https://wiki.owasp.org/api.php?action=feedcontributions&user=Medelibero&feedformat=atomOWASP - User contributions [en]2024-03-29T02:37:20ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Seattle&diff=87359Seattle2010-08-05T20:27:34Z<p>Medelibero: /* Previous Event 28 April (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''How OWASP Works and Guided Tour of OWASP Projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).<br />
<br />
--------------------------------------------------------<br />
<br />
'''Using the O2 Platform to Consume OWASP projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM<br />
<br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate and "check if it's fixed" the vulnerabilities reported and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.<br />
<br />
'''Dinis Cruz''' is a Security Consultant based in London (UK) who specializes in ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br />
<br />
For the past years Dinis has focused on the field of static source code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where, during active security engagements using Ounce's technology, he developed the open source codebase which is now the foundation of the OWASP O2 Platform.<br />
<br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the security consultants and the final developers.<br />
<br />
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security related conferences.<br />
<br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.<br />
<br />
<br />
== Previous Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''<br />
<br />
'''Speakers:''' Walter Pearce & Wade Winright from IOActive<br />
<br />
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing.<br />
<br />
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.<br />
<br />
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services.<br />
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and is also certified by the E-Commerce Council as a CEH, focused on vulnerability/penetration testing and countermeasures.<br />
<br />
----<br />
<br />
'''Protecting Your Applications from Backdoors:'''<br />
<br />
How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data<br />
<br />
'''Speaker:''' Clint Pollock from Veracode<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams. In this session we will cover:<br />
* Prevalence of backdoors and malicious code in third party attacks<br />
* Definitions and classifications of backdoors and their impact on your applications<br />
* Methods to identify, track and remediate these vulnerabilities<br />
<br />
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call for action to involve the community to more comprehensively document the policies.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.<br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0:<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
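The abstract above contrasts white-list (allow-list) encoding with the usual deny-list approach. The following is an added illustration written for this page, not code from the Anti-XSS library: a minimal allow-list encoder for HTML next to a deny-list encoder, rendered into a single-quoted attribute so that the difference in failure mode is visible. The allow-list set `SAFE_HTML`, the template in `render_title` and the sample strings are constructed for the example; the real library's allow list is much larger and context-specific.<br />

```python
"""Allow-list ("principle of inclusions") output encoding next to a
deny-list encoder. Added illustration; not the Anti-XSS library's code."""

# Characters passed through unchanged: ASCII letters, digits, space and a
# small punctuation set. Constructed set; a real allow list is larger.
SAFE_HTML = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)


def html_encode_allowlist(text: str) -> str:
    """Encode every character NOT in the allow list as a numeric entity.
    Anything unexpected (new metacharacter, non-ASCII, control char) is
    encoded by default, so a case nobody thought of still fails safe."""
    out = []
    for ch in text:
        if ch in SAFE_HTML:
            out.append(ch)
        else:
            out.append("&#%d;" % ord(ch))
    return "".join(out)


# Deny-list encoder: only characters someone remembered to list are
# encoded; everything else, including the single quote, passes through.
BLOCKED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def html_encode_blocklist(text: str) -> str:
    """Encode only the characters present in BLOCKED."""
    return "".join(BLOCKED.get(ch, ch) for ch in text)


def render_title(value: str, encoder) -> str:
    """Place untrusted text into a single-quoted HTML attribute (hypothetical
    template) using the supplied encoder. With the deny list the quote
    survives and can end the attribute; the allow list encodes it."""
    return "<a title='" + encoder(value) + "'>link</a>"


if __name__ == "__main__":
    for sample in ("Hello, World.", "Tom's", "<b>", "日本"):
        print(repr(sample), "->", html_encode_allowlist(sample),
              "| deny-list:", html_encode_blocklist(sample))
```

The allow-list encoder also handles the multi-byte case the abstract mentions (Shift_JIS on mobile browsers) without special code: any character outside the safe set, ASCII or not, becomes a numeric entity that the browser decodes unambiguously.<br />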
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools, including the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library, and has presented security courses internally at Microsoft. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad and has shown expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000 foot view all the way down to the nitty gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months brings the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
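To make the mechanism in the bullets above concrete, here is an added illustration written for this page (it is not Fortify's product or the speaker's code): untrusted input is wrapped in a tainted string type, the taint follows the value through ordinary string operations, an instrumented sink records a finding when tainted data reaches it unsanitized, and a benign functional test input is enough to surface the flaw. The `TaintedStr` class, the `sink` decorator, the two `lookup_user_*` handlers and the form dictionary are all constructed for the example; a real engine instruments the runtime rather than subclassing `str`.<br />

```python
"""Dynamic taint propagation sketch. Added illustration, not a product's
implementation: source -> propagation -> sanitizer -> instrumented sink."""
from __future__ import annotations

from functools import wraps

FINDINGS: list[str] = []   # what the instrumented sinks report


class TaintedStr(str):
    """A str that remembers it came from an untrusted source. The overrides
    keep the taint alive across the operations a typical handler performs
    (hypothetical minimal set; f-strings, for instance, would drop it)."""

    def _wrap(self, value):
        return TaintedStr(value) if isinstance(value, str) else value

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self))

    def strip(self, *args):
        return self._wrap(str.strip(self, *args))

    def upper(self):
        return self._wrap(str.upper(self))

    def replace(self, old, new, count=-1):
        return self._wrap(str.replace(self, old, new, count))


def sink(kind: str):
    """Retrofit a dangerous function: record a finding whenever any argument
    is still tainted on arrival, then let the call proceed as before."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            values = list(args) + list(kwargs.values())
            if any(isinstance(v, TaintedStr) for v in values):
                FINDINGS.append("%s sink %s reached by tainted data" % (kind, fn.__name__))
            return fn(*args, **kwargs)
        return wrapper
    return deco


def request_param(form: dict, name: str) -> TaintedStr:
    """Source: everything read from the request is tainted."""
    return TaintedStr(form[name])


def sanitize_sql_literal(value: str) -> str:
    """Sanitizer: returns a plain, untainted str (str() copies a subclass
    instance into an exact str, so the taint marker is dropped here)."""
    return str(value).replace("'", "''")


@sink("SQL")
def execute_sql(query: str) -> str:
    """Stand-in for the database call (hypothetical)."""
    return "ok"


def lookup_user_unsafe(form: dict) -> str:
    name = request_param(form, "user").strip()
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")


def lookup_user_safe(form: dict) -> str:
    name = sanitize_sql_literal(request_param(form, "user").strip())
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")


def run_functional_tests() -> list[str]:
    """An ordinary functional test (constructed, benign input) drives both
    handlers; the taint engine, not the tester, spots the flaw."""
    FINDINGS.clear()
    form = {"user": "alice"}
    lookup_user_unsafe(form)
    lookup_user_safe(form)
    return list(FINDINGS)


if __name__ == "__main__":
    for finding in run_functional_tests():
        print(finding)
```

Only the unsanitized handler produces a finding, and the input that exposed it was the same "alice" a QA suite would already use; that is the property the talk title refers to with "without attacking".<br />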
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
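As an added illustration of the "shared resource that must be managed" point above (written for this page, not material from the talk), the following shows a check-then-act race on an application-specific resource, a single-use coupon, together with the locked form and the targeted test that distinguishes them: fire several requests at the same instant and count how many succeed. `CouponStore`, the coupon code and the sleep that stands in for a database round-trip are all constructed for the example.<br />

```python
"""Check-then-act concurrency flaw in a request handler, its locked form,
and a targeted concurrency test. Added illustration; constructed scenario."""
from __future__ import annotations

import threading
import time


class CouponStore:
    """Stand-in for a shared back-end resource (database row, session
    variable) reached by many request threads at once."""

    def __init__(self) -> None:
        self.redeemed: dict[str, bool] = {}   # coupon code -> used
        self.lock = threading.Lock()

    def redeem_unsafe(self, code: str) -> bool:
        """Race: several threads can all observe 'not redeemed' before any of
        them records the redemption. The sleep widens the window so the demo
        is reproducible; in production it is an ordinary scheduler pause."""
        if self.redeemed.get(code):
            return False
        time.sleep(0.05)                       # e.g. a database round-trip
        self.redeemed[code] = True
        return True

    def redeem_safe(self, code: str) -> bool:
        """Check and act under one lock so the pair is atomic. (With a real
        database the same effect comes from a transaction or a conditional
        UPDATE; the lock is the simplest in-process form.)"""
        with self.lock:
            if self.redeemed.get(code):
                return False
            time.sleep(0.05)
            self.redeemed[code] = True
            return True


def concurrent_requests(handler, code: str, n: int = 4) -> int:
    """Targeted test: release n 'requests' together and count successes.
    A single-use coupon must succeed exactly once."""
    results: list[bool] = []
    barrier = threading.Barrier(n)

    def worker() -> None:
        barrier.wait()                         # all threads start together
        results.append(handler(code))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo() -> tuple[int, int]:
    """Return (successes with the racy handler, successes with the locked one)."""
    unsafe = concurrent_requests(CouponStore().redeem_unsafe, "SAVE10")
    safe = concurrent_requests(CouponStore().redeem_safe, "SAVE10")
    return unsafe, safe


if __name__ == "__main__":
    unsafe_count, safe_count = demo()
    print("racy handler redeemed the coupon", unsafe_count, "times")
    print("locked handler redeemed the coupon", safe_count, "time(s)")
```

A sequential test suite would never see the difference: each handler, called one request at a time, redeems the coupon exactly once. The concurrency test is what makes the flaw observable, which is why the abstract says such flaws are only found through targeted testing.<br />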
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
== Previous Event 23 January (Wednesday) ==<br />
'''Date:''' 1/23/2008<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=87358Seattle2010-08-05T20:24:48Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''How OWASP Works and Guided Tour of OWASP Projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives the local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).<br />
<br />
--------------------------------------------------------<br />
<br />
'''Using the O2 Platform to Consume OWASP projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis, and this presentation will provide examples of how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM.<br />
<br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate and "check if it's fixed" the reported vulnerabilities and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.<br />
<br />
'''Dinis Cruz''' is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br />
<br />
In recent years Dinis has focused on the field of static source code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where, during active security engagements using Ounce's technology, he developed the open source codebase which is now the foundation of the OWASP O2 Platform.<br />
<br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.<br />
<br />
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security-related conferences.<br />
<br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.<br />
<br />
<br />
== Previous Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''How OWASP Works and Guided Tour of OWASP Projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives the local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).<br />
<br />
--------------------------------------------------------<br />
<br />
'''Using the O2 Platform to Consume OWASP projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis, and this presentation will provide examples of how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM.<br />
<br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate and "check if it's fixed" the reported vulnerabilities and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.<br />
<br />
'''Dinis Cruz''' is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br />
<br />
In recent years Dinis has focused on the field of static source code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where, during active security engagements using Ounce's technology, he developed the open source codebase which is now the foundation of the OWASP O2 Platform.<br />
<br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.<br />
<br />
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security-related conferences.<br />
<br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
The same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified, and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call to action to involve the community in more comprehensively documenting the policies.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.<br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0:<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
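The principle of inclusions described above, as an added Python illustration (not the Anti-XSS library's own code; the allowed character set and the deny-list encoder used for contrast are this example's assumptions):<br />

```python
"""Allow-list (white-list) output encoding, the approach described for
Anti-XSS v3.0.

Added illustration in Python, not code from the Microsoft library. It shows
the principle of inclusions: a small set of characters is declared safe and
every other character is encoded, so the encoder never has to enumerate
what is dangerous. A deny-list encoder is included only for contrast.
"""
import html
import string

# Characters passed through unchanged in an HTML element body. Everything
# else (markup characters, quotes, control characters, all non-ASCII) is
# encoded. This set is an assumption of the example, not the library's list.
HTML_SAFE = frozenset(string.ascii_letters + string.digits + " ,.-_")

# Named entities where they exist; every other encoded character gets a
# numeric character reference, which every HTML parser understands.
NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def html_encode(text: str) -> str:
    """Encode `text` for an HTML element body using the allow-list rule."""
    out = []
    for ch in text:
        if ch in HTML_SAFE:
            out.append(ch)
        elif ch in NAMED:
            out.append(NAMED[ch])
        else:
            out.append(f"&#{ord(ch)};")  # e.g. "'" -> "&#39;"
    return "".join(out)


def attribute_encode(text: str) -> str:
    """Encode for an HTML attribute value. Same rule, but space is not safe,
    so the value cannot terminate an unquoted attribute."""
    safe = HTML_SAFE - {" "}
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


def deny_list_encode(text: str) -> str:
    """Typical deny-list encoder, for contrast: escapes the four characters
    it knows about and passes everything else (including quotes) through."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def round_trips(text: str) -> bool:
    """Encoding must be lossless: a browser decodes it back to the input."""
    return html.unescape(html_encode(text)) == text


def has_raw_markup(encoded: str) -> bool:
    """True if a character that can open a tag or close a quoted attribute
    survived encoding (ampersands are expected as entity prefixes)."""
    return any(ch in encoded for ch in "<>\"'")


if __name__ == "__main__":
    sample = "<img src=x onerror='alert(1)'> caf\u00e9"  # constructed input
    print("allow-list:", html_encode(sample))
    print("deny-list: ", deny_list_encode(sample))
```

The contrast to look for is the single quote: the deny-list encoder leaves it alone, while the allow-list encoder never had to know it was dangerous.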
<br />
'''Anil Kumar Revuru''' currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy; acting on it is only slightly harder; succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing, focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=87357Seattle2010-08-05T20:23:34Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
<br />
== Previous Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''How OWASP Works and Guided Tour of OWASP Projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives the local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).<br />
<br />
--------------------------------------------------------<br />
<br />
'''Using the O2 Platform to Consume OWASP projects'''<br />
<br />
'''Speaker: Dinis Cruz'''<br />
<br />
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis, and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM.<br />
<br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate and "check if it's fixed" the vulnerabilities reported, and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.<br />
<br />
'''Dinis Cruz''' is a Security Consultant based in London (UK) specializing in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br />
<br />
For the past few years Dinis has focused on the field of Static Source Code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where during active security engagements using Ounce's technology he developed the Open Source codebase which is now the foundation of the OWASP O2 Platform.<br />
<br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.<br />
<br />
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br />
<br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately, this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call to action to involve the community in more comprehensively documenting the policies.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.<br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
*Performance improvements<br />
*Performance data sheets (in the online help)<br />
*Support for Shift_JIS encoding for mobile browsers<br />
*Security Runtime Engine (SRE) HTTP module<br />
*A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
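The principle of inclusions described above, shown as an added example beside the blacklist style of encoder it is contrasted with. This is illustrative Python written for this page, not the Anti-XSS library's code or API; the allowed character set is a constructed sample for an HTML text context.<br />

```python
import html

# Constructed allowlist for an HTML text context: only these characters pass
# through unchanged; everything else becomes a numeric character reference.
ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)

# A typical blacklist encoder: it replaces only the characters it was told
# about, so anything the author forgot (here, the single quote and '=')
# reaches the page untouched.
BLACKLIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def blacklist_encode(text: str) -> str:
    """Encode only known-dangerous characters (the approach the abstract contrasts)."""
    return "".join(BLACKLIST.get(ch, ch) for ch in text)


def whitelist_encode(text: str, allowed: frozenset = ALLOWED) -> str:
    """Principle of inclusions: pass allowed characters, encode everything else.

    Passing a larger `allowed` set models the "expanded white list" for other
    languages mentioned in the abstract: letters of that script stay readable
    while still nothing outside the set reaches the page raw.
    """
    out = []
    for ch in text:
        if ch in allowed:
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")  # decimal numeric character reference
    return "".join(out)


def is_fully_encoded(encoded: str, allowed: frozenset = ALLOWED) -> bool:
    """Check the whitelist invariant: the output contains only allowed characters
    plus the three characters needed to spell a numeric reference ('&', '#', ';')."""
    return all(ch in allowed or ch in "&#;" for ch in encoded)


def round_trips(text: str) -> bool:
    """Browsers decode &#NNN; references, so the displayed text equals the input."""
    return html.unescape(whitelist_encode(text)) == text


if __name__ == "__main__":
    # Constructed sample input mixing a quote, markup, '=' and CJK text.
    sample = "O'Brien <b>bold</b> x=1 \u65e5\u672c"
    print(blacklist_encode(sample))   # quote, '=' and CJK pass through raw
    print(whitelist_encode(sample))   # everything outside ALLOWED is encoded
    print(is_fully_encoded(whitelist_encode(sample)))  # True
```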
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and in threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
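The abstract above describes dynamic taint propagation without showing the mechanism. The following is an added example, not code from the talk or from Fortify's product: a minimal Python model in which data read from an untrusted source is wrapped in a <code>Tainted</code> string subclass, the mark follows the data through concatenation and common string methods, and a SQL sink refuses query text that carries the mark. The request parameters and the <code>lookup_user_*</code> handlers are constructed for the illustration; a real tool instruments the runtime or the executable rather than relying on a subclass, which is why f-strings and multi-argument formatting are blind spots of this toy.<br />

```python
# Minimal model of dynamic taint propagation. Added illustration, not the
# product the talk describes. The request parameters below are constructed
# sample input; no attack payload is needed to surface the flaw.

class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    # Concatenation in either order keeps the mark.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    # "template %s" % tainted keeps the mark (single-argument form only).
    def __rmod__(self, template):
        return Tainted(str.__mod__(template, self))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))

    def lower(self):
        return Tainted(str.lower(self))


class TaintError(Exception):
    """Raised when tainted data reaches a sensitive sink."""


def request_param(params: dict, name: str) -> Tainted:
    """Taint source: anything the client sent is untrusted."""
    return Tainted(params[name])


FINDINGS = []


def execute_sql(query: str, args: tuple = ()) -> str:
    """Taint sink. The SQL text itself must not derive from untrusted data;
    bound parameters may, because the driver keeps them out of the parse."""
    if isinstance(query, Tainted):
        FINDINGS.append(("SQL injection", str(query)))
        raise TaintError(f"tainted data reached execute_sql: {query!r}")
    # No real database here: return the text the driver would receive.
    return f"{query} with args {args}"


def lookup_user_vulnerable(params: dict) -> str:
    name = request_param(params, "name").strip()
    # Concatenation carries the taint into the query text.
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")


def lookup_user_fixed(params: dict) -> str:
    name = request_param(params, "name").strip()
    # The query text is a constant; the tainted value travels as a parameter.
    return execute_sql("SELECT * FROM users WHERE name = ?", (name,))


def run_functional_test(handler) -> list:
    """A QA-style test with a benign input and no attack payload. Returns the
    findings the sink recorded while the handler ran."""
    FINDINGS.clear()
    try:
        handler({"name": " alice "})
    except TaintError:
        pass
    return list(FINDINGS)
```

Running the same benign functional test against both handlers reports one finding for the concatenating handler and none for the parameterized one, which is the property the abstract claims: the existing test suite, unchanged, finds the flaw.<br />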
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=81421Seattle2010-04-15T03:39:28Z<p>Medelibero: /* Next Event 28 April (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''<br />
<br />
'''Speakers: Walter Pearce & Wade Winright from IOActive'''<br />
<br />
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing. <br />
<br />
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.<br />
<br />
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
<br />
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and also is certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.<br />
<br />
--------------------------------------------------------<br />
<br />
'''Protecting Your Applications from Backdoors: '''<br />
<br />
How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data<br />
<br />
'''Speaker:''' Clint Pollock from Veracode<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams.<br />
In this session we will cover:<br />
*Prevalence of backdoors and malicious code in third party attacks <br />
*Definitions and classifications of backdoors and their impact on your applications <br />
*Methods to identify, track and remediate these vulnerabilities<br />
<br />
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Often the policy is oversimplified, and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this could not be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. It is also a call to action to involve the community in documenting the policies more comprehensively. <br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is the author of the book Network Security with OpenSSL. <br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
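The abstract describes the allow-list (principle of inclusions) approach in one sentence. The following is an added example written for this page, not code from the Anti-XSS library: it encodes a string for an HTML text context and for an HTML attribute context by keeping only characters in a constructed safe set and emitting numeric character references for everything else, and it places a conventional deny-list encoder beside it for contrast. The safe sets, the <code>render_title</code> template and the sample value are constructed assumptions; they are not the library's actual lists.<br />

```python
# Allow-list ("principle of inclusions") output encoding. Added illustration,
# not the Microsoft Anti-XSS library's code; the safe sets below are
# constructed assumptions, not the library's actual lists.

ALNUM = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
)

# Context-specific allow-lists: the text context tolerates a space, the
# attribute context does not, because an unquoted attribute value ends at
# whitespace and anything after it is parsed as a new attribute.
SAFE_HTML_TEXT = ALNUM | frozenset(" ,.-_")
SAFE_HTML_ATTRIBUTE = ALNUM | frozenset(",.-_")


def _encode(text: str, safe: frozenset) -> str:
    """Keep characters in `safe`; emit every other code point as a decimal
    numeric character reference. A character nobody thought about is encoded
    by default, which is the point of the allow-list approach."""
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


def html_encode(text: str) -> str:
    """For untrusted data placed between HTML tags."""
    return _encode(text, SAFE_HTML_TEXT)


def html_attribute_encode(text: str) -> str:
    """For untrusted data placed in an HTML attribute value."""
    return _encode(text, SAFE_HTML_ATTRIBUTE)


# Deny-list encoder for contrast: escapes only the usual five characters and
# passes everything else through unchanged.
_DENY = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}


def html_encode_denylist(text: str) -> str:
    return "".join(_DENY.get(ch, ch) for ch in text)


def render_title(value: str, encoder) -> str:
    """A constructed template that leaves the attribute unquoted, a legacy
    pattern that is the reason the attribute encoder is stricter."""
    return f"<div title={encoder(value)}>x</div>"


def breaks_out_of_attribute(markup: str) -> bool:
    """Check used by the tests: did the value escape the title attribute and
    introduce a second attribute inside the opening tag?"""
    tag = markup[: markup.index(">")]
    return " onmouseover" in tag
```

Encoding the same value with the three encoders shows why the library ships separate encoders per context: the deny-list encoder and the text-context encoder both leave a space in an unquoted attribute, while the attribute-context allow-list encodes it as <code>&amp;#32;</code> and the value stays inside the attribute.<br />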
<br />
'''Anil Kumar Revuru''' currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines<br />
four levels of web application security verification, lays down a<br />
framework for security architecture review. While the ASVS includes<br />
many requirements for controls, it does not suggest which tools,<br />
techniques, timeline or methodologies to use. The OWASP Code<br />
Review and Testing Guides provide the technical practices and suggest<br />
or hint at tools, but also lack the timeline and methodology necessary<br />
to complete an application penetration test or SDLC integration<br />
project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to<br />
the nitty-gritty details of how to perform ASVS activities using OWASP<br />
resources, as well as some OWASP and non-OWASP tools (freeware or<br />
demoware). Example timelines for typical ASVS activities, including<br />
reports, will be discussed so that any sort of application security<br />
project can be scoped properly and delivered on time and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global<br />
security consulting firm providing IT security services to the Fortune<br />
500 and financial institutions as well as U.S. and foreign<br />
governments. Prior to his current employment, Andre held a number of<br />
payment application security positions in addition to working for the<br />
largest online auction website. He is currently a leader for the Open<br />
Web Application Security Project (OWASP), where he co-produces the<br />
global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into the SDL, when to fuzz, and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security, with expertise in application and<br />
network security and threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
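A minimal dynamic taint propagation engine in Python, added here as an illustration of the talk's premise and not taken from Fortify or any product: data is marked at an untrusted source, the mark travels through string operations, and a sensitive sink reports it. Because the check keys on provenance rather than payload content, an ordinary functional test with the benign input "alice" is enough to surface the flaw; the request-parameter source, SQL sink and the two handlers are constructed for the example.<br />

```python
"""Minimal dynamic taint propagation (added illustration, not a product's
instrumentation): mark data at sources, propagate through string ops,
report at sinks. Plain functional tests then reveal flaws without any
malicious input being needed."""


class Tainted(str):
    """A str carrying a taint mark. String operations that build new
    strings are overridden so the mark propagates to their results."""

    def __new__(cls, value, source="untrusted"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # tainted + str and str + tainted both yield a tainted string
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    # "fmt %s" % tainted: the subclass's reflected method runs first
    def __rmod__(self, fmt):
        return Tainted(str.__mod__(fmt, self), self.source)

    def __getitem__(self, key):  # slicing keeps the mark
        return Tainted(str.__getitem__(self, key), self.source)


def _propagating(name):
    """Wrap a str method so its result carries the receiver's mark."""
    def method(self, *args, **kwargs):
        return Tainted(getattr(str, name)(self, *args, **kwargs), self.source)
    return method


for _name in ("strip", "lower", "upper", "replace", "title"):
    setattr(Tainted, _name, _propagating(_name))


class TaintViolation(Exception):
    """Raised when marked data reaches a sensitive sink unsanitised."""


# --- instrumented source and sink (constructed for this example) ---------

def request_param(params: dict, name: str) -> Tainted:
    """Source: anything read from the request is marked."""
    return Tainted(params[name], source="request." + name)


def execute_sql(query: str, args=()):
    """Sink: the SQL text itself must be untainted. Bound parameters are
    data, not code, so they may carry marks. Returns the statement it
    would have run, standing in for a real database call."""
    if isinstance(query, Tainted):
        raise TaintViolation(
            f"data from {query.source} reached SQL sink: {str(query)!r}")
    return (str(query), tuple(str(a) for a in args))


# --- two handlers exercised by the same functional test ------------------

def find_user(params):
    """Concatenates the parameter into the statement: flagged at the sink
    even for benign input, because the mark, not the payload, is checked."""
    name = request_param(params, "user")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return execute_sql(query)


def find_user_fixed(params):
    """Parameterised statement: the marked value never enters the SQL text."""
    name = request_param(params, "user")
    return execute_sql("SELECT * FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    functional_test_input = {"user": "alice"}  # no attack string anywhere
    try:
        find_user(functional_test_input)
    except TaintViolation as exc:
        print("finding:", exc)
    print("fixed handler ran:", find_user_fixed(functional_test_input))
```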
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large-scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years' combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=81420Seattle2010-04-15T03:38:25Z<p>Medelibero: /* Next Event 28 April (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
''Presentations:''<br />
<br />
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''<br />
<br />
'''Speakers: Walter Pearce & Wade Winright from IOActive'''<br />
<br />
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing. <br />
<br />
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.<br />
<br />
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
<br />
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and also is certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.<br />
<br />
--------------------------------------------------------<br />
<br />
'''Protecting Your Applications from Backdoors: '''<br />
<br />
How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams.<br />
In this session we will cover:<br />
*Prevalence of backdoors and malicious code in third party attacks <br />
*Definitions and classifications of backdoors and their impact on your applications <br />
*Methods to identify, track and remediate these vulnerabilities<br />
<br />
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn’t be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call to action to involve the community in documenting the policies more comprehensively.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. <br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
*An expanded white list that supports more languages<br />
*Performance improvements<br />
*Performance data sheets (in the online help)<br />
*Support for Shift_JIS encoding for mobile browsers<br />
*Security Runtime Engine (SRE) HTTP module<br />
*A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
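As an added illustration of the principle of inclusions described above (this is constructed example code, not the Anti-XSS library's implementation and not from the chapter page), a minimal allow-list HTML encoder is shown next to a deny-list encoder; the allow-list, the deny-list table and the attribute check are all assumptions chosen for the demonstration.

```python
# Constructed demonstration of allow-list ("principle of inclusions") encoding
# versus deny-list encoding. Not the Anti-XSS library; the character sets and
# the attribute check below are assumptions made for this example.
import re

# Allow-list: only these characters pass through unencoded. Everything else,
# including quotes, angle brackets and any non-ASCII character, is replaced
# by a numeric character reference. (Set chosen for the example.)
_ALLOWED = re.compile(r"[A-Za-z0-9 ,.\-_]")

def allowlist_html_encode(text: str) -> str:
    """Encode every character that is NOT in the allow-list as &#NNN;."""
    out = []
    for ch in text:
        if _ALLOWED.fullmatch(ch):
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)

# Deny-list: only the characters someone remembered to list are encoded.
# Note that the single quote is missing, a common real-world omission.
_DENIED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}

def denylist_html_encode(text: str) -> str:
    """Encode only the characters present in the deny-list table."""
    return "".join(_DENIED.get(ch, ch) for ch in text)

def attribute_is_intact(value: str, encoder) -> bool:
    """Constructed check: place the encoded value inside value='...' and
    report whether the attribute still ends where the template ends it.
    The attribute is intact only if the two quotes in the markup are
    the two the template wrote."""
    markup = f"<input value='{encoder(value)}'>"
    return markup.count("'") == 2

if __name__ == "__main__":
    sample = "O'Brien"  # constructed input containing a single quote
    for name, enc in (("deny-list", denylist_html_encode),
                      ("allow-list", allowlist_html_encode)):
        print(f"{name}: {enc(sample)!r} intact={attribute_is_intact(sample, enc)}")
```

The deny-list encoder leaves the single quote untouched, so a value placed in a single-quoted attribute can terminate that attribute; the allow-list encoder never has to anticipate the character because anything outside the allowed set is encoded.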
<br />
'''Anil Kumar Revuru''' currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools (particularly those acquired by IBM and HP in 2007) when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work, and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>
Medelibero https://wiki.owasp.org/index.php?title=Seattle&diff=81419 Seattle 2010-04-15T03:28:36Z <p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2010 @ 6:30ish<br />
<br />
'''Presentations:'''<br />
<br />
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''<br />
<br />
'''Speakers: Walter Pearce & Wade Winright from IOActive'''<br />
<br />
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing. <br />
<br />
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.<br />
<br />
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. <br />
<br />
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and also is certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.<br />
<br />
--------------------------------------------------------<br />
<br />
'''Protecting Your Applications from Backdoors: '''<br />
<br />
How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams.<br />
In this session we will cover:<br />
* Prevalence of backdoors and malicious code in third party attacks<br />
* Definitions and classifications of backdoors and their impact on your applications<br />
* Methods to identify, track and remediate these vulnerabilities<br />
<br />
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
== Previous Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified, and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. It is also a call to action to involve the community in documenting the policies more comprehensively.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. <br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some of the new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft, and he developed security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad and has shown expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months witnesses the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for Billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and in threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
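To make the mechanism behind the talk concrete, here is an added toy implementation of dynamic taint propagation (constructed for this page, not the speaker's or Fortify's code): a taint-carrying string class, an explicit source, a sanitizer, an instrumented SQL sink, and an ordinary functional test with benign input that surfaces the flaw. The handler names, the request shape and the user fixture are assumptions.

```python
"""Toy dynamic taint propagation.

Added example, not code from the talk or from any Fortify product: a str
subclass carries a taint mark from an input source through ordinary string
operations to a sink, so an unmodified functional test with benign input
reports the flaw without anyone supplying malicious input.
"""
from __future__ import annotations


class Tainted(str):
    """A str that remembers it originated from an untrusted source.

    Only the operations used below are propagated; a real engine instruments
    the runtime so every string operation carries taint.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for plain_str + Tainted: the result stays tainted.
        return Tainted(str.__add__(str(other), self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))


FINDINGS: list[str] = []

# Constructed fixture standing in for the database behind the application.
FAKE_USERS = {"alice": {"id": 1}, "bob": {"id": 2}}


def taint_source(value: str) -> Tainted:
    """Source: marks data entering from a request. (A real tool hooks the web
    framework so application code is not modified; here it is explicit.)"""
    return Tainted(value)


def sql_literal(value: str) -> str:
    """Sanitizer: quoting for the SQL sink clears the taint because the result
    is built from plain str operations. Constructed for the example; production
    code should use parameterised queries instead."""
    return "'" + str(value).replace("'", "''") + "'"


def run_query(sql: str) -> list[dict]:
    """Sink: the instrumented database call. Tainted data arriving here means
    untrusted input reached SQL without passing through a sanitizer."""
    if isinstance(sql, Tainted):
        FINDINGS.append(f"tainted data reached SQL sink: {sql}")
    # Crude simulation of SELECT ... WHERE name = '<x>' against the fixture.
    name = sql.rsplit("=", 1)[1].strip().strip("'")
    return [FAKE_USERS[name]] if name in FAKE_USERS else []


def lookup_user_vulnerable(request: dict) -> list[dict]:
    """Application code that concatenates input straight into the query."""
    name = taint_source(request["name"])
    sql = "SELECT id FROM users WHERE name = '" + name.strip() + "'"
    return run_query(sql)


def lookup_user_fixed(request: dict) -> list[dict]:
    """Same handler after the fix: input passes through the sanitizer."""
    name = taint_source(request["name"])
    sql = "SELECT id FROM users WHERE name = " + sql_literal(name.strip())
    return run_query(sql)


def functional_test(handler) -> tuple[list[dict], list[str]]:
    """An existing QA test with benign input, re-run under taint tracking;
    returns the functional result and the findings recorded during the run."""
    FINDINGS.clear()
    result = handler({"name": " alice "})
    return result, list(FINDINGS)


if __name__ == "__main__":
    for handler in (lookup_user_vulnerable, lookup_user_fixed):
        result, findings = functional_test(handler)
        print(handler.__name__, result, findings)
```

Both handlers pass the functional check (they return alice's record), but only the vulnerable one produces a finding, which is what lets a QA team find the flaw without security expertise or hostile input.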
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work, and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will included manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
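As an added illustration of the manual SQL Injection techniques the abstract lists (example code written for this page, not material from the talk), the following Python seeds an in-memory SQLite login table with constructed sample users and runs three classic payloads against a string-built query and against its parameterized equivalent. The table, user names and payload strings are all constructed for the demonstration.<br />

```python
import sqlite3

# Constructed sample credentials for this example (not from the talk).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic ASP-style string-built query: user input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input stays data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, username):
    """A second string-built query, used below to pull another column out via UNION."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, username):
    sql = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]


# Three manual payloads of the kind demonstrated by hand before reaching for tools.
TAUTOLOGY = "' OR '1'='1"                         # password field: ... AND password = '' OR '1'='1'
COMMENT = "alice'--"                              # username field: ... username = 'alice'-- (rest ignored)
UNION = "' UNION SELECT password FROM users--"    # username field: appends the password column


def demo():
    """Returns what each query variant gives back for each payload."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),   # logs in without the password
        "vuln_comment": login_vulnerable(conn, COMMENT, "wrong"),       # password check commented out
        "vuln_union": sorted(lookup_vulnerable(conn, UNION)),           # extracts every password
        "safe_tautology": login_parameterized(conn, "alice", TAUTOLOGY),
        "safe_comment": login_parameterized(conn, COMMENT, "wrong"),
        "safe_union": lookup_parameterized(conn, UNION),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```

The parameterized versions return nothing for all three payloads because the driver sends the literal bytes as values; the string-built versions authenticate without a password and dump the password column with the same input. That is the whole mitigation story for SQL Injection: bind parameters (or an equivalent prepared-statement API), and treat escaping as a fallback rather than the primary control.<br />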
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be giving the following presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct for pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=80219Seattle2010-03-20T04:56:00Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender]<br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified, and there is a misconception that there is one consistent policy used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment each have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. It is also a call to action for the community to document the policies more comprehensively. <br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate them, and he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
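As an added example (not part of the slide deck or the talk) of one of those deltas, the following Python compares the (scheme, host, port) tuple that script access such as DOM and XMLHttpRequest is checked against with the looser matching that cookies use. The URLs and cookie attributes are constructed for the demonstration, path matching is left out, and the document.domain relaxation is a simplified model of the legacy behaviour.<br />

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def script_origin(url):
    """The (scheme, host, port) tuple that DOM and XMLHttpRequest access compare on."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
    return (p.scheme, p.hostname, port)


def same_origin(a, b):
    return script_origin(a) == script_origin(b)


def same_origin_after_document_domain(a, b, domain_a, domain_b):
    """Legacy document.domain relaxation (simplified model): two pages that each set
    the same document.domain value, which must be a suffix of their own host, are
    then compared on (scheme, that value) only, so the port stops mattering."""
    for url, d in ((a, domain_a), (b, domain_b)):
        host = script_origin(url)[1]
        if not (host == d or host.endswith("." + d)):
            return False
    return domain_a == domain_b and script_origin(a)[0] == script_origin(b)[0]


def cookie_sent(cookie_domain, host_only, secure, url):
    """Cookie scoping: exact host (host-only cookie) or domain-suffix match, plus the
    Secure flag. The port is never part of the match; path is omitted for brevity."""
    p = urlsplit(url)
    if secure and p.scheme != "https":
        return False
    if host_only:
        return p.hostname == cookie_domain
    return p.hostname == cookie_domain or p.hostname.endswith("." + cookie_domain)


def compare_policies():
    """Constructed URL pairs showing where script SOP and cookie scoping disagree."""
    web = "https://example.com/app"
    alt_port = "https://example.com:8443/admin"
    plain = "http://example.com/"
    sub = "https://api.example.com/v1"
    return {
        # different port: scripts are isolated, the session cookie is not
        "port_script": same_origin(web, alt_port),
        "port_cookie": cookie_sent("example.com", True, True, alt_port),
        # different scheme: scripts are isolated; a non-Secure cookie leaks to http
        "scheme_script": same_origin(web, plain),
        "scheme_cookie_nonsecure": cookie_sent("example.com", True, False, plain),
        "scheme_cookie_secure": cookie_sent("example.com", True, True, plain),
        # subdomain: scripts isolated unless document.domain is relaxed; a
        # Domain=example.com cookie is shared with every subdomain regardless
        "sub_script": same_origin(web, sub),
        "sub_script_relaxed": same_origin_after_document_domain(
            web, sub, "example.com", "example.com"),
        "sub_cookie_domain": cookie_sent("example.com", False, True, sub),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print("%-24s %s" % (name, value))
```

The practical consequence is the one the abstract warns about: an internal service on a second port, or a forgotten subdomain, is a different origin for scripts but shares the user's cookies, so a cross-site-scripting bug there still rides the victim's session against the main site.<br />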
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. <br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
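An added example of the allow-list ("principle of inclusions") approach described above, written for this page; it is not the Anti-XSS library's own code, and the safe character set, function names and contrasting block-list encoder are this example's choices. Everything outside the safe set is encoded, so characters the developer never thought about are handled by default, and the same rule is applied to a second output context (a JavaScript string literal) by changing only the escape form.<br />

```python
import html

# Allow list: everything NOT in this set gets encoded. The exact set is our
# choice for the example; the library's own tables are larger and per-language.
SAFE = set("abcdefghijklmnopqrstuvwxyz"
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789 ,.-_")


def html_encode_allowlist(text):
    """Numeric-character-reference-encode every code point outside SAFE.
    Works on code points, not bytes, so multi-byte encodings such as Shift_JIS
    cannot smuggle a partial byte sequence past the check."""
    return "".join(ch if ch in SAFE else "&#%d;" % ord(ch) for ch in text)


def html_encode_blocklist(text):
    """Contrast: a typical block-list encoder that only knows five characters.
    Anything not on its list (backtick, '=', newline, U+2028, ...) passes through."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in text)


def _js_unicode_escape(ch):
    cp = ord(ch)
    if cp < 0x10000:
        return "\\u%04x" % cp
    cp -= 0x10000                      # astral plane: emit a UTF-16 surrogate pair
    return "\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))


def js_string_encode_allowlist(text):
    """Same allow-list rule for a JavaScript string-literal context: only the
    escape syntax changes, the decision of what to encode does not."""
    return "".join(ch if ch in SAFE else _js_unicode_escape(ch) for ch in text)


def round_trips(text):
    """Allow-list encoding loses nothing: the browser decodes it back to the input."""
    return html.unescape(html_encode_allowlist(text)) == text


if __name__ == "__main__":
    sample = "<script>alert(`x`)</script> 日本"   # constructed input
    print(html_encode_allowlist(sample))
    print(html_encode_blocklist(sample))
    print(js_string_encode_allowlist(sample))
```

The cost of the allow-list approach is output size and, for non-Latin text, readability of the encoded form, which is why the v3.0 feature list above is dominated by expanding the white list per language and by performance work.<br />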
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft, and has developed tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad and has shown expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard, which defines<br />
four levels of web application security verification, lays down a<br />
framework for security architecture review. While the ASVS includes<br />
many requirements for controls, it does not suggest which tools,<br />
techniques, timeline or methodologies to utilize. The OWASP Code<br />
Review and Testing Guides provide the technical practices and suggest<br />
or hint at tools, but also lack the timeline and methodology necessary<br />
to complete an application penetration-test or SDLC integration<br />
project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000 foot view all the way down to<br />
the nitty gritty details of how to perform ASVS activities using OWASP<br />
resources, as well as some OWASP and non-OWASP tools (freeware or<br />
demoware). Example timelines for typical ASVS activities, including<br />
reports, will be discussed so that any sort of application security<br />
project can be scoped properly, delivered on-time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global<br />
security consulting firm providing IT security services to the Fortune<br />
500 and financial institutions as well as U.S. and foreign<br />
governments. Prior to his current employment, Andre held a number of<br />
payment application security positions in addition to working for the<br />
largest online auction website. He is currently a leader for the Open<br />
Web Application Security Project (OWASP), where he co-produces the<br />
global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit , Real time Bank Transfers , Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into the SDL, when to fuzz, and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security, with expertise in application and<br />
network security, through threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or takeover the machine.<br />
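As an added example (written for this page, not taken from the talk) of two of the issue classes catalogued in UTR #36 and UTS #39: validating input before normalizing it, which lets fullwidth characters turn into ASCII syntax after the check has passed, and a rough mixed-script check against confusable spoofing. The test strings are constructed, and the script detection from character names is an approximation of the real Unicode Script property, not a replacement for it.<br />

```python
import unicodedata

FORBIDDEN = set("<>\"'&")


def validate_then_normalize(s):
    """Wrong order (UTR #36 'normalize after validation'): the filter sees the raw
    input, then NFKC folds fullwidth and other compatibility characters into
    exactly the ASCII the filter was meant to reject."""
    if any(ch in FORBIDDEN for ch in s):
        raise ValueError("rejected")
    return unicodedata.normalize("NFKC", s)


def normalize_then_validate(s):
    """Right order: canonicalize first, then validate the form that will be used."""
    s = unicodedata.normalize("NFKC", s)
    if any(ch in FORBIDDEN for ch in s):
        raise ValueError("rejected")
    return s


def rejects(check, s):
    """True if the given validator throws for s; used so results are plain values."""
    try:
        check(s)
    except ValueError:
        return True
    return False


def scripts_in(s):
    """Rough script detection: first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). An approximation of the UTS #39 mixed-script
    test, which uses the Script property and confusable skeletons."""
    found = set()
    for ch in s:
        if ch.isalpha():
            try:
                found.add(unicodedata.name(ch).split()[0])
            except ValueError:          # unnamed code point
                found.add("UNKNOWN")
    return found


def is_mixed_script(s):
    return len(scripts_in(s)) > 1


# Constructed test inputs.
FULLWIDTH_TAG = "\uff1cscript\uff1e"   # ＜script＞ with fullwidth angle brackets
SPOOFED_BRAND = "p\u0430ypal"          # 'paypal' with a Cyrillic а (U+0430)


if __name__ == "__main__":
    print(repr(validate_then_normalize(FULLWIDTH_TAG)))   # the filter was bypassed
    print(rejects(normalize_then_validate, FULLWIDTH_TAG))
    print(scripts_in(SPOOFED_BRAND), is_mixed_script(SPOOFED_BRAND))
```

The same ordering bug appears with best-fit and lossy charset conversions (also covered in UTR #36): any transformation that happens between the security check and the consumer of the data has to be applied before the check, or the check re-run afterwards.<br />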
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
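An added example (written for this page; not Fortify's engine or any product code) of what dynamic taint propagation does at the language level: a str subclass marks request data as tainted, the mark survives string operations, and a sink refuses tainted input unless a sanitizer has produced a fresh, untainted value. The request, query builder and sanitizer names are constructed for the demonstration; a real engine instruments the runtime's string type and library calls rather than subclassing, which is what lets it retrofit an existing executable.<br />

```python
class TaintError(Exception):
    """Raised when tainted data reaches a sink without passing through a sanitizer."""


class Tainted(str):
    """A str that remembers it came from an untrusted source (constructed for this
    example). Each overridden operation re-marks its result, which is the
    'propagation' part of dynamic taint propagation."""

    @staticmethod
    def _keep(value):
        return Tainted(value) if isinstance(value, str) else value

    def __add__(self, other):     return self._keep(str.__add__(self, other))
    def __radd__(self, other):    return self._keep(str.__add__(other, self))
    def __mod__(self, args):      return self._keep(str.__mod__(self, args))
    def __rmod__(self, template): return self._keep(str.__mod__(template, self))
    def __getitem__(self, key):   return self._keep(str.__getitem__(self, key))
    def upper(self):              return self._keep(str.upper(self))
    def lower(self):              return self._keep(str.lower(self))
    def strip(self, chars=None):  return self._keep(str.strip(self, chars))
    def replace(self, old, new, count=-1):
        return self._keep(str.replace(self, old, new, count))
    # Not covered here: str.format / f-strings build a new plain str, so this toy
    # loses the mark there. That gap is exactly why real engines hook the runtime.


def get_param(request, name):
    """Source: anything that arrives in the request is untrusted."""
    return Tainted(request[name])


def quote_literal(value):
    """Sanitizer for a SQL string literal; returns a plain str, clearing the taint.
    (Parameterized queries are the better fix; the point here is the tracking.)"""
    return "'" + str(value).replace("'", "''") + "'"


def run_query(sql):
    """Sink: refuse to execute a query that still carries taint."""
    if isinstance(sql, Tainted):
        raise TaintError("tainted data reached SQL sink: " + str(sql))
    return "executed: " + sql


def build_query_for(request, safe):
    """The application code under test. Only the 'safe' branch sanitizes."""
    user = get_param(request, "user").strip()
    user = quote_literal(user) if safe else "'" + user + "'"
    return "SELECT * FROM accounts WHERE owner = " + user


# A constructed request from an ordinary functional test: no attack payload needed,
# but a value with a quote in it makes the finding self-explanatory.
SAMPLE_REQUEST = {"user": " bob' OR '1'='1 "}


def functional_test(safe):
    """Run the normal functional test; the taint check turns it into a security test."""
    try:
        return run_query(build_query_for(SAMPLE_REQUEST, safe))
    except TaintError as e:
        return "FINDING: " + str(e)


if __name__ == "__main__":
    print(functional_test(safe=False))
    print(functional_test(safe=True))
```

This is the property the abstract is selling: the tester's input was not malicious, yet the vulnerable branch is reported the moment its query reaches the sink, and the fixed branch is not, because the sanitizer returned a new, unmarked value.<br />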
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
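An added example (not from the presentation) of both the flaw class and the targeted test for it: a single-use coupon redeemed from N concurrent requests. A barrier stands in for the timing a tester obtains by firing identical requests at the same instant; the coupon store and its method names are constructed for this page.<br />

```python
import threading


class CouponStore:
    """A single-use coupon plus the ledger it credits (constructed example).
    Each redeem call stands in for one HTTP request handled on its own thread."""

    def __init__(self):
        self.redeemed = set()
        self.ledger = []             # list.append is atomic under the GIL, so the
        self.lock = threading.Lock() # credited total is reliable even when racing
        self.barrier = None          # test hook: forces N requests to interleave

    def _rendezvous(self):
        if self.barrier is not None:
            self.barrier.wait(timeout=5)

    def redeem_unsafe(self, code):
        """Check-then-act with no synchronization: the classic time-of-check /
        time-of-use window between the membership test and the update."""
        if code in self.redeemed:            # check
            return False
        self._rendezvous()                   # every request has passed the check
        self.redeemed.add(code)              # act
        self.ledger.append(10)
        return True

    def redeem_safe(self, code):
        """Check and act inside one critical section."""
        self._rendezvous()                   # requests arrive together...
        with self.lock:                      # ...but are serialized here
            if code in self.redeemed:
                return False
            self.redeemed.add(code)
            self.ledger.append(10)
            return True


def fire_concurrently(store, handler, code, n=2):
    """The testing technique: send N identical requests at once, then count
    the side effects instead of trusting the N responses individually."""
    store.barrier = threading.Barrier(n)
    results, results_lock = [], threading.Lock()

    def worker():
        r = handler(store, code)
        with results_lock:
            results.append(r)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def outcome(handler, n=2):
    """(number of successful redemptions, total credited) for n racing requests."""
    store = CouponStore()
    results = fire_concurrently(store, handler, "SAVE10", n)
    return results.count(True), sum(store.ledger)


if __name__ == "__main__":
    print("unsafe:", outcome(CouponStore.redeem_unsafe, 5))   # coupon used 5 times
    print("safe:  ", outcome(CouponStore.redeem_safe, 5))     # coupon used once
```

In a real deployment the shared resource is usually a database row rather than an in-process set, and the lock becomes a transaction with the right isolation level, a unique constraint, or a conditional update such as marking the coupon used only where it is still unused. The test stays the same: replay the request concurrently and compare the observed side effects with the number the business rule allows.<br />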
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually setup their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be setup to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition of how several common web application frameworks implement session management, and finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=77894Seattle2010-02-04T15:09:51Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mikede@mde-dev.com Mike de Libero] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
'''Presentations:'''<br />
<br />
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck<br />
<br />
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call to action to involve the community in documenting the policies more comprehensively.<br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
'''Presentation:''' <br />
<br />
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.<br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft, and developed tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''' will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=File:Rendezvous.ppt&diff=77893File:Rendezvous.ppt2010-02-04T15:07:25Z<p>Medelibero: Presentation on the Rendezvous toolset that was presented at the OWASP Seattle chapter meeting on February 3rd 2010 by Hidetake Jo.</p>
<hr />
<div>Presentation on the Rendezvous toolset that was presented at the OWASP Seattle chapter meeting on February 3rd 2010 by Hidetake Jo.</div>Medeliberohttps://wiki.owasp.org/index.php?title=File:SameOriginPolicy.ppt&diff=77892File:SameOriginPolicy.ppt2010-02-04T15:03:32Z<p>Medelibero: Powerpoint deck from Same Origin Policy presentation given at the Seattle Chapter meeting on February 3rd 2010 by Hidetake Jo.</p>
<hr />
<div>Powerpoint deck from Same Origin Policy presentation given at the Seattle Chapter meeting on February 3rd 2010 by Hidetake Jo.</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=76068Seattle2010-01-12T05:28:18Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 3 February (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 2/3/2010 @ 6:30ish<br />
<br />
'''Speakers:''' <br />
<br />
'''Speaker: Hidetake Jo'''<br />
<br />
'''Same Origin Policy'''<br />
<br />
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified, and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn't be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. It is also a call to action to involve the community in documenting the policies more comprehensively. <br />
<br />
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Pravir Chandra'''<br />
<br />
'''Open Software Assurance Maturity Model (OpenSAMM)'''<br />
<br />
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.<br />
<br />
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. <br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some of the new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
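The principle-of-inclusions encoding described above, as an added Python illustration (not the Microsoft library's own code): every character outside an allowed set is encoded, so a deny-list encoder's gaps show up as characters the whitelist encoder would have caught. The allowed set, the decimal-entity form and the extra_safe locale hook are assumptions modelled on the abstract.

```python
"""Whitelist ("principle of inclusions") output encoding, added as an
illustration of the approach the Anti-XSS abstract describes. This is not the
Microsoft library's code; the allowed character set and the use of decimal
entities are assumptions modelled on the description."""

# Characters always emitted unchanged inside an HTML text node. Everything else
# is encoded, so a metacharacter nobody thought of is covered by default.
SAFE_HTML_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)

# A deny-list encoder for comparison: it escapes only what its author listed.
BLACKLIST_ESCAPES = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def blacklist_encode(text: str) -> str:
    """Escape the characters on the deny list; pass everything else through."""
    return "".join(BLACKLIST_ESCAPES.get(ch, ch) for ch in text)


def whitelist_html_encode(text: str, extra_safe: str = "") -> str:
    """Encode every character outside the allowed set as a decimal entity.

    extra_safe widens the allowed set for a given locale, a simple model of
    the "expanded white list that supports more languages" feature (assumed
    shape, not the library's API).
    """
    allowed = SAFE_HTML_CHARS | frozenset(extra_safe)
    return "".join(ch if ch in allowed else f"&#{ord(ch)};" for ch in text)


def leaked_by_blacklist(text: str) -> set:
    """Characters the deny-list encoder leaves untouched that the whitelist
    encoder would have encoded. A non-empty result means the deny list has a
    gap for this input."""
    return {
        ch
        for ch in text
        if ch not in BLACKLIST_ESCAPES and ch not in SAFE_HTML_CHARS
    }


if __name__ == "__main__":
    # Constructed sample: untrusted data about to be written into an HTML page.
    sample = 'Tom & "Jerry" <b>'
    print(blacklist_encode(sample))
    print(whitelist_html_encode(sample))
    print(sorted(leaked_by_blacklist(sample)))
```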
<br />
'''Anil Kumar Revuru''' currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil has displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years of experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
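As an added illustration of the approach the abstract describes (not Fortify's product code; every function and class name here is hypothetical), this Python sketch retrofits taint tracking by marking request data at the source, propagating the mark through string operations, and checking it at the SQL sink, so an ordinary functional test with the benign input "alice" exposes the injection flaw without any attack payload:

```python
"""Minimal dynamic taint propagation, added as an illustration of the technique
in the abstract. Not a vendor's implementation; all names are hypothetical."""


class Tainted(str):
    """A str that remembers it came from an untrusted source. The overridden
    operations return Tainted again, so strings built from untrusted data
    stay marked. (f-strings and str.format on a plain template drop the mark;
    a real retrofit has to cover every propagation path the program uses.)"""
    __slots__ = ()

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))

    def __rmod__(self, template):        # "... %s" % tainted_value
        return Tainted(str.__mod__(template, self))

    def upper(self):
        return Tainted(str.upper(self))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))


class TaintViolation(Exception):
    """Raised by an instrumented sink when tainted data reaches it."""


def untrusted(value: str) -> Tainted:
    """Source hook: wrap data read from a request, file or socket."""
    return Tainted(value)


def sql_quote(value: str) -> str:
    """Sanitizer hook: escape a SQL string literal and clear the taint.
    str(value) yields a plain str, so the result is no longer Tainted."""
    return "'" + str(value).replace("'", "''") + "'"


def execute_sql(query: str, params=()):
    """Sink hook: refuse to run a query string that still carries taint.
    The constructed tuple stands in for a real database call."""
    if isinstance(query, Tainted):
        raise TaintViolation(f"untrusted data reached SQL sink: {query!r}")
    return ("executed", str(query), tuple(params))


# Three versions of the same application function under test.

def find_user_vulnerable(username: str):
    # String-built query: the taint flows straight into the sink.
    return execute_sql("SELECT * FROM users WHERE name = '" + username + "'")


def find_user_sanitized(username: str):
    # Passing through the sanitizer clears the taint before the sink.
    return execute_sql("SELECT * FROM users WHERE name = " + sql_quote(username))


def find_user_parameterized(username: str):
    # The query text is a constant; untrusted data travels only as a parameter.
    return execute_sql("SELECT * FROM users WHERE name = ?", (username,))


def run_functional_tests() -> dict:
    """Run the ordinary functional test (benign input) against each variant and
    report which ones let tainted data reach the sink (None means clean)."""
    findings = {}
    for fn in (find_user_vulnerable, find_user_sanitized, find_user_parameterized):
        try:
            fn(untrusted("alice"))         # constructed benign test input
            findings[fn.__name__] = None
        except TaintViolation as err:
            findings[fn.__name__] = str(err)
    return findings


if __name__ == "__main__":
    for name, finding in run_functional_tests().items():
        print(f"{name}: {finding or 'ok'}")
```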
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing, focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>
Medelibero
https://wiki.owasp.org/index.php?title=Seattle&diff=76067
Seattle
2010-01-12T05:23:35Z
<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Previous Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager, Payments & Security in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce at Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaw, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult, targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition of how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and event the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be giving the following presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you plan to attend so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=67611Seattle2009-08-15T23:37:51Z<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
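<br />
The following Python is an added example, not code from the Anti-XSS library or from this page. It puts a typical deny-list HTML encoder next to an allow-list encoder of the kind the paragraph above describes: every character outside a small known-safe set is numeric-entity-encoded, so characters the author never thought about (quotes, backticks, non-ASCII) can never reach the browser raw. The SAFE_CHARS set, the function names and the payload are assumptions constructed for illustration; the real library ships a much larger, language-aware allow-list.<br />

```python
# Added example: allow-list ("principle of inclusions") HTML encoding versus
# a deny-list encoder. Not code from the Microsoft Anti-XSS library.

# Characters allowed to pass through untouched in an HTML context.
# This set is an assumption for the example, not the library's real list.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)

# A deny-list encoder rewrites only the characters its author remembered;
# anything not listed here (e.g. a single quote) passes through unchanged.
DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def denylist_html_encode(text: str) -> str:
    """Encode a fixed set of 'dangerous' characters; let everything else through."""
    return "".join(DENY_LIST.get(ch, ch) for ch in text)


def allowlist_html_encode(text: str) -> str:
    """Keep only SAFE_CHARS; numeric-entity-encode every other code point."""
    out = []
    for ch in text:
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")  # e.g. '<' -> '&#60;', 'é' -> '&#233;'
    return "".join(out)


def attribute_is_breakable(encoded: str) -> bool:
    """True if the encoded value could still close a single-quoted attribute
    or open a new tag, i.e. the encoder left an injection primitive intact."""
    return "'" in encoded or "<" in encoded


if __name__ == "__main__":
    # Constructed payload aimed at a single-quoted attribute value.
    payload = "' onmouseover='alert(1)"
    print(denylist_html_encode(payload))   # the quote survives -> still exploitable
    print(allowlist_html_encode(payload))  # every non-safe character is encoded
```

The point the check makes: the deny-list output is only safe in the one context its author had in mind, while the allow-list output is inert in text, quoted and unquoted attribute contexts alike, at the cost of longer output for non-ASCII text.<br />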
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. Earlier at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools, including the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library, and has presented security courses internally at Microsoft. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad and has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott's work has appeared in publications such as IEEE Security & Privacy, and he has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports #36 and #39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
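<br />
As an added example (not code from the talk or from this page), the Python below reproduces two of the issue classes those technical reports describe: validating a string before it is normalized (UTR #36), so that fullwidth U+FF1C/U+FF1E angle brackets pass the filter and only then fold to ASCII '<' and '>', and mixed-script confusables in identifiers (UTR #39). The forbidden-character policy, the function names and the probe strings are constructed for illustration; the script check approximates a character's script from the first word of its Unicode name, which is an assumption good enough for letters of the major scripts but not a substitute for the UTR #39 data tables.<br />

```python
# Added example: "validate, then normalize" versus "normalize, then validate",
# plus a simple mixed-script detector. Not code from the original talk.
import unicodedata

# Characters the application refuses in a display name (constructed policy).
FORBIDDEN = frozenset('<>"\'&')


def has_forbidden(text: str) -> bool:
    return any(ch in FORBIDDEN for ch in text)


def validate_then_normalize(user_input: str) -> str:
    """Vulnerable ordering: the filter inspects the raw string, and only
    afterwards does some later layer (framework, collation, sanitizer) apply
    NFKC, which maps fullwidth U+FF1C/U+FF1E to ASCII '<' and '>'."""
    if has_forbidden(user_input):
        raise ValueError("rejected")
    return unicodedata.normalize("NFKC", user_input)


def normalize_then_validate(user_input: str) -> str:
    """Fixed ordering: canonicalize first, validate the canonical form, and
    use that same canonical form from then on."""
    canonical = unicodedata.normalize("NFKC", user_input)
    if has_forbidden(canonical):
        raise ValueError("rejected")
    return canonical


def rejected(check, text: str) -> bool:
    """True if `check` refuses `text` (helper so callers need no try/except)."""
    try:
        check(text)
    except ValueError:
        return True
    return False


def mixed_scripts(identifier: str) -> bool:
    """UTR #39-style check: flag identifiers whose letters come from more than
    one script, e.g. 'paypal' with a Cyrillic U+0430 in place of Latin 'a'.
    Script is approximated by the first word of the character name (assumption)."""
    scripts = set()
    for ch in identifier:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


if __name__ == "__main__":
    # Constructed probes: fullwidth angle brackets and a Cyrillic homoglyph.
    fullwidth = "\uff1cscript\uff1e"
    print(validate_then_normalize(fullwidth))       # '<script>' slips through
    print(rejected(normalize_then_validate, fullwidth))  # True
    print(mixed_scripts("p\u0430ypal"))              # True
```

The practical rule the first pair of functions illustrates: any canonicalization the data will undergo later (normalization, case folding, best-fit charset conversion) has to happen before the security check, and the checked form is the only form that may be used afterwards.<br />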
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
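<br />
To make the mechanism concrete, here is an added example in Python (not code from Fortify's product or from this page) of the core idea: request data is marked tainted at the source, the mark travels with the data through the operations the application performs on it, and an instrumented sink refuses (and reports) when tainted text arrives as SQL. An ordinary functional test with the benign input "alice" is then enough to expose the string-concatenated query, with no attack payload and no security expertise from the tester. The Tainted class, the two handlers, the in-memory SQLite table and the test harness are all assumptions constructed for illustration; a real tool instruments the runtime so the mark survives every string operation, whereas this class propagates it through concatenation only.<br />

```python
# Added example: minimal dynamic taint propagation with an instrumented SQL sink.
# Not code from the product the talk describes.
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted source. The mark is kept
    through '+' concatenation in either direction; other operations (f-strings,
    .format, slicing) would drop it, which a real tool handles by instrumenting
    the runtime rather than subclassing."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class TaintViolation(Exception):
    """Raised by an instrumented sink when untrusted data arrives as code."""


def run_query(conn, sql, params=()):
    """Instrumented sink: SQL text must not carry taint. Bound parameters are
    data, not code, so tainted values are fine there."""
    if isinstance(sql, Tainted):
        raise TaintViolation(f"tainted data reached SQL sink: {sql!r}")
    return conn.execute(sql, params).fetchall()


def find_user_vulnerable(conn, username):
    # String concatenation: the tainted username becomes part of the SQL text.
    return run_query(conn, "SELECT id FROM users WHERE name = '" + username + "'")


def find_user_fixed(conn, username):
    # Parameterized query: the SQL text is constant, the username is bound data.
    return run_query(conn, "SELECT id FROM users WHERE name = ?", (username,))


def make_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def functional_test(handler):
    """Run the handler with a benign input, as a QA functional test would, and
    report whether the taint instrumentation fired along the way."""
    conn = make_db()
    user_input = Tainted("alice")  # everything from the request is marked at the source
    try:
        rows = handler(conn, user_input)
        return {"rows": rows, "finding": None}
    except TaintViolation as exc:
        return {"rows": None, "finding": str(exc)}


if __name__ == "__main__":
    print(functional_test(find_user_vulnerable))  # finding reported, no payload needed
    print(functional_test(find_user_fixed))       # rows == [(1,)], no finding
```

Note what the test did not need: no quote characters, no UNION, no knowledge of the schema. The same functional suite that checks "lookup of alice returns id 1" now also checks "no request data ever becomes SQL text".<br />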
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
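<br />
An added example in Python (not code from the talk or from this page) of the flaw class and of the testing technique that finds it: a "redeem this coupon once" handler that checks shared state, waits on a back-end call, and then updates the state, beside the same handler with the check and the update in one critical section. The test harness releases several client threads at the same instant and counts how many were granted; correct behaviour is exactly one. The CouponStore, the handlers, the simulated back-end delay and the client count are assumptions constructed for illustration.<br />

```python
# Added example: a check-then-act race in a web handler, its fix, and the
# concurrent test that distinguishes them. Not code from the original talk.
import threading
import time

BACKEND_DELAY = 0.05  # simulated round-trip to a database or payment back end


class CouponStore:
    """Shared state behind the handler: coupon codes that have been used."""

    def __init__(self):
        self.redeemed = set()
        self.lock = threading.Lock()


def redeem_unsafe(store, code):
    """Vulnerable: the check and the update are separated by a window in
    which other requests see the same 'not yet redeemed' state."""
    if code in store.redeemed:        # check
        return False
    time.sleep(BACKEND_DELAY)         # e.g. waiting on the back end
    store.redeemed.add(code)          # act
    return True


def redeem_safe(store, code):
    """Fixed: check and act form one critical section on the shared resource.
    (In a real deployment the equivalent is a transaction or a conditional
    UPDATE on the row; a process-local lock does not span multiple servers.)"""
    with store.lock:
        if code in store.redeemed:
            return False
        time.sleep(BACKEND_DELAY)
        store.redeemed.add(code)
        return True


def hammer(handler, code="SAVE50", clients=8):
    """Testing technique: fire the same request from `clients` threads released
    together by a barrier, and return how many were granted."""
    store = CouponStore()
    barrier = threading.Barrier(clients)
    granted = []
    granted_lock = threading.Lock()

    def client():
        barrier.wait()                 # all clients issue the request at once
        ok = handler(store, code)
        with granted_lock:
            granted.append(ok)

    threads = [threading.Thread(target=client) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(granted)


if __name__ == "__main__":
    print("unsafe handler granted:", hammer(redeem_unsafe))  # more than one
    print("safe handler granted:  ", hammer(redeem_safe))    # exactly one
```

The same harness applies to any "consume once" operation (password-reset tokens, one-time codes, account balances, vote or like counters): issue the request concurrently from a handful of sessions and compare the number of successes against the number the business rule allows.<br />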
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about software security best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and event the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will included manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=67610Seattle2009-08-15T23:37:28Z<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx|Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft, and has developed security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. He has shown expert proficiency in the technical areas of design and development, and has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines<br />
four levels of web application security verification, lays down a<br />
framework for security architecture review. While the ASVS includes<br />
many requirements for controls, it does not suggest which tools,<br />
techniques, timelines or methodologies to use. The OWASP Code<br />
Review and Testing Guides provide the technical practices and suggest<br />
or hint at tools, but also lack the timeline and methodology necessary<br />
to complete an application penetration test or SDLC integration<br />
project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to<br />
the nitty-gritty details of how to perform ASVS activities using OWASP<br />
resources, as well as some OWASP and non-OWASP tools (freeware or<br />
demoware). Example timelines for typical ASVS activities, including<br />
reports, will be discussed so that any sort of application security<br />
project can be scoped properly and delivered on time and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global<br />
security consulting firm providing IT security services to the Fortune<br />
500 and financial institutions as well as U.S. and foreign<br />
governments. Prior to his current employment, Andre held a number of<br />
payment application security positions in addition to working for the<br />
largest online auction website. He is currently a leader for the Open<br />
Web Application Security Project (OWASP), where he co-produces the<br />
global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for e-commerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs (primary account numbers).<br />
<br />
Ashok Misra is an e-commerce professional with more than 10 years' experience delivering results for leading e-commerce merchants.<br />
<br />
He is currently Sr. Manager, Payments & Security in the Media Applications Platform Development Division for e-commerce products at RealNetworks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for billing for Real’s consumer divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with RealNetworks he built back-end e-commerce components for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet, covering credit cards, EU direct debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into the SDL, when to fuzz, and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security, with expertise in application and<br />
network security and threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports #36 and #39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
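The check-then-act race on a shared resource that the abstract refers to, as an added example that is not part of the original talk or of this page: a constructed single-use coupon handler with and without serialised access to the shared record, and a small concurrent probe of the kind used to test whether such a flaw is present. CouponStore, race() and the coupon code are constructed names for this illustration.

```python
"""Concurrency-flaw probe for a check-then-act web handler.

Constructed example: an in-memory stand-in for a shared back-end record
(a DB row, a session variable) and N concurrent "requests" released at the
same instant. A single-use coupon must be accepted exactly once.
"""
import threading
import time


class CouponStore:
    """Shared resource: which single-use coupon codes have been redeemed."""

    def __init__(self):
        self.used = {"SAVE10": False}      # constructed sample record
        self.lock = threading.Lock()

    def redeem_vulnerable(self, code: str) -> bool:
        """Check, then act, with nothing holding the two steps together."""
        if not self.used.get(code, True):   # (1) check: still unused?
            time.sleep(0.02)                # stand-in for back-end latency
            self.used[code] = True          # (2) act: others may have passed (1)
            return True
        return False

    def redeem_fixed(self, code: str) -> bool:
        """Check and act as one unit under the lock (a DB transaction with a
        conditional UPDATE would play the same role in a real application)."""
        with self.lock:
            if not self.used.get(code, True):
                time.sleep(0.02)
                self.used[code] = True
                return True
            return False


def race(handler, code: str, n: int = 20) -> int:
    """Fire n concurrent requests at `handler`, released together by a
    barrier, and return how many were accepted. Anything above 1 for a
    single-use coupon is a concurrency flaw."""
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()                      # all requests start at once
        accepted = handler(code)
        with results_lock:
            results.append(accepted)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable:", race(CouponStore().redeem_vulnerable, "SAVE10"))
    print("fixed:     ", race(CouponStore().redeem_fixed, "SAVE10"))
```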
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft, where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, and policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerability in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third-party RSS feeds, hosting third-party web pages, translation services, and cross-domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large-scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=67609Seattle2009-08-15T23:37:11Z<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx|Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil has displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager, Payments & Security in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for Billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce at Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>
Medelibero
https://wiki.owasp.org/index.php?title=Seattle&diff=67608 Seattle 2009-08-15T23:36:25Z
<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
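The white-listing ("principle of inclusions") encoding described in this abstract and in the earlier copy of it above, as an added Python model that is not the Anti-XSS library's code and not part of the original page: a small allow-list encoder next to a typical block-list encoder, both applied to a constructed value placed in a single-quoted HTML attribute. The SAFE set, the function names and the sample input are assumptions for illustration.<br />
<br />
```python
import html
import re

# Allow-list ("principle of inclusions"): only these characters pass through
# untouched. The set is an assumption for illustration, not Anti-XSS's real list.
SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,-_"
)

# Block-list for contrast: a typical hand-written encoder that escapes only the
# characters its author thought of. Note that the single quote is missing.
BLOCKLIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}

_NUMERIC_REF = re.compile(r"&#\d+;")


def allowlist_html_encode(text: str) -> str:
    """Encode every character outside SAFE as a numeric character reference.

    Anything the encoder did not explicitly approve (quotes, '=', backticks,
    control characters, non-ASCII) is encoded, so it cannot change the HTML
    context it is inserted into.
    """
    return "".join(ch if ch in SAFE else f"&#{ord(ch)};" for ch in text)


def blocklist_html_encode(text: str) -> str:
    """Escape only the characters listed in BLOCKLIST; pass everything else."""
    return "".join(BLOCKLIST.get(ch, ch) for ch in text)


def render_single_quoted_attr(value: str, encoder) -> str:
    """Constructed template: the developer wrapped the attribute in single quotes."""
    return f"<input value='{encoder(value)}'>"


def only_safe_chars_remain(encoded: str) -> bool:
    """True if the output is made only of SAFE characters and numeric references."""
    return all(ch in SAFE for ch in _NUMERIC_REF.sub("", encoded))


def roundtrips(text: str) -> bool:
    """Allow-list encoding is lossless: a browser decodes the references back."""
    return html.unescape(allowlist_html_encode(text)) == text


if __name__ == "__main__":
    # Constructed untrusted value that closes a single-quoted attribute.
    untrusted = "' title='injected"
    print(render_single_quoted_attr(untrusted, blocklist_html_encode))
    print(render_single_quoted_attr(untrusted, allowlist_html_encode))
```

The block-list version lets the quote through and the value escapes its attribute; the allow-list version needs no knowledge of the attribute's quoting style because every character it did not approve is encoded.<br />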
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil has displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy; acting on it is only slightly harder; succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into the SDL and when to fuzz, and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security, with expertise in application and<br />
network security and in threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports #36 and #39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
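As an added illustration of the technique the abstract describes (this is constructed example code, not Fortify's implementation or anything from the talk): request parameters are wrapped in a "tainted" string type, ordinary string operations carry the mark along, and a SQL sink refuses tainted query text. A functional test with a perfectly benign value such as <code>name=alice</code> is then enough to expose the injection, which is the point made above about not needing malicious input. The handler and parameter names are hypothetical.<br />

```python
"""Minimal dynamic taint propagation (constructed example, not Fortify's code).

Source: request parameters are returned as Tainted.
Propagation: concatenation, %-formatting, slicing and common str methods
           return Tainted, so the mark follows the data.
Sink: execute() refuses SQL text that is still tainted.
"""


class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):          # "literal" + tainted
        return Tainted(str.__add__(other, self))

    def __rmod__(self, fmt):            # "... %s ..." % tainted
        return Tainted(str.__mod__(fmt, str(self)))

    def __getitem__(self, key):         # slicing keeps the mark
        return Tainted(str.__getitem__(self, key))

    def strip(self, *args):
        return Tainted(str.strip(self, *args))

    def upper(self):
        return Tainted(str.upper(self))

    def lower(self):
        return Tainted(str.lower(self))


class TaintViolation(Exception):
    """Raised when tainted data reaches a sensitive sink."""


def sanitize_identifier(value):
    """The only way to clear the mark: validate against a strict allow-list.
    str(value) on a str subclass yields a plain str, i.e. taint removed."""
    if not value.isalnum():
        raise ValueError("identifier must be alphanumeric")
    return str(value)


def request_param(name, raw_query):
    """Source: anything taken from the request is tainted (hypothetical helper)."""
    params = dict(kv.split("=", 1) for kv in raw_query.split("&"))
    return Tainted(params[name])


def execute(sql):
    """Sink: tainted SQL text means untrusted data shaped the query."""
    if isinstance(sql, Tainted):
        raise TaintViolation("tainted data reached SQL sink: %r" % str(sql))
    return "ok"


def execute_parameterized(sql, params):
    """Parameterized sink: the SQL text must be clean; bound values may be tainted."""
    if isinstance(sql, Tainted):
        raise TaintViolation("tainted SQL text: %r" % str(sql))
    return "ok"


def find_user_vuln(query):
    """Hypothetical vulnerable handler: string-builds the query."""
    name = request_param("name", query).strip()
    return execute("SELECT * FROM users WHERE name = '" + name + "'")


def find_user_fixed(query):
    """Hypothetical fixed handler: the same data flows only into a bind parameter."""
    name = request_param("name", query).strip()
    return execute_parameterized("SELECT * FROM users WHERE name = ?", (name,))


def taint_check(handler, benign_inputs):
    """Run a handler over ordinary functional-test inputs; report taint violations."""
    findings = []
    for q in benign_inputs:
        try:
            handler(q)
        except TaintViolation as e:
            findings.append("%s(%r): %s" % (handler.__name__, q, e))
    return findings
```

Running <code>taint_check(find_user_vuln, ["name=alice"])</code> reports the flaw while <code>find_user_fixed</code> comes back clean, and the test input never contained a quote or a SQL keyword. The limitation a practitioner should know about is visible in the class: any string operation that is not overridden (for example f-strings, which go through <code>__format__</code>) silently drops the mark, which is why production taint engines instrument the runtime rather than the string type.<br />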
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
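An added example of the flaw class, not code from the talk: a single-use voucher that two concurrent requests try to redeem. The vulnerable handler checks "not yet redeemed" and then, in a separate step, marks it redeemed and credits the user; anything that runs between those two steps sees stale state. The interleaving is driven step by step by the harness so the outcome is deterministic rather than dependent on thread scheduling, which is also how targeted testing for these bugs is usually done. The store, voucher and handler names are hypothetical.<br />

```python
"""Check-then-act race in a web request handler, and the atomic fix.
Constructed example; Store stands in for the database."""
import threading
from dataclasses import dataclass, field


@dataclass
class Voucher:
    code: str
    value: int
    redeemed: bool = False


@dataclass
class Store:
    vouchers: dict
    balances: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def claim(self, code):
        """Atomic test-and-set. In a real app this is the database doing
        UPDATE vouchers SET redeemed=1 WHERE code=? AND redeemed=0
        and the handler checking that exactly one row was updated."""
        with self.lock:
            v = self.vouchers.get(code)
            if v is None or v.redeemed:
                return False
            v.redeemed = True
            return True


def redeem_racy(store, user, code):
    """Vulnerable handler, written as a generator: 'yield' marks the point
    where this request is preempted between the check and the update."""
    v = store.vouchers.get(code)
    if v is None or v.redeemed:          # check
        return False
    yield                                 # another request can run here
    v.redeemed = True                     # act, on a check that may be stale
    store.balances[user] = store.balances.get(user, 0) + v.value
    return True


def redeem_atomic(store, user, code):
    """Fixed handler: check and state change are one atomic step, so no other
    request can observe the voucher as unredeemed in between."""
    if not store.claim(code):
        return False
    yield                                 # preemption here is now harmless
    store.balances[user] = store.balances.get(user, 0) + store.vouchers[code].value
    return True


def run_interleaved(handlers):
    """Drive the generators round-robin one step at a time; collect each
    handler's return value."""
    gens = list(handlers)
    results = [None] * len(gens)
    while any(g is not None for g in gens):
        for i, g in enumerate(gens):
            if g is None:
                continue
            try:
                next(g)
            except StopIteration as done:
                results[i] = bool(done.value)
                gens[i] = None
    return results


def simulate(handler, attackers=2):
    """Race N concurrent redemptions of one 20-unit voucher.
    Returns (per-request outcome, total credited)."""
    store = Store({"SAVE20": Voucher("SAVE20", 20)})
    results = run_interleaved(
        [handler(store, "user%d" % i, "SAVE20") for i in range(attackers)]
    )
    return results, sum(store.balances.values())
```

<code>simulate(redeem_racy)</code> credits every racing request, so a 20-unit voucher pays out 40 (or 20 times the number of concurrent requests); <code>simulate(redeem_atomic)</code> pays out 20 exactly once. The testing lesson is in the harness: a flaw like this is only reliably found by forcing the interleaving, not by firing requests and hoping the scheduler cooperates.<br />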
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct for pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=File:Anti-XSS_3.0_RV.pptx&diff=67607File:Anti-XSS 3.0 RV.pptx2009-08-15T23:35:06Z<p>Medelibero: Anil Revuru's talk on AntiXSS given at the Seattle OWASP Chapter August 2009 meeting.</p>
<hr />
<div>Anil Revuru's talk on AntiXSS given at the Seattle OWASP Chapter August 2009 meeting.</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=66795Seattle2009-07-29T02:06:56Z<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009 @ 6:30ish<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
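An added example of the white-listing (principle of inclusions) approach the abstract describes, written here for illustration rather than taken from the Anti-XSS library; it does not reproduce Anti-XSS's exact allow list or output. The encoder keeps a short list of known-safe characters and turns everything else into a numeric character reference, so it never needs to know which characters an attacker might use. A deny-list encoder is included for contrast, and a second encoder for the JavaScript-string context shows why the allow list has to be chosen per output context. The safe-character sets and the page template are assumptions.<br />

```python
"""Allow-list output encoding for two contexts (constructed example, not Anti-XSS code)."""
import string

# Characters that can never change meaning in HTML text or a quoted attribute.
# Assumption: a deliberately small set, as the principle of inclusions recommends.
_HTML_SAFE = frozenset(string.ascii_letters + string.digits + " ,.-_")

# Characters passed through unchanged inside a JavaScript string literal.
_JS_SAFE = frozenset(string.ascii_letters + string.digits + " ,._")


def html_encode(value):
    """Encode for an HTML text node or quoted attribute value.
    Every character outside the allow list becomes &#NNN; -- quotes, angle
    brackets, '=', and every non-ASCII character included."""
    return "".join(c if c in _HTML_SAFE else "&#%d;" % ord(c) for c in value)


def js_string_encode(value):
    """Encode for use inside a JavaScript string literal ('...' or "...").
    Characters outside the allow list become \\xHH or \\uHHHH escapes, which
    are only meaningful inside a string literal and so can neither close the
    literal nor the enclosing <script> element."""
    out = []
    for c in value:
        cp = ord(c)
        if c in _JS_SAFE:
            out.append(c)
        elif cp < 0x100:
            out.append("\\x%02x" % cp)
        elif cp < 0x10000:
            out.append("\\u%04x" % cp)
        else:  # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def deny_list_encode(value):
    """A typical deny-list encoder, for contrast: it only knows about five
    characters, so anything it was not told about passes through untouched."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
    return "".join(table.get(c, c) for c in value)


def render_greeting(name):
    """Emit one untrusted value into three places, each with the encoder for
    its context (hypothetical page template)."""
    return (
        '<p title="%s">Hello, %s</p>\n' % (html_encode(name), html_encode(name))
        + '<script>var user = "%s";</script>' % js_string_encode(name)
    )
```

The contrast worth noticing is the last two assertions below: the deny-list encoder passes U+2028 (LINE SEPARATOR) through untouched because nobody listed it, while the allow-list encoder encodes it without having heard of it. That is the whole argument for inclusion-based encoding, and it is also why the JavaScript encoder above is a separate function: a character that is harmless in HTML text is not necessarily harmless inside a script string.<br />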
<br />
'''Anil Kumar Revuru''' currently works for Information Security Tools team in Microsoft as Senior SDE where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool and Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. Has keen interest in photography, xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standards, which defines<br />
four levels of web application security verification, lays down a<br />
framework for security architecture review. While the ASVS includes<br />
many requirements for controls, it does not suggest which tools,<br />
techniques, timeline or methodologies to utilize. The OWASP Code<br />
Review and Testing Guides provide the technical practices and suggest<br />
or hint at tools, but also lack the timeline and methodology necessary<br />
to complete an application penetration-test or SDLC integration<br />
project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000 foot view all the way down to<br />
the nitty gritty details of how to perform ASVS activities using OWASP<br />
resources, as well as some OWASP and non-OWASP tools (freeware or<br />
demoware). Example timelines for typical ASVS activities, including<br />
reports, will be discussed so that any sort of application security<br />
project can be scoped properly, delivered on-time, and within budget.<br />
<br />
'''Andre Girond'''a is an application security specialist with a global<br />
security consulting firm providing IT security services to the Fortune<br />
500 and financial institutions as well as U.S. and foreign<br />
governments. Prior to his current employment, Andre held a number of<br />
payment application security positions in addition to working for the<br />
largest online auction website. He is currently a leader for the Open<br />
Web Application Security Project (OWASP), where he co-produces the<br />
global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months witnesses the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, It will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>
Medelibero
https://wiki.owasp.org/index.php?title=Seattle&diff=66794
Seattle 2009-07-29T02:04:35Z
<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0:<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
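The allow-list encoding described above, as an added illustration in Python (not the Microsoft Anti-XSS library's own code): the safe character sets, the Latin-1 range used to "expand the white list", and the sample inputs are assumptions constructed for this example, and a deny-list encoder is included only for contrast.<br />

```python
"""Allow-list ("principle of inclusions") output encoding.

Added illustration, not the Microsoft Anti-XSS library's own code. The safe
sets below are assumptions chosen for this example; the library's real tables
differ in detail but follow the same rule: pass only known-good characters
through, encode everything else.
"""
from typing import Callable, FrozenSet, Iterable, Tuple

_ALNUM = ("abcdefghijklmnopqrstuvwxyz"
          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
          "0123456789")

# Safe in an HTML text node: letters, digits and a little punctuation.
HTML_TEXT_SAFE: FrozenSet[str] = frozenset(_ALNUM + " ,.-_")

# Safe inside an attribute value: the same set WITHOUT the space, so that even
# an attribute a developer forgot to quote cannot be split into a second one.
HTML_ATTR_SAFE: FrozenSet[str] = frozenset(_ALNUM + ",.-_")


def expand_safe_set(base: FrozenSet[str],
                    ranges: Iterable[Tuple[int, int]]) -> FrozenSet[str]:
    """Return `base` plus every code point in the given inclusive ranges.

    This is the "expanded white list that supports more languages" idea:
    letters of another script are declared safe so ordinary text in that
    language is not turned into a wall of numeric references.
    """
    extra = {chr(cp) for lo, hi in ranges for cp in range(lo, hi + 1)}
    return base | frozenset(extra)


# Constructed example: Latin-1 letters (À-Ö, Ø-ö, ø-ÿ), excluding × and ÷.
LATIN1_LETTERS = [(0xC0, 0xD6), (0xD8, 0xF6), (0xF8, 0xFF)]


def html_encode(text: str, safe: FrozenSet[str] = HTML_TEXT_SAFE) -> str:
    """Encode `text` for an HTML text context with an allow list.

    Every character outside `safe` becomes a decimal numeric character
    reference (&#NNN;), which a browser renders as literal text and never
    interprets as markup. ord() yields the full code point, so characters
    beyond U+FFFF are encoded as one reference, not as two surrogates.
    """
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


def html_attribute_encode(value: str) -> str:
    """Encode an attribute value: identical rule, stricter safe set."""
    return html_encode(value, HTML_ATTR_SAFE)


def denylist_encode(text: str) -> str:
    """The contrasting deny-list approach: escape only the five characters
    HTML itself treats specially. Shown for comparison; it leaves '=' and
    whitespace untouched, which matters inside an unquoted attribute."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in text)


def render_unquoted_attr(value: str, encoder: Callable[[str], str]) -> str:
    """Render a value into an attribute the developer forgot to quote.

    Constructed to show the difference between the two encoders: an
    unquoted value ends at the first whitespace, so any space that survives
    encoding starts a new attribute, while &#32; stays inside the value.
    """
    return f"<input value={encoder(value)}>"


if __name__ == "__main__":
    sample = "x onmouseover=1"  # constructed test value, not a real payload
    print(render_unquoted_attr(sample, denylist_encode))
    # <input value=x onmouseover=1>           -> two attributes
    print(render_unquoted_attr(sample, html_attribute_encode))
    # <input value=x&#32;onmouseover&#61;1>   -> one attribute, plain text
    print(html_encode("café"))                                      # caf&#233;
    print(html_encode("café", expand_safe_set(HTML_TEXT_SAFE, LATIN1_LETTERS)))  # café
```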
<br />
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
'''Andre Gironda''' is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months witnesses the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, It will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit , Real time Bank Transfers , Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry and<br />
if your clients had not already ask for it they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into SDL, when to fuzz and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years<br />
experience in computer security, with expertise in application and<br />
network security, through threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or takeover the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-throughs of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=66793Seattle2009-07-29T02:03:53Z<p>Medelibero: /* Next Event 11 August (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
*An expanded white list that supports more languages<br />
*Performance improvements<br />
*Performance data sheets (in the online help)<br />
*Support for Shift_JIS encoding for mobile browsers<br />
*Security Runtime Engine (SRE) HTTP module<br />
*A sample application<br />
<br />
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.<br />
<br />
Anil Kumar Revuru currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard (ASVS), which defines<br />
four levels of web application security verification, lays down a<br />
framework for security architecture review. While the ASVS includes<br />
many requirements for controls, it does not suggest which tools,<br />
techniques, timeline or methodologies to utilize. The OWASP Code<br />
Review and Testing Guides provide the technical practices and suggest<br />
or hint at tools, but also lack the timeline and methodology necessary<br />
to complete an application penetration test or SDLC integration<br />
project for proper application security hygiene.<br />
<br />
This presentation will provide the 1,000-foot view all the way down to<br />
the nitty-gritty details of how to perform ASVS activities using OWASP<br />
resources, as well as some OWASP and non-OWASP tools (freeware or<br />
demoware). Example timelines for typical ASVS activities, including<br />
reports, will be discussed so that any sort of application security<br />
project can be scoped properly and delivered on time and within budget.<br />
<br />
Andre Gironda is an application security specialist with a global<br />
security consulting firm providing IT security services to the Fortune<br />
500 and financial institutions as well as U.S. and foreign<br />
governments. Prior to his current employment, Andre held a number of<br />
payment application security positions in addition to working for the<br />
largest online auction website. He is currently a leader for the Open<br />
Web Application Security Project (OWASP), where he co-produces the<br />
global OWASP News Podcast.<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott's work has appeared in publications such as IEEE Security & Privacy, and he has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager, Payments & Security in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into the SDL, when to fuzz, and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security, with expertise in application and<br />
network security and in threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=66792Seattle2009-07-29T02:03:29Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 11 August (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 8/11/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Anil Kumar Revuru'''<br />
<br />
'''The Microsoft Anti-Cross-Site Scripting Library'''<br />
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.<br />
* An expanded white list that supports more languages<br />
* Performance improvements<br />
* Performance data sheets (in the online help)<br />
* Support for Shift_JIS encoding for mobile browsers<br />
* Security Runtime Engine (SRE) HTTP module<br />
* A sample application<br />
<br />
In this session, we will look in depth at how Anti-XSS works and at its new features.<br />
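As an added illustration of the principle-of-inclusions approach described above (example code written here, not code from the Anti-XSS library or Microsoft), the following compares a whitelist encoder with a conventional deny-list encoder and checks which HTML delimiter characters survive each; the SAFE_CHARS set, the sample input and the helper names are assumptions of this example.

```python
"""Whitelist ("principle of inclusions") output encoding: define the allowed
character set and numerically encode everything else. Example code added
here; it is not the Anti-XSS library."""
import html
import string

# Constructed allow-list: ASCII letters, digits, and a few characters that have
# no syntactic meaning in HTML text or in quoted attribute values.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")

# Characters that delimit tags, attributes and entities in HTML.
HTML_DELIMITERS = frozenset("<>\"'&")


def whitelist_html_encode(value: str) -> str:
    """Encode every character outside SAFE_CHARS as a numeric character
    reference, so characters nobody anticipated (including non-ASCII and
    attribute delimiters) are never emitted raw."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in value)


def blacklist_html_encode(value: str) -> str:
    """The usual deny-list encoder: replaces only a fixed set of known-bad
    characters and passes everything else through unchanged."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def raw_delimiters(encoded: str) -> set:
    """Return the HTML delimiter characters that survive unencoded in the
    encoder output. An '&' that begins a well-formed entity is not counted."""
    leftovers = set()
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "&":
            end = encoded.find(";", i)
            body = encoded[i + 1:end] if end != -1 else ""
            if body and all(c.isalnum() or c == "#" for c in body):
                i = end + 1  # skip entity such as &amp; or &#39;
                continue
            leftovers.add(ch)
        elif ch in HTML_DELIMITERS:
            leftovers.add(ch)
        i += 1
    return leftovers


def roundtrips(value: str) -> bool:
    """Whitelist encoding is lossless for ordinary text: decoding the numeric
    references yields the original input (C0/C1 control characters excepted,
    since browsers remap those references)."""
    return html.unescape(whitelist_html_encode(value)) == value


if __name__ == "__main__":
    # Constructed sample: untrusted text that ends up inside a single-quoted
    # attribute, which the deny-list encoder above does not account for.
    untrusted = "x' onmouseover='alert(1)"
    for name, encoder in (("deny-list", blacklist_html_encode),
                          ("whitelist", whitelist_html_encode)):
        out = encoder(untrusted)
        print(f"{name:9}: {out!r}  raw delimiters left: {raw_delimiters(out)}")
    print("whitelist round-trips:", roundtrips("Ünïcödé & <tags> 'quoted'"))
```

The deny-list output leaves the single quote intact, which is exactly the kind of context mismatch a fixed replacement list cannot anticipate, while the whitelist output contains no raw delimiters at all.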
<br />
Anil Kumar Revuru currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft, and has developed security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad and has shown expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.<br />
<br />
-----------------------------------------------<br />
<br />
'''Speaker: Andre Gironda'''<br />
<br />
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''<br />
<br />
The OWASP Application Security Verification Standard, which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.<br />
<br />
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.<br />
<br />
Andre Gironda is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.<br />
<br />
<br />
== Previous Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about software security best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft, where he has delivered services in various areas of information security. These include code reviews, black box assessments, product reviews, custom tool development for complex security problems, and policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying vulnerable areas in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today, such as hosting third-party RSS feeds, hosting third-party web pages, translation services, and cross-domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often-covered Web 2.0 vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software, and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, in software engineering with Win32 and the .Net Framework, and in analyzing threats to large-scale distributed systems. At Microsoft, Chris was responsible for coordinating multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing, focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms, serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security, including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that developers can put into place to prevent these common hacking techniques.<br />
<br />
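The SQL Injection portion of the Web Hacking 101 abstract, as an added worked example (this is editor-supplied code, not material from Damon's talk or slides): an in-memory SQLite table with constructed sample users, a login check built by string concatenation in the style the talk describes, the two manual payloads that matter most (authentication bypass via a comment, data extraction via UNION), and the parameterised version of the same query that makes both payloads inert. The table layout, sample rows and attack strings are all assumptions of this example.<br />

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows.

    Passwords are stored in plaintext only so the extraction demo has
    something to pull out; never do this in a real application.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The classic ASP pattern: request parameters concatenated into the statement."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised statement: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attack strings (assumptions of this example).
# 1. Close the quoted literal and comment out the rest of the WHERE clause.
AUTH_BYPASS = "admin' --"
# 2. Close the literal, UNION in columns of the attacker's choosing, comment out the rest.
UNION_DUMP = "x' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("bypass  :", login_vulnerable(db, AUTH_BYPASS, "wrong"))  # admin row, no password needed
    print("extract :", login_vulnerable(db, UNION_DUMP, "wrong"))   # every username with its password
    print("fixed   :", login_fixed(db, AUTH_BYPASS, "wrong"))       # [] - payload is just a username
```

The fixed version is the mitigation the abstract points at: once the statement text is fixed and the values travel as bound parameters, neither the quote nor the `--` has any meaning to the SQL parser.<br />
<br />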
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>
Medelibero https://wiki.owasp.org/index.php?title=Seattle&diff=59346 Seattle 2009-04-23T00:33:29Z<p>Medelibero: /* Next Event 28 April (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers (PANs) for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used to protect PANs.<br />
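One concrete instance of the kind of issue the abstract refers to, as an added example (editor-supplied; it is not taken from Ashok's talk and does not claim to be what he covered): storing an unkeyed hash of the PAN as a "token" while also keeping the first six and last four digits, which PCI DSS permits to be shown, leaves only six unknown digits. Anyone holding both the hash and the masked PAN can recover the full number offline in seconds; the Luhn check digit removes 90% of the candidates before any hashing is done. A keyed construction (HMAC here) defeats that search because the attacker does not hold the key. The sample PAN is the well-known Luhn-valid Visa test number, not a real card; the key is a constructed placeholder that would live in an HSM or key service in practice.<br />

```python
import hashlib
import hmac

# Constructed sample PAN: the standard Luhn-valid Visa test number, not a real card.
TEST_PAN = "4111111111111111"

# Luhn: a doubled digit with its carry folded back in (e.g. 7 -> 14 -> 1 + 4 = 5).
_DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    digits = [int(c) for c in pan]
    undoubled = digits[-1::-2]      # check digit and every second digit to its left
    doubled = digits[-2::-2]        # the remaining digits are doubled
    return (sum(undoubled) + sum(_DOUBLED[d] for d in doubled)) % 10 == 0


def unkeyed_token(pan: str) -> str:
    """The weak scheme: a plain SHA-256 of the PAN kept as a lookup 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: an offline search is useless without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(token: str, first6: str, last4: str, token_fn=unkeyed_token):
    """Offline search for the six unknown middle digits of a 16-digit PAN.

    With first6 and last4 known there are 10**6 candidates, and the Luhn
    filter discards nine out of ten before hashing. Returns the recovered PAN,
    or None if no candidate reproduces the token.
    """
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    first6, last4 = TEST_PAN[:6], TEST_PAN[-4:]
    print("unkeyed hash, recovered:", recover_pan(unkeyed_token(TEST_PAN), first6, last4))
    key = b"constructed-example-key"   # placeholder; a real key never sits in source
    print("HMAC, attacker without key:", recover_pan(keyed_token(TEST_PAN, key), first6, last4))
```

The design point is that the PAN space is tiny once the visible digits are known, so any unkeyed, deterministic function of the PAN is a reversible encoding, not a one-way token; the secret has to come from somewhere other than the PAN itself.<br />
<br />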
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager, Payments & Security, in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
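The root cause behind a large share of the flaws UTR #36 catalogues is ordering: input is validated in one form and then transformed (normalised, case-folded) into another before use, so the filter never saw the bytes that mattered. As an added example (editor-supplied, not code or payloads from Chris's talk), the block below runs two constructed payloads through a validate-then-transform pipeline and through the hardened transform-then-validate ordering that UTR #36 recommends: fullwidth angle brackets that NFKC folds to ASCII `<` and `>`, and LATIN SMALL LETTER LONG S (U+017F), which survives `lower()` but case-folds to `s`.<br />

```python
import unicodedata


def tag_blocklist(s: str) -> bool:
    """Input filter written with ASCII in mind: True means 'looks safe'."""
    return "<" not in s and ">" not in s


def word_blocklist(s: str) -> bool:
    """Case-insensitive keyword filter implemented by lower-casing first."""
    return "script" not in s.lower()


def downstream_nfkc(s: str) -> str:
    """A later component that normalises to NFKC, as databases, search layers
    and some template engines do before comparison or display."""
    return unicodedata.normalize("NFKC", s)


def downstream_casefold(s: str) -> str:
    """A later component that applies full case folding, e.g. for a lookup key."""
    return s.casefold()


def vulnerable(user_input: str, check, transform) -> str:
    """Validate, then transform: the ordering UTR #36 warns against."""
    if not check(user_input):
        raise ValueError("rejected")
    return transform(user_input)


def hardened(user_input: str, check, transform) -> str:
    """Transform to the canonical form first, validate that, and use only that."""
    canonical = transform(user_input)
    if not check(canonical):
        raise ValueError("rejected")
    return canonical


def is_rejected(pipeline, payload: str, check, transform) -> bool:
    """True if the pipeline refuses the payload (used for the checks below)."""
    try:
        pipeline(payload, check, transform)
    except ValueError:
        return True
    return False


# Constructed payloads (assumptions of this example, not from the talk).
# U+FF1C / U+FF1E are FULLWIDTH LESS-THAN / GREATER-THAN SIGN; NFKC maps them to '<' and '>'.
FULLWIDTH_TAG = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"
# U+017F LATIN SMALL LETTER LONG S is already lowercase (lower() keeps it) but casefolds to 's'.
LONG_S_WORD = "\u017fcript"


if __name__ == "__main__":
    print(repr(vulnerable(FULLWIDTH_TAG, tag_blocklist, downstream_nfkc)))   # '<script>alert(1)</script>'
    print(repr(vulnerable(LONG_S_WORD, word_blocklist, downstream_casefold)))  # 'script'
    print(is_rejected(hardened, FULLWIDTH_TAG, tag_blocklist, downstream_nfkc))    # True
    print(is_rejected(hardened, LONG_S_WORD, word_blocklist, downstream_casefold)) # True
```

The fix is not a bigger blocklist: it is to pick one canonical form, convert to it once at the trust boundary, validate that form, and never let a later layer transform the string again.<br />
<br />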
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
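The central claim of the abstract is that a plain functional test, with no attack payload, can surface an injection flaw once the runtime tracks where data came from. As an added example (editor-supplied, not Fortify's product or code from Taylor's talk), the block below emulates the three pieces of dynamic taint propagation in about fifty lines of Python: a source that marks request data as tainted, propagation through the string operations the application uses, and a sink that refuses tainted input. A real retrofit instruments the runtime or bytecode so that every string operation propagates taint; this emulation only covers the methods it overrides (f-strings and `str.format` lose the taint), which is the kind of coverage gap a practitioner has to check when evaluating such a tool.<br />

```python
class Tainted(str):
    """A str that remembers it came from an untrusted source.

    Ordinary string operations return plain str, so each one the application
    uses to move data around is wrapped to re-apply the taint. Only the
    operations needed for this example are covered (an assumption, not a full
    instrumentation of the str type).
    """

    def _wrap(self, value):
        return Tainted(value) if isinstance(value, str) else value

    def __add__(self, other):          # tainted + anything
        return self._wrap(str.__add__(self, other))

    def __radd__(self, other):         # plain_str + tainted (Python prefers the subclass)
        return self._wrap(str.__add__(other, self))

    def __rmod__(self, fmt):           # "... %s ..." % tainted
        return self._wrap(str.__mod__(fmt, self))

    def upper(self):
        return self._wrap(str.upper(self))

    def strip(self, *args):
        return self._wrap(str.strip(self, *args))


def is_tainted(value) -> bool:
    return isinstance(value, Tainted)


def request_param(value: str) -> Tainted:
    """Source: everything read from the HTTP request enters the program tainted."""
    return Tainted(value)


def sql_quote(value: str) -> str:
    """Sanitiser: returns a plain str, which clears the taint. Escaping is shown
    only because it is the operation a taint tracker recognises; binding
    parameters is the better fix."""
    return str(value).replace("'", "''")


class TaintViolation(Exception):
    pass


def execute_sql(query: str) -> str:
    """Sink: the instrumented query API refuses tainted statements."""
    if is_tainted(query):
        raise TaintViolation(f"tainted data reached SQL sink: {query!r}")
    return "ok"   # a real sink would run the query


# Two versions of the same application code path.
def find_user_vulnerable(username: str) -> str:
    return execute_sql("SELECT * FROM users WHERE name = '" + username + "'")


def find_user_fixed(username: str) -> str:
    return execute_sql("SELECT * FROM users WHERE name = '" + sql_quote(username) + "'")


def run_functional_test(find_user) -> str:
    """A QA test with an ordinary value and no attack payload, as the abstract describes."""
    try:
        find_user(request_param("alice"))
        return "pass"
    except TaintViolation as exc:
        return f"vulnerability: {exc}"


if __name__ == "__main__":
    print(run_functional_test(find_user_vulnerable))   # vulnerability: tainted data reached SQL sink ...
    print(run_functional_test(find_user_fixed))        # pass
```

The input "alice" is the same in both runs; what differs is whether the taint ever reaches the sink, which is why the approach needs no security expertise from the tester writing the functional test.<br />
<br />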
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
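The shape behind most of these flaws is check-then-act on a shared resource, where the check and the update are each atomic but the pair is not. As an added example (editor-supplied, not from Scott's talk), the block below models a balance debit in both forms and includes the testing technique the abstract alludes to: drive many requests through the same window at once and assert the invariant afterwards. Because a real race only hits the bad schedule probabilistically, the racy path here takes a test hook that parks every worker at a barrier after it has passed the check, which makes the worst case reproducible; the account class, the hook and the amounts are assumptions of this example.<br />

```python
import threading


class Account:
    """Shared, security-sensitive state, e.g. a balance or a one-time coupon."""

    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, after_check=None) -> bool:
        """Check-then-act with the two halves unsynchronised.

        The debit itself is locked (like a single atomic DB UPDATE), which is
        exactly why this passes code review: each operation is atomic, the
        sequence is not. `after_check` is a test hook used by the harness below.
        """
        if self.balance >= amount:              # check (unprotected read)
            if after_check is not None:
                after_check()
            with self._lock:                    # act
                self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        """Check and act inside one critical section."""
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def hammer(account: Account, requests: int, amount: int, racy: bool) -> dict:
    """Fire `requests` concurrent withdrawals and report the outcome.

    For the racy path every worker waits at a barrier *after* passing the
    balance check, so all of them go on to debit. An attacker gets this
    schedule only by sending many near-simultaneous requests; the barrier
    makes the worst case deterministic for a test. Assumes
    `amount <= account.balance` so every worker reaches the barrier.
    """
    gate = threading.Barrier(requests)
    results = []

    def worker():
        if racy:
            ok = account.withdraw_racy(amount, after_check=lambda: gate.wait(timeout=5))
        else:
            ok = account.withdraw_safe(amount)
        results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"granted": sum(results), "balance": account.balance}


if __name__ == "__main__":
    print("racy:", hammer(Account(100), requests=5, amount=60, racy=True))   # 5 granted, balance -200
    print("safe:", hammer(Account(100), requests=5, amount=60, racy=False))  # 1 granted, balance 40
```

Outside a unit test the same idea is applied from the outside: replay one request N times in parallel against a staging instance and check the invariant (balance never negative, coupon redeemed at most once) in the database afterwards, since a single-request scanner will never see the flaw.<br />
<br />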
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, demonstrate how easy it is so follow a phsisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually setup their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be setup to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=59345Seattle2009-04-23T00:33:12Z<p>Medelibero: /* Next Event 28 April (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and in threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft, where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, and policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years' combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=59344Seattle2009-04-23T00:32:52Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 28 April (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
'''Date:''' 4/28/2009<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Securing our Legacy - Responding to the call to provide practical security assurance'''<br />
<br />
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.<br />
<br />
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.<br />
<br />
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. <br />
<br />
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott's work has appeared in publications such as IEEE Security & Privacy, and he has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.<br />
-----------------------------------------------<br />
<br />
'''Speaker: Ashok Misra'''<br />
<br />
'''Application Issues with encryption of PANs'''<br />
<br />
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.<br />
<br />
Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.<br />
<br />
He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.<br />
<br />
Ashok is responsible for billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.<br />
<br />
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.<br />
<br />
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.<br />
<br />
== Previous Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third-party RSS feeds, hosting third-party web pages, translation services, and cross-domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often-covered Web 2.0 vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project_-_Assessment_Frame&diff=56759OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Assessment Frame2009-03-16T04:24:23Z<p>Medelibero: </p>
<hr />
<div>[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|Click here to return to project's main page]].<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project''' <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS - OWASP Summer of Code 2008<br />
|-<br />
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer''' <br />
| style="width:22%; background:#b3b3b3" align="center"|'''Author's Self Evaluation'''<br>[[:User:Ddk|'''Dmitry Kozlov''']] <br />
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer'''<br>[[User:Mroxberr|'''Mark Roxberry''']]<br />
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer'''<br>[[User:Medelibero|'''Mike de Libero''']] <br />
| style="width:21%; background:#b3b3b3" align="center"|'''OWASP Board Member'''<br>(not applicable)<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review''' <br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - 50 Review - Self Evaluation - A|Self-Evaluation (A)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes'''<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - 50 Review - First Reviewer - C|First Reviewer (C)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes'''<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project 50 Review Second Review E|Second Reviewer (E)]]<br />
| style="width:22%; background:#C2C2C2" align="center"|X <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review''' <br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - Self Evaluation - B|Self-Evaluation (B)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - First Reviewer - D|First Reviewer (D)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - Second Reviewer - F|Second Reviewer (F)]]<br />
| style="width:22%; background:#C2C2C2" align="center"|X<br />
|-<br />
|}</div>Medeliberohttps://wiki.owasp.org/index.php?title=Project_Information:template_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project_50_Review_Second_Review_E&diff=56758Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project 50 Review Second Review E2009-03-16T04:22:19Z<p>Medelibero: </p>
<hr />
<div>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project|Click here to return to the previous page]].<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|<font color="white">'''50% REVIEW PROCESS''' <br />
|- <br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
Project Deliveries & Objectives <br />
| colspan="2" style="width:75%; background:#cccccc" align="left"|<br />
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh Project's Deliveries & Objectives]]<br />
|-<br />
| style="width:25%; background:#4058A0" align="center"|<font color="white">'''QUESTIONS''' <br />
| colspan="2" style="width:75%; background:#4058A0" align="left"|<font color="white">'''ANSWERS''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| The UI has been created and is usable minus a few bugs that were found and sent along to Dmitry. The UI is a lot easier to work with than the previous version and should work well once the back-end code is written. <br />
|- <br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
<br />
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|'''the assumed ones''']], please quantify in terms of percentage.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| I would say the project is about 50% of the way done. The UI is pretty much complete. <br />
|- <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|<br />
3. Please do use the right hand side column to provide advice and make work suggestions.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| Here are the suggestions I passed on to Dmitry:<br />
* During the install there is no option to add a shortcut to the desktop<br />
* From the install the name of the program is Sitegen yet when you run the program the title is SiteGenerator 2.0 we should keep these values similar <br />
* When you expand the window the inner frames do not expand with it (good job on handling the case of making the window smaller though, that can't be done leading to no mashed up UI).<br />
* You can add an invalid directory path and the program does not correct you, which leads to invalid directory paths when you hit generate<br />
* You can add in a blank role in the "Access Control" tab when you are creating a new site.<br />
* If a large number of directories and/or files are specified the application locks up (or at least appears to). I put 26000+ for each field and the application went bye-bye. We should set a maximum range (I noticed there was a minimum range which was good).<br />
* There is no clear way to modify the access control<br />
* As of 3/15/2009 these issues have all been fixed.<br />
|}</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project_-_Assessment_Frame&diff=55258OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Assessment Frame2009-02-23T00:34:47Z<p>Medelibero: </p>
<hr />
<div>[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|Click here to return to project's main page]].<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project''' <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS - OWASP Summer of Code 2008<br />
|-<br />
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer''' <br />
| style="width:22%; background:#b3b3b3" align="center"|'''Author's Self Evaluation'''<br>[[:User:Ddk|'''Dmitry Kozlov''']] <br />
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer'''<br>[[User:Mroxberr|'''Mark Roxberry''']]<br />
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer'''<br>[[User:Medelibero|'''Mike de Libero''']] <br />
| style="width:21%; background:#b3b3b3" align="center"|'''OWASP Board Member'''<br>(not applicable)<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review''' <br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - 50 Review - Self Evaluation - A|Self-Evaluation (A)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - 50 Review - First Reviewer - C|First Reviewer (C)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''No [but close]'''<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project 50 Review Second Review E|Second Reviewer (E)]]<br />
| style="width:22%; background:#C2C2C2" align="center"|X <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review''' <br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - Self Evaluation - B|Self-Evaluation (B)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - First Reviewer - D|First Reviewer (D)]]<br />
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Quality''' (To update)<br>---------<br>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project - Final Review - Second Reviewer - F|Second Reviewer (F)]]<br />
| style="width:22%; background:#C2C2C2" align="center"|X<br />
|-<br />
|}</div>Medeliberohttps://wiki.owasp.org/index.php?title=Project_Information:template_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project_50_Review_Second_Review_E&diff=55257Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project 50 Review Second Review E2009-02-23T00:33:59Z<p>Medelibero: </p>
<hr />
<div>[[Project Information:template Application Security Tool Benchmarking Environment and Site Generator Refresh Project|Click here to return to the previous page]].<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|<font color="white">'''50% REVIEW PROCESS''' <br />
|- <br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
Project Deliveries & Objectives <br />
| colspan="2" style="width:75%; background:#cccccc" align="left"|<br />
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh Project's Deliveries & Objectives]]<br />
|-<br />
| style="width:25%; background:#4058A0" align="center"|<font color="white">'''QUESTIONS''' <br />
| colspan="2" style="width:75%; background:#4058A0" align="left"|<font color="white">'''ANSWERS''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|'''the assumed ones''']], please exemplify by writing down those of them that haven't been realised.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| The UI has been created and is usable minus a few bugs that were found and sent along to Dmitry. The UI is a lot easier to work with than the previous version and should work well once the back-end code is written. <br />
|- <br />
| style="width:25%; background:#7B8ABD" align="center"| <br />
<br />
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P003/P013 - OWASP Application Security Tool Benchmarking Environment and Site Generator refresh.=|'''the assumed ones''']], please quantify in terms of percentage.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| I would say the project is about 35-40% of the way done. The UI isn't fully complete, and the UI should be the smaller part of the project, as the generation of the site and the server-side code should take a decent chunk of the project. <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|<br />
3. Please do use the right hand side column to provide advice and make work suggestions.<br />
| colspan="2" style="width:75%; background:#cccccc" align="left"| Here are the suggestions I passed on to Dmitry:<br />
* During the install there is no option to add a shortcut to the desktop<br />
* From the install the name of the program is Sitegen, yet when you run the program the title is SiteGenerator 2.0; we should keep these values similar <br />
* When you expand the window the inner frames do not expand with it (good job on handling the case of making the window smaller though; that can't be done, leading to no mashed-up UI).<br />
* You can add an invalid directory path and the program does not correct you, which leads to invalid directory paths when you hit generate<br />
* You can add in a blank role in the "Access Control" tab when you are creating a new site.<br />
* If a large number of directories and/or files are specified the application locks up (or at least appears to). I put 26000+ for each field and the application went bye-bye. We should set a maximum range (I noticed there was a minimum range, which was good).<br />
* There is no clear way to modify the access control<br />
|}</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=43030Seattle2008-10-12T21:10:40Z<p>Medelibero: /* Next Event 23 October (Thursday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.<br />
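An added example, not from Scott Stender's talk or the chapter page: a check-then-act race in a single-use voucher handler, the concurrent-request harness that exposes it, and the fix. The voucher store, account and handler signatures are constructed for illustration; the barrier stands in for the latency of a real database or gateway call, which is what gives concurrent requests room to interleave between the check and the act.

```python
"""Added example (constructed): a check-then-act race on a shared resource,
the concurrent-request test that exposes it, and the atomic fix."""
import threading
from typing import Callable, Dict, Tuple


class VoucherStore:
    """Simulated database table of single-use vouchers (constructed)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}
        self._db_lock = threading.Lock()  # models the DB's per-statement atomicity

    def seed(self, code: str, value: int) -> None:
        self._rows[code] = {"value": value, "used": False}

    def read(self, code: str) -> dict:
        with self._db_lock:               # SELECT value, used FROM vouchers WHERE code=?
            return dict(self._rows[code])

    def mark_used(self, code: str) -> None:
        with self._db_lock:               # UPDATE vouchers SET used=1 WHERE code=?
            self._rows[code]["used"] = True

    def claim(self, code: str) -> int:
        """Atomic conditional update: returns the value if this caller won, else 0.
        Models: UPDATE vouchers SET used=1 WHERE code=? AND used=0, then rowcount."""
        with self._db_lock:
            row = self._rows[code]
            if row["used"]:
                return 0
            row["used"] = True
            return row["value"]


class Account:
    def __init__(self) -> None:
        self.credits = 0
        self._lock = threading.Lock()

    def add(self, amount: int) -> None:
        with self._lock:
            self.credits += amount


SlowStep = Callable[[], object]


def redeem_vulnerable(store: VoucherStore, account: Account, code: str, slow_step: SlowStep) -> bool:
    row = store.read(code)
    if row["used"]:
        return False                      # check ...
    slow_step()                           # e.g. a fraud-scoring call; other requests run here
    store.mark_used(code)                 # ... then act: the window between them is the bug
    account.add(row["value"])
    return True


def redeem_hardened(store: VoucherStore, account: Account, code: str, slow_step: SlowStep) -> bool:
    slow_step()                           # latency before the state change is harmless
    value = store.claim(code)             # single atomic test-and-set in the store
    if value == 0:
        return False
    account.add(value)
    return True


def race(redeem, n_requests: int = 8) -> Tuple[int, int]:
    """Testing technique: fire N identical requests that all reach the slow
    step before any proceeds, then count how many were accepted."""
    store, account = VoucherStore(), Account()
    store.seed("SAVE10", 10)
    barrier = threading.Barrier(n_requests)
    outcomes = []
    outcomes_lock = threading.Lock()

    def request() -> None:
        ok = redeem(store, account, "SAVE10", barrier.wait)
        with outcomes_lock:
            outcomes.append(ok)

    threads = [threading.Thread(target=request) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), account.credits


if __name__ == "__main__":
    print("vulnerable:", race(redeem_vulnerable))  # (8, 80): one voucher honoured 8 times
    print("hardened:  ", race(redeem_hardened))    # (1, 10)
```

Against a live application the same technique is a burst of identical requests released simultaneously; the tell-tale sign is a count of accepted responses greater than the resource allows. The fix moves the decision into the store's atomic conditional update rather than trying to hold an application-level lock across a network round trip.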
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by a look at how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=43029Seattle2008-10-12T21:10:28Z<p>Medelibero: /* Next Event 23 October (Thursday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
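An added example (not from Chris Weber's talk or the chapter page, and covering the same abstract where it appears in the earlier revision above) of one issue class UTR #36 calls out: a character filter that runs before Unicode normalization is bypassed by compatibility characters that NFKC folds to the blocked ASCII, with the corrected ordering beside it, plus a small confusable-skeleton check in the spirit of UTS #39. The blocklist, the fullwidth payload and the homoglyph table are constructed for illustration; the normalization itself comes from Python's `unicodedata`.

```python
"""Added example (constructed): normalization-ordering bypass of a character
filter, the hardened ordering, and a toy UTS #39-style confusable check."""
import unicodedata
from typing import Optional

# Characters a (hypothetical) application refuses in a display name.
BLOCKED = set("<>\"'/")


def naive_is_clean(value: str) -> bool:
    return not (BLOCKED & set(value))


def normalize_for_storage(value: str) -> str:
    # Many stacks normalise identifiers to NFKC before storing or comparing;
    # NFKC folds compatibility characters such as fullwidth forms to ASCII.
    return unicodedata.normalize("NFKC", value)


def vulnerable_pipeline(value: str) -> Optional[str]:
    """Filter first, normalise later: the classic bug ordering."""
    if not naive_is_clean(value):
        return None
    return normalize_for_storage(value)


def hardened_pipeline(value: str) -> Optional[str]:
    """Normalise to the canonical form once, then validate that form."""
    canonical = normalize_for_storage(value)
    if not naive_is_clean(canonical):
        return None
    return canonical


# Constructed payload: FULLWIDTH LESS-THAN SIGN (U+FF1C), GREATER-THAN (U+FF1E)
# and SOLIDUS (U+FF0F) are not in BLOCKED but NFKC-fold to '<', '>' and '/'.
FULLWIDTH_PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c\uff0fscript\uff1e"


def confusable_skeleton(value: str) -> str:
    """Toy skeleton in the spirit of UTS #39: NFKC, case-fold, then map a few
    Cyrillic homoglyphs to their Latin look-alikes. A real deployment would
    use the full confusables table; this mapping is a constructed subset."""
    homoglyphs = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                  "\u0441": "c", "\u0445": "x", "\u0443": "y"}
    folded = unicodedata.normalize("NFKC", value).casefold()
    return "".join(homoglyphs.get(ch, ch) for ch in folded)


def looks_like(candidate: str, protected: str) -> bool:
    """True if two identifiers would be indistinguishable to a reader."""
    return confusable_skeleton(candidate) == confusable_skeleton(protected)
```

The ordering rule generalises beyond this blocklist: whatever the validation is, it must run on the exact byte or code-point sequence the consumer will see, so normalise (and decode, and case-fold) first and validate last.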
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools (particularly those acquired by IBM and HP in 2007) when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=43028Seattle2008-10-12T21:10:03Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] <br />
<paypal>Seattle</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 October (Thursday) ==<br />
<br />
'''Location:''' 810 Third Avenue<br />
<br />
Seattle, WA 98104<br />
<br />
Conference room on the first floor <br />
<br />
'''Date:''' 10/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Michael Eddington'''<br />
<br />
'''Fuzzjacking!'''<br />
<br />
Fuzzing is one of the hot new buzzwords in the security industry and<br />
if your clients have not already asked for it, they will. This talk will<br />
introduce the subject, talk about different types of fuzzers,<br />
integration into SDL, when to fuzz and also talk a bit about the Peach<br />
Fuzzing Platform. Questions and interaction requested :)<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'<br />
experience in computer security and expertise in application security,<br />
network security and threat modeling. Michael founded the<br />
security services practice for IOActive and co-founded the Security<br />
Services Center for Hewlett-Packard's services division. Michael is<br />
also an accomplished software developer, having participated in a<br />
number of open-source security development projects ranging from the<br />
Trike threat modeling conceptual framework to the Peach Fuzzer<br />
Platform.<br />
<br />
<br />
'''Speaker: Chris Weber'''<br />
<br />
'''Exploiting Unicode-enabled Software'''<br />
<br />
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports #36 and #39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.<br />
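Added example (not part of the talk abstract or of this page; the same abstract appears in both revisions of the page above and is illustrated once here): two of the issue classes UTR #36 and UTR #39 describe, in Python. The first is the validate-then-normalize ordering bug, where a blocklist check runs on the raw input and a later NFKC normalization folds a fullwidth &#65308; into a plain &lt;. The second is a rough mixed-script check of the kind UTR #39 specifies for confusable identifiers. The blocklist, the sample strings and the use of Unicode character names as a stand-in for the Script property are assumptions of this example.<br />

```python
import unicodedata

# Characters that must never reach the HTML consumer unescaped (assumed policy).
BLOCKLIST = set('<>"\'&')

# Constructed sample inputs for this example, not taken from the talk.
FULLWIDTH_TAG = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"  # fullwidth < and >
LIGATURE_WORD = "\ufb01le"                                      # 'fi' ligature + 'le'
LOOKALIKE_BRAND = "p\u0430ypal"                                 # Cyrillic 'a' among Latin


def vulnerable_sanitize(s):
    """Validate first, normalize afterwards (the wrong order).

    The fullwidth '<' (U+FF1C) is not in BLOCKLIST, so the check passes; NFKC
    then folds it to ASCII '<' and the consumer receives live markup.
    Returns the string that would be emitted, or None if rejected.
    """
    if any(c in BLOCKLIST for c in s):
        return None
    return unicodedata.normalize("NFKC", s)


def hardened_sanitize(s):
    """Normalize to the form the consumer will see, then validate that form.

    Every later step (storage, templating, the browser) must work on this
    same normalized value, or the gap simply reopens downstream.
    """
    normalized = unicodedata.normalize("NFKC", s)
    if any(c in BLOCKLIST for c in normalized):
        return None
    return normalized


def scripts_in(s):
    """Set of script names for the letters in s, taken from the first word of
    each character's Unicode name. A rough stand-in for the Script property
    that UTR #39 uses; good enough to separate Latin from Cyrillic or Greek."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in s if c.isalpha()}


def is_mixed_script(s):
    """True when letters from more than one script are mixed in one identifier,
    the mixed-script confusable case from UTR #39."""
    return len(scripts_in(s)) > 1


if __name__ == "__main__":
    print("vulnerable:", vulnerable_sanitize(FULLWIDTH_TAG))
    print("hardened:  ", hardened_sanitize(FULLWIDTH_TAG))
    print("ligature:  ", hardened_sanitize(LIGATURE_WORD))
    print("mixed:     ", is_mixed_script(LOOKALIKE_BRAND))
```

The ligature case shows why the hardened order is not simply "reject anything non-ASCII": NFKC turns the harmless ligature into plain "file", and the check still passes it, while the fullwidth tag is caught because the check sees the same bytes the browser will.<br />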
<br />
--------------------------------------------------------------------------------<br />
<br />
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.<br />
<br />
<br />
== Previous Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools (particularly those acquired by IBM and HP in 2007) when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
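Added example (not from the talk, the speaker or Fortify's product; the abstract appears in both revisions of the page above and is illustrated once here): a minimal dynamic taint propagation tracker in Python. Input from a request is marked tainted, the mark follows the value through string operations, and an instrumented SQL sink records a finding when tainted text arrives as query syntax. The functional test uses only a benign username, which is the point of the technique: no attack payload is needed. The `Tainted` class, the `http_param` source, the `users` table and the two lookup functions are constructed for this example; a real tracker instruments the runtime's string routines rather than relying on a subclass, so this version loses the mark through f-strings, `%` formatting of a clean template and `join()`.<br />

```python
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted source.

    Taint follows the value through the operations wrapped below. This only
    illustrates the idea: a production tracker instruments the runtime's own
    string routines (the 'retrofit an existing executable' step), so the mark
    also survives f-strings, '%' formatting of a clean template and join().
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for  clean_str + tainted  because Tainted subclasses str.
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))


def _propagating(name):
    """Wrap str.<name> so that a str result keeps the taint mark."""
    method = getattr(str, name)

    def wrapper(self, *args, **kwargs):
        result = method(self, *args, **kwargs)
        return Tainted(result) if isinstance(result, str) else result

    return wrapper


for _name in ("strip", "lstrip", "rstrip", "upper", "lower", "title",
              "replace", "format", "ljust", "rjust", "zfill"):
    setattr(Tainted, _name, _propagating(_name))


def http_param(value):
    """Taint source: stands in for reading a request parameter."""
    return Tainted(value)


FINDINGS = []


def execute_sql(conn, query, params=()):
    """Instrumented sink. Tainted query TEXT is a finding, because it will be
    parsed as SQL; tainted PARAMETERS are fine, the driver never treats them
    as syntax. The query still runs so the functional test keeps going."""
    if isinstance(query, Tainted):
        FINDINGS.append(str(query))
    return conn.execute(query, params).fetchall()


def lookup_role_vulnerable(conn, username):
    query = "SELECT role FROM users WHERE name = '" + username + "'"
    return execute_sql(conn, query)


def lookup_role_safe(conn, username):
    return execute_sql(conn, "SELECT role FROM users WHERE name = ?", (username,))


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])  # constructed rows
    return conn


def run_functional_test():
    """An ordinary QA test with a benign, non-malicious input.

    Returns (vulnerable_result, safe_result, findings). Both lookups return the
    right row, so a functional assertion passes; only the taint sink tells the
    two implementations apart.
    """
    FINDINGS.clear()
    conn = setup_db()
    name = http_param("  alice ").strip()   # whitespace handling keeps the taint
    vulnerable = lookup_role_vulnerable(conn, name)
    safe = lookup_role_safe(conn, name)
    return vulnerable, safe, list(FINDINGS)


if __name__ == "__main__":
    print(run_functional_test())
```

Run as a script it prints the two identical result sets and one finding for the concatenated query. Tracking the parameter separately from the query text is what lets the tool stay quiet on the parameterized version, which is also why the approach produces far fewer false positives than grepping for user input near `execute()`.<br />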
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
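Added example (not from the talk or the speaker; the abstract appears in both revisions of the page above and is illustrated once here): a check-then-act race on shared state, written in Python with threads, next to the same handler with the check and the update made atomic, plus the kind of targeted test the abstract refers to. The `Account` object, the amounts and the `time.sleep` that stands in for a request's real work are constructed for this example; the sleep only widens the window so the flaw shows up in a single run instead of once a month in production.<br />

```python
import threading
import time


class Account:
    """Shared, security-sensitive state: one row a web app would keep in a
    session store or database. Constructed for this example."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, barrier):
    """Check-then-act with no synchronisation: the concurrency flaw.

    Every request that passes the check before any request has debited the
    balance is allowed through, so several parallel requests for 60 against
    a balance of 100 can all succeed."""
    barrier.wait()                       # all requests arrive at the same instant
    if acct.balance >= amount:           # check
        time.sleep(0.05)                 # stands in for real work (DB round trip)
        acct.balance -= amount           # act
        return True
    return False


def withdraw_safe(acct, amount, barrier):
    """Check and act performed as one atomic step under the resource's lock."""
    barrier.wait()
    with acct.lock:
        if acct.balance >= amount:
            time.sleep(0.05)
            acct.balance -= amount
            return True
    return False


def hammer(handler, balance, amount, n_requests):
    """Targeted test: fire n identical requests simultaneously and report
    (number of successful withdrawals, final balance). A sequential functional
    test would call the handler once and never see the problem."""
    acct = Account(balance)
    barrier = threading.Barrier(n_requests)
    results = []
    results_lock = threading.Lock()

    def request():
        ok = handler(acct, amount, barrier)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=request) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    print("racy:", hammer(withdraw_racy, balance=100, amount=60, n_requests=8))
    print("safe:", hammer(withdraw_safe, balance=100, amount=60, n_requests=8))
```

Run as a script, the racy handler reports several successful withdrawals and a negative balance, the locked one exactly one success and a balance of 40. An in-process lock only protects one server process; when the state lives in a database the equivalent fix is to make the check part of the write itself (for example a conditional UPDATE whose WHERE clause includes the balance condition, followed by a check of the affected row count) or to use the store's compare-and-swap primitive. The test technique is the same either way: replay one request many times in parallel and compare the final state with what a sequential run would leave behind.<br />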
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
'''Date: 1/23/2008'''<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!<br />
<br />
[[Category:Washington]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=30428Seattle2008-06-05T14:21:48Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 12 June (Thursday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 06/12/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Taylor McKinley'''<br />
<br />
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''<br />
<br />
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:<br />
<br />
*Explain how dynamic taint propagation works.<br />
*Show how to retrofit an existing executable to perform dynamic taint propagation.<br />
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.<br />
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.<br />
<br />
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Taylor McKinley''', Product Manager, Fortify Software<br />
<br />
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.<br />
<br />
'''Speaker: Scott Stender'''<br />
<br />
'''Concurrency Attacks in Web Applications'''<br />
<br />
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.<br />
<br />
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.<br />
<br />
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.<br />
<br />
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.<br />
<br />
== Previous Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 03/04/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
== Past Events ==<br />
<br />
1/23/2008 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.<br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=SpoC_007_-_OWASP_Site_Generator_-_Progress_Page&diff=27382SpoC 007 - OWASP Site Generator - Progress Page2008-04-01T04:19:03Z<p>Medelibero: /* First Deliverable march 28th 2008 */</p>
<hr />
<div>'''[https://www.owasp.org/index.php/SpoC_007_-_OWASP_Site_Generator Back to SpoC 007 OSG page]'''<br />
<br />
== First Deliverable march 28th 2008 ==<br />
* Developed the hollow framework for the new OSG that includes<br />
** Owasp.Osg.HttpModule - can route any filetypes set in the web.config to it<br />
** Owasp.Osg.Controller - currently only opens a go-between connection<br />
** Owasp.Osg.Communication - wraps shared comm classes and houses buffer that shares osg data between remote objects.<br />
<br />
<br />
* Reviewed the deliverable and confirmed it met expectations.</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=26031Seattle2008-02-27T04:47:00Z<p>Medelibero: /* Next Event 4 March (Tuesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 3/4/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Speaker: Billy Rios'''<br />
<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Speaker: Jon McClintock'''<br />
<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
== Previous Event 23 January (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 1/23/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
== Past Events ==<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=26030Seattle2008-02-27T04:46:30Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 4 March (Tuesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 3/4/2008<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Billy Rios'''<br />
'''Bad Sushi - Beating Phishers at Their Own Game'''<br />
<br />
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.<br />
<br />
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.<br />
<br />
This talk will expose some of the tactics and tools used by phishers. An actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.<br />
<br />
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.<br />
<br />
--------------------------------------------------------------------------------<br />
<br />
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.<br />
<br />
<br />
'''Jon McClintock'''<br />
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.<br />
<br />
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.<br />
<br />
== Previous Event 23 January (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 1/23/2007<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft, where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
== Past Events ==<br />
<br />
11/29/2007 @ 6:30PM PST - Seattle chapter meeting<br />
<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=24674Seattle2008-01-25T13:41:26Z<p>Medelibero: /* Next Event 23 Jan (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 Jan (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 1/23/2007<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft, where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
== Last Event 29 Nov (Thurs) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
== Past Events ==<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=24673Seattle2008-01-25T13:41:07Z<p>Medelibero: /* Next Event 23 Jan (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 Jan (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 1/23/2007<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
== Last Event 29 Nov (Thurs) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
== Past Events ==<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=File:Emerging_Threats_in_Distributed_Applications_(Web_2).ppt&diff=24672File:Emerging Threats in Distributