asian-Pacific region. This conference is a reunion of local software security leaders, and aims to present cutting-edge ideas to attendees. OWASP events attract a worldwide audience interested in “what’s next”, and this global conference is no different. The conference is expected to draw 200-250 technologists each year from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many more. Women from the Asia-Pacific region are encouraged to apply to the program taking place during AppSec APAC. <br />
<br />
==AppSec EU==<br />
<br />
The AppSec EU global conference takes place in the European region. Executives from Fortune 500 firms, along with technical thought leaders such as security architects and lead developers, travel to hear the cutting-edge ideas presented by the software security industry's top talent. This conference is expected to draw 400-500 attendees each year from various regions within Europe and beyond. Women from the European region are encouraged to apply to the program taking place during AppSec EU Research. <br />
<br />
==AppSec Latam==<br />
<br />
The AppSec LATAM global conference takes place in the Latin American region. AppSec LATAM is a reunion of Latin American software security leaders, providing a platform to discuss, participate in, and innovate within the software security industry. The conference is expected to draw 200-250 attendees from the Latin American region and beyond. Women in the Latin American region are encouraged to apply to the program taking place during AppSec LATAM. <br />
<br />
==AppSec USA==<br />
<br />
The AppSec USA global conference takes place in the North American region. AppSec USA is a world-class software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioners to share the latest research and practices. This conference is expected to draw over 300 attendees from within the North American region. AppSec USA is typically OWASP's biggest conference of the year, so women are encouraged to apply to the program taking place during AppSec USA if they live in or will be traveling from within North America.<br />
--><br />
<br />
=PLANNING=<br />
==Pre-Conference==<br />
<br />
The majority of the planning involved in running the Women in AppSec Program occurs before the conference or regional event. Below, you will find a brief outline of the tasks your team will have to take on. <br />
<br />
====Planning & Selection Team====<br />
<br />
The first step you will need to take care of is the selection of your planning and selection team. These are the individuals that will be helping you manage the pre-event planning process and the selection of the candidates. You will typically need a team of 5-6 people. The selection committee will then be broken down into several sub-teams of one to two people who will then work on sponsorship, marketing, the grading process, and the call for entries. <br />
<br />
==== Sub-Team Roles ====<br />
<br />
'''Sponsorship'''<br />
<br />
Two people should be responsible for developing the materials and seeking out sponsorships for the program. They will be in charge of creating the sponsorship packages, flyers, and seeking out sponsorship from other chapters and organizations.<br />
<br />
'''Marketing'''<br />
<br />
At least two people should be responsible for marketing the event. Their job will consist of putting together press releases, keeping the event planners updated on progress, and <br />
communicating progress to the overall community. They will also be responsible for getting the message out when the team is ready to start accepting applicants. <br />
<br />
'''Grading Process'''<br />
<br />
While everyone on the committee will be involved in grading, one person will be in charge of the grading process. They will create spreadsheets similar to those originally created for the selection committee, and will make sure everyone has what they need for the grading process. This team will also be responsible for making sure the grading is complete on schedule, and that the announcement of the winners is made before the event. <br />
<br />
'''Call for Entries'''<br />
<br />
Finally, one to two people will be in charge of the call for entries. Depending on the number of entries, this might work better with two people, as it requires collecting entries, arranging them, and distributing them to the other graders. The call for entries team is responsible for making the forms, and for developing at least the first draft of the selection criteria. <br />
<br />
====Award Details====<br />
<br />
This is the fun bit. You and your team will need to decide on the details of the awards. This involves making decisions such as whether the winners will be provided travel and accommodation, or free training and conference attendance. Typically, we have covered both travel and accommodation for the two winners as well as one training class. We also provided the winners with a free conference pass; however, the award you choose to sponsor depends on the funds you are able to raise. It is also dependent on what your team decides is the best award package to give away based on your resources. <br />
<br />
====Budget====<br />
As mentioned above, it is up to your team to decide what it is you wish to award each winner. I recommend raising at least $6,000 USD to cover the expenses for each winner if you are going to cover travel and accommodation as well as conference passes and a free training class. <br />
<br />
====Sponsorship====<br />
It is very important to start reaching out to the overall OWASP community and their corporate contacts as potential sponsorship leads. Develop a Sponsorship Strategy and put together a sponsorship flyer outlining the program, what you are seeking, and the benefits of sponsorship. Give incentive for sponsorship and details about the program to get potential sponsors interested. Make sure to include the successes of past Women in AppSec conference events. Once you have your materials and sponsorship packages sorted, you can get started with sponsorship seeking activities. Below you will find an example of the Women in AppSec 2013 sponsorship flyer we sent out to potential sponsors. <br />
<br />
[http://appsecusa.org/2013/wp-content/uploads/2013/06/women-in-appsec-sponsorship.pdf Sample of 2013 Sponsorship Flyer]<br />
<br />
====Application Process====<br />
You will need to start developing the application process while the sponsorship activities are going on. Make sure to develop the application timeline with deadlines for each stage. Deadlines are critically important, and there has to be a cut-off point. Create a deadline for when submissions should be in, for when letters of recommendation should be received, the timeline for the grading process, the date the top 5 will be selected, and the date the final winners will be selected and announced. You will also need to develop a set of selection criteria that the team will use to grade all of the applicants. Be specific about the criteria you are looking for in candidates. Especially note that only women in the region where the conference is being held can be submitted for consideration. After you have all of these details sorted out, you will need to start the Call for Entries. Make sure to create an online form where applicants can submit their details to the team. <br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1iZDNogemeAoHBnrfn2dVe212Bct4ZJiXeVNj3j5JsWg/edit Sample Selection Criteria]<br />
<br />
====Selection Process====<br />
<br />
The selection of the winners can be a very lengthy process, especially if you have received more than 30 applicants. In the past, the grading has been split between the program team members. Each member is randomly allocated a handful of applicants, whom they grade using the pre-determined selection criteria. Once the grading is complete, you can make the final selection of candidates and announce the winners as a team. <br />
<br />
After the winners have been selected and announced, the team will need to help the winners arrange travel, accommodations, and event logistics. Upon their arrival at the conference center, ensure they are taken care of by an OWASP volunteer, someone who will get them settled and make sure they make it to panels and trainings without issue. The bigger the conference, the more important it is to make sure the winners are not lost in the crowd. <br />
<br />
==Post-Conference==<br />
<br />
After the conference, it is very important to gather feedback from the winners to make sure they enjoyed the experience. Ask the winners for a brief description about their experience, with a picture attached for the website. Then write up a review and lessons learned page to document the experience with the program. Make sure to include what can be improved upon in the future. <br />
<br />
=ON THE DAY=<br />
==Training Days==<br />
Prior to the conference, the winners will arrive during the training workshops. Upon their arrival an OWASP volunteer will be around to greet them and take them to the trainings. This is to ensure that the winners are taken care of, and that they feel welcome and comfortable. The two training days prior to the conference should give the winners a chance to get to know local chapter volunteers and early attendees. Winners are encouraged to attend trainings that interest them and to mingle with fellow trainees. If there is a welcome event, winners should be encouraged to attend as well.<br />
<br />
==Conference Days==<br />
During the two days of the conference an OWASP volunteer will be available to show the winners around, introduce them to staff members, and get them acquainted with conference goers. The volunteer will also be responsible for getting the winners to the Women in AppSec scheduled activities, if any are planned. The volunteers should be made available if the winners have any questions or need help with anything. It is important that the winners get the full OWASP AppSec experience. This includes attending sessions of interest and encouraging winners to participate in the various activities provided at the Global AppSecs. <br />
<br />
=PAST WINNERS=<br />
==Previous Women in AppSec Winners==<br />
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words. <br />
<br />
==Carrie Schaper, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]<br />
| align="justify" |Carrie Schaper is an Information Security Professional with over 12 years of industry experience, ranging from penetration testing of Fortune 500 companies, banking infrastructure, and government to incident response and continuous monitoring. She has performed threat mitigation against targeted attacks from domestic and foreign adversaries in both corporate and government environments.<br />
|}<br />
<br><br />
<br />
==Nancy Lorntson, 2013 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]<br />
| align="justify" |Nancy Lorntson is the Security Program Manager at Infinite Campus, the largest American-owned Student Information System, managing 6 million students in 43 states. Previously, Nancy was a school district Information Services Manager and part-time trainer for Guidance Software. In her current role, Nancy is responsible for all things security at Infinite Campus, working between the application development organization and the support, network, business operations, and hosting teams to implement, grow and improve a world class security program.<br />
|}<br />
<br><br />
<br />
==Tara Wilson, 2011 Winner==<br />
{| style="background-color: transparent"<br />
|-<br />
! width="200" align="center" | <br> <br />
! width="1000" align="center" | <br><br />
|-<br />
| align="center" | [[Image:Tara wilson.jpg|100px]]<br />
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorship is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.” <br />
|}<br />
<br><br />
<br />
=CONTACT=<br />
<br />
==Contact Us==<br />
<br />
If you are interested in another piece of OWASP design for your event or project, please let us know by using the [http://owasp4.owasp.org/contactus.html OWASP Contact Us form]. <br />
<br />
<br />
<headertabs /></div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=156118Long Island2013-07-27T11:21:49Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
* Date: 04/25/2013<br />
* Time: 6:30pm - 9:30 pm<br />
* Location: '''TIBCO Offices''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
RSVP Requested [http://owaspli_april2013.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
[http://www.tibco.com/ TIBCO Software Inc.] is the sponsor of this meeting.<br />
<br />
<br />
'''Ken Johnson'''<br/><br/><br />
Abstract:<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails and the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
<br />
'''Jack Mannino'''<br/><br/><br />
Abstract:<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
<br />
<br />
<br />
'''About the Speakers''' - <br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
<br />
<br />
* Agenda: Jim Manico will present on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''
<br />
Topics:
* Overview of BackTrack
* Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)
* Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br>
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br>
Topics -
* Recent attack on the InfraGard website.
* Security as a Service model vs. internally managed security - five years from now, what will IT look like?
* LulzSec, Anonymous, A-Team - motivations for attacks? How do small- to medium-sized businesses protect themselves from this? Insurance, increased IT budgets?
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
=='''May'''==
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br>
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
'''About the Speaker -''' Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br>
<br />
<br />
<br />
<br />
=='''March'''==
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. 
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. 
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=156117Long Island2013-07-27T11:21:26Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
* Date: 04/25/2013
* Time: 6:30pm - 9:30pm
* Location: '''TIBCO Offices''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
RSVP Requested [http://owaspli_april2013.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
[http://www.tibco.com/ TIBCO Software Inc.] is the sponsor of this meeting.<br />
<br />
<br />
'''Ken Johnson'''<br/><br/><br />
Abstract:<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.
<br />
<br />
'''Jack Mannino'''<br/><br/><br />
Abstract:<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
<br />
<br />
<br />
'''About the Speakers''' - <br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
'''Session Recording:''' http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/>
<br />
* Date: Monday, September 24, 2012
* Time: 6:30pm - 9:00pm
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi 
<br />
<br />
* Agenda: Jim Manico will present on the topic of Top 10 Web Defenses through Secure Application Programming.
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=156116Long Island2013-07-27T11:19:57Z<p>HelenG: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ Long Island chapter is a proud sponsor of Women in AppSec 2013] <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
* Date: 04/25/2013
* Time: 6:30pm - 9:30pm
* Location: '''TIBCO Offices''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
RSVP Requested [http://owaspli_april2013.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
[http://www.tibco.com/ TIBCO Software Inc.] is the sponsor of this meeting.<br />
<br />
<br />
'''Ken Johnson'''<br/><br/><br />
Abstract:<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
<br />
'''Jack Mannino'''<br/><br/><br />
Abstract:<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
<br />
<br />
<br />
'''About the Speakers''' - <br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming.<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
**Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
**Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security - Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface Increases Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=155506User:Helen Gao2013-07-15T22:46:09Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. Her specialties include software architecture, project management and application development. Her experience spans a financial institution, a market research company, a high-tech device manufacturer and a software vendor. <br />
<br />
Helen is currently a senior architect at TIBCO Software Inc. Her job duties include designing and developing complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a branch of Huaxia Chinese School. <br />
<br />
Helen's contribution to OWASP includes the following: <br />
<br />
#Volunteer of the Women in Security program of AppSec USA 2013.<br />
#Volunteer of the Academic Outreach program of AppSec USA 2013.<br />
#Founder and leader of the Long Island Chapter - Founded the chapter in 2006. Organizes at least 4 chapter meetings annually.<br> <br />
#Global Membership Committee Chair from 2011 to 2012 - Revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#AppSec China 2010, 2011 Overseas Chair<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor from 2010 to 2012. <br />
#Global Chapter Committee Contributor - Helped revise the new chapter handbook in 2011. Participated in OWASP leaders workshops. <br />
#OWASP Governance Task Force - Helped revise the OWASP by-laws in 2011. <br />
#OWASP Newsletter - Contributed and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation.<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helen_Gao&diff=150470User:Helen Gao2013-04-25T16:24:59Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. She has been an application developer, a project manager, and a software architect. Her employers have included a financial institution, a market research company, a high-tech device manufacturer and a software company. <br />
<br />
Helen is currently a senior architect at TIBCO Software Inc. Her job duties include designing and developing complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
[https://www.owasp.org/index.php/WASPY_Awards Helen is the OWASP Security Person of the Year of 2012]<br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a branch of Huaxia Chinese School. <br />
<br />
Helen's contribution to OWASP includes the following: <br />
<br />
#Global Membership Committee Chair - In 2011, revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#Founder and leader of the Long Island Chapter - The chapter has been active since 2006. Organized at least 4 chapter meetings in 2011.<br> <br />
#AppSec China 2010, 2011 Overseas Chair - Organized 2 conferences in China in each of the past 2 years<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor - Participated in committee meetings since 2010. <br />
#Global Chapter Committee Contributor - Participated in OWASP leader workshops. Revised the new chapter handbook in 2011. <br />
#OWASP Governance Task Force - Revised the OWASP by-laws in 2011. <br />
#OWASP Newsletter - Contributed and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation.<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=149861Long Island2013-04-15T14:04:31Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
<ul><br />
<li><strong>04/25/2013</strong></li><br />
* Time: 6:30pm - 9:30pm<br />
* Location: '''TIBCO Offices''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
RSVP Requested [http://owaspli_april2013.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
[http://www.tibco.com/ TIBCO Software Inc.] is the sponsor of this meeting.<br />
<br />
<br />
'''Ken Johnson'''<br/><br/><br />
Abstract:<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
<br />
'''Jack Mannino'''<br/><br/><br />
Abstract:<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
<br />
<br />
<br />
'''About the Speakers''' - <br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming.<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting, we have once again organized a lab to demonstrate the OWASP Top 10 vulnerabilities. Please find the details below.''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
*Overview of BackTrack<br />
*Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
*Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
*Recent attack on the InfraGard website.<br />
*Security as a Service model vs. internally managed security - five years from now, what will IT look like? <br />
*LulzSec, Anonymous, A-Team - motivations for attacks? How do small- and medium-size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
=='''May'''==<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface to Increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
'''About the speaker -''' Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition, and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture. <br><br />
<br />
<br />
<br />
<br />
=='''March'''==<br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the groundwork to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real-world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' <br><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After-event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risks presentation at AppSec DC, April 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenG https://wiki.owasp.org/index.php?title=Long_Island&diff=149860 Long Island 2013-04-15T14:02:23Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
* Date: 04/25/2013<br />
* Time: 6:30pm - 9:30pm<br />
* Location: '''TIBCO Offices''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
RSVP Requested [http://owaspli_april2013.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
'''TIBCO Software Inc.''' is the sponsor of this meeting.<br />
<br />
<br />
'''Ken Johnson'''<br/><br/><br />
Abstract:<br />
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.<br />
<br />
<br />
'''Jack Mannino'''<br/><br/><br />
Abstract:<br />
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.<br />
<br />
<br />
<br />
<br />
'''About the Speakers''' - <br />
<br />
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.<br />
<br />
<br />
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Long_Island&diff=136703Long Island2012-09-27T20:53:31Z<p>HelenG: /* Next Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''A Message From The Chapter''' ==<br />
<br />
Important update:<br/><br />
'''September 24th, Chapter Meeting Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
'''The September 25 meeting has been moved to September 24''' <br/><br/><br />
Important :: Due to scheduling conflicts, the chapter leaders have decided to move the September meeting date to Monday, September 24th. Please modify your registration accordingly or register using the link below. <br/><br />
<br />
OWASP LI greatly apologizes for any inconvenience this may cause and looks forward to seeing you at the meeting. <br />
<br />
<br />
== '''Next Meetings''' ==<br />
In order to accommodate a larger group for the Monday, September 24th meeting, the room has changed. Please see the meeting details below.<br/><br />
<br />
For those who cannot make the trip or are unable to get a registration slot, Adelphi University will graciously provide a live feed. You can connect to the feed one hour prior to the meeting. Please sign in as a guest; an option for this will be provided on the login form prior to the meeting.<br />
<br/><ul><li><br />
<strong>[https://adelphi.adobeconnect.com/_a839711231/owasp The URL for this live feed can be found here].</strong><br />
</li></ul><br />
<br/><br />
<br />
<ul><br />
<li><strong>9/24/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
*Agenda: Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses. We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<ul><br />
<li><strong>December 13, 2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting, we have once again organized a lab to demonstrate the OWASP Top 10 vulnerabilities. Please find the details below.''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
**Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)<br />
**Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application vulnerabilities: how an application can be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
*Recent attack on the InfraGard website.<br />
*Security as a Service model vs. internally managed security - five years from now, what will IT look like? <br />
*LulzSec, Anonymous, A-Team - motivations for attacks? How do small and medium-sized businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
[[Category:New York]]</div>HelenGhttps://wiki.owasp.org/index.php?title=Membership&diff=131840Membership2012-06-25T13:43:02Z<p>HelenG: /* Membership Categories */</p>
<hr />
<div><br />
== [[Global Membership Committee]] ==<br />
<br />
'''[https://www.owasp.org/images/8/83/Membership_listing.pdf Membership Flyer]'''<br />
<br />
'''[https://www.owasp.org/index.php/Membership_Map Click here to renew or become a Member.]'''<br />
<br />
<br />
== Membership Categories ==<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | [[Image:Join_Now_BlueIcon.JPG|100px|link=https://www.owasp.org/index.php/Membership_Map]]<br />
! scope="col" align="center" width="120" | [[Voice During Elections]] <br />
! scope="col" align="center" width="120" | [[Recognition on OWASP.org Website]]<br />
! scope="col" align="center" width="120" | [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Discounts on Conference Sponsorship]<br />
! scope="col" align="center" width="120" | [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Discounts on Conference Attendance]<br />
! scope="col" align="center" width="120" | [[Complimentary Advertising]]<br />
! scope="col" align="center" width="120" | [[Recognition in Newsletter]]<br />
! scope="col" align="center" width="120" | [[owasp.org email address]]<br />
! scope="col" align="center" width="120" | [[Directly Support local chapter or project]]<br />
|-<br />
|align="center"| [[Corporate Member]]||align="center"|X||align="center"|X||align="center"|X|| ||align="center"|X||align="center"|X|| ||align="center"|X<br />
|-<br />
|align="center"|[[Individual Member]]||align="center"|X||align="center"|X|| ||align="center"|X|| || ||align="center"|X||align="center"|X<br />
|-<br />
|align="center"|Government Supporter|| ||align="center"|X|| || || ||align="center"|X|| || <br />
|-<br />
|align="center"|[[Academic Supporter]]||align="center"|X||align="center"|X|| || || ||align="center"|X|| || <br />
|-<br />
|align="center"|Organizational Supporter|| ||align="center"|X|| || || ||align="center"|X|| || <br />
|-<br />
|}<br />
<br />
== Other ways to Support OWASP ==<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" width="250" | [[Image:Btn_donate_SM.gif|link=http://www.cvent.com/d/fcq06k/4W]]<br />
! scope="col" width="700" | OWASP is an open community of application security professionals. The opportunities to participate in the organization are limitless.<br />
|-<br />
|align="center"|[[Local Chapter Supporter]]|| Organizations that are not yet interested in becoming a full Corporate Member but who have a desire to direct their support in a more regional manner may prefer to become a Local Chapter Supporter. Check with your local Chapter Leader to learn more about specific price levels for Chapter Supporters. The funds donated are divided with 90% directly supporting the OWASP local chapter and 10% to the OWASP Foundation.[https://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters local chapter page] <br />
|-<br />
|align="center"|[[Single Meeting Supporter]]||Organizations that wish to support an OWASP local chapter with a 100% tax deductible donation to enable the OWASP Foundation to continue its mission. The fees are set by the local chapter, so contact the chapter leader of the chapter that you want to work with. [https://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters local chapter page] <br />
|-<br />
|align="center"|Event Sponsorship||Participate in one of our Global or Regional events by sponsoring the expo or providing tangibles to the conference attendees. [https://www.owasp.org/index.php/Global_Conferences_Committee/Sponsorship View Sponsorship Opportunities]<br />
|-<br />
|align="center"|Tax Deductible Donation||The OWASP Foundation is a registered 501(c)3 in the US as well as a Not for Profit entity in Europe. As a result, your direct donation is eligible to be deducted as a charitable donation. Please contact your tax advisor for complete information.<br />
|-<br />
|align="center"|Individual Participation||With over 140 active chapters globally and hundreds of OWASP Projects and millions of great ideas waiting to become projects, it would be difficult to NOT find a way to participate. All it takes to participate is a willingness to share ideas and collaborate with the key minds in the industry. Please reach out to your local chapter leader, a current project leader, or start your own! <br />
|-<br />
|}<br />
<br />
== [[MEMBERSHIP FAQ]] ==<br />
<br />
= '''Current OWASP Organization Supporters &amp; Individual Members''' =<br />
<br />
{{Template:OWASP Members Horizontal}}</div>HelenGhttps://wiki.owasp.org/index.php?title=Membership&diff=129995Membership2012-05-16T19:21:54Z<p>HelenG: /* Membership Categories */</p>
<hr />
<div><br />
== [[Global Membership Committee]] ==<br />
<br />
<br />
<br />
[http://www.regonline.com/owasp_membership Become a Member]<br />
<br />
== Membership Categories ==<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | [http://www.regonline.com/owasp_membership https://www.owasp.org/images/2/2f/Donatenow.jpg]<br />
! scope="col" align="center" width="120" | [[Voice During Elections]] <br />
! scope="col" align="center" width="120" | [[Recognition on OWASP.org Website]]<br />
! scope="col" align="center" width="120" | [[Discounts on Conferences]]<br />
! scope="col" align="center" width="120" | [[Complimentary Advertising]]<br />
! scope="col" align="center" width="120" | [[Recognition in Newsletter]]<br />
! scope="col" align="center" width="120" | [[owasp.org email address]]<br />
! scope="col" align="center" width="120" | [[Directly Support local chapter or project]]<br />
|-<br />
|align="center"| [[Corporate Member]]||align="center"|X||align="center"|X||align="center"|X||align="center"|X||align="center"|X||align="center"|X||align="center"|X<br />
|-<br />
|align="center"|[[Individual Member]]||align="center"|X||align="center"|X||align="center"|X||||align="center"|X||align="center"|X||align="center"|X<br />
|-<br />
|align="center"|Government Supporter|| ||align="center"|X||align="center"|X|| ||align="center"|X|| ||align="center"|X<br />
|-<br />
|align="center"|Local Chapter Supporter|| ||align="center"|[https://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters On local chapter page] || || ||align="center"|X|| ||align="center"|X<br />
|-<br />
|align="center"|Academic Supporter|| ||align="center"|X||align="center"|X|| ||align="center"|X||align="center"|X||<br />
|-<br />
|align="center"|Organizational Supporter|| ||align="center"|X||align="center"|X||align="center"|X||align="center"|X|| ||align="center"|X<br />
|-<br />
|}<br />
<br />
== Other ways to Support OWASP ==<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" width="250" | [http://www.regonline.com/owasp_membership https://www.owasp.org/images/2/2f/Donatenow.jpg]<br />
! scope="col" width="700" | OWASP is an open community of application security professionals. The opportunities to participate in the organization are limitless.<br />
|-<br />
|align="center"|Single Meeting Supporter||Organizations that wish to support an OWASP local chapter with a 100% tax deductible donation to enable the OWASP Foundation to continue its mission. The fees are set by the local chapter, so contact the chapter leader of the chapter that you want to work with. [https://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters local chapter page] <br />
|-<br />
|align="center"|Event Sponsorship||Participate in one of our Global or Regional events by sponsoring the expo or providing tangibles to the conference attendees. [https://www.owasp.org/index.php/Global_Conferences_Committee/Sponsorship View Sponsorship Opportunities]<br />
|-<br />
|align="center"|Tax Deductible Donation||The OWASP Foundation is a registered 501(c)(3) in the US as well as a not-for-profit entity in Europe. As a result, your direct donation is eligible to be deducted as a charitable donation. Please contact your tax advisor for complete information.<br />
|-<br />
|align="center"|Individual Participation||With over 140 active chapters globally and hundreds of OWASP Projects and millions of great ideas waiting to become projects, it would be difficult to NOT find a way to participate. All it takes to participate is a willingness to share ideas and collaborate with the key minds in the industry. Please reach out to your local chapter leader, a current project leader, or start your own! <br />
|-<br />
|}<br />
<br />
== [[MEMBERSHIP FAQ]] ==<br />
<br />
= '''Current OWASP Organization Supporters &amp; Individual Members''' =<br />
<br />
{{Template:OWASP Members Horizontal}}</div>HelenGhttps://wiki.owasp.org/index.php?title=User:HelenGao&diff=129563User:HelenGao2012-05-10T16:10:00Z<p>HelenG: Redirected page to Https://www.owasp.org/index.php/User:Helengao</p>
<hr />
<div>#REDIRECT [[https://www.owasp.org/index.php/User:Helengao]]</div>HelenGhttps://wiki.owasp.org/index.php?title=User:Helengao&diff=129562User:Helengao2012-05-10T16:03:48Z<p>HelenG: </p>
<hr />
<div>Helen Gao has worked in the field of information security since 1991. Her occupations include application developer, project manager, and software architect. Her employers have included a financial institution, a market research company, a high-tech device manufacturer and a software company. <br />
<br />
Helen is currently a senior architect at TIBCO Software Inc. Her job duties include designing and developing complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br />
<br />
Helen has taught mathematics, physics and computer science at colleges in both the United States and China. <br />
<br />
Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science in the United States. Helen holds master's degrees in both physics and computer science. <br />
<br />
Besides volunteering for OWASP, she has also served as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island School of Chinese, a branch of Huaxia Chinese School. <br />
<br />
Helen's contributions to OWASP include the following: <br />
<br />
#Global Membership Committee Chair - In 2011, revised membership model; Recruited 2 organization members, 2 educational members and many individual members in US and Asia Pacific regions.<br> <br />
#Founder and leader of the Long Island Chapter - The chapter has been active since 2006. Organized at least 4 chapter meetings in 2011.<br> <br />
#AppSec China 2010, 2011 Overseas Chair - Organized 2 conferences in China in each of the past 2 years<br> <br />
#Leader of the OWASP Chinese Project - Designed project road map, recruited volunteers, selected and translated material.<br> <br />
#Global Conference Committee Contributor - Participated in committee meetings since 2010. <br />
#Global Chapter Committee Contributor - Participated in OWASP leader workshops. Revising the new chapter handbook in 2011. <br />
#OWASP Governance Task Force - Revised OWASP by-laws in 2011 <br />
#OWASP Newsletter - Contributed and translated the newsletters since 2010. <br />
#Representative of OWASP China Chapter - Facilitates cooperation among local chapters in greater China and the OWASP Foundation<br />
<br />
<br> [mailto:helen.gao@owasp.org Email and Google Talk address].</div>HelenG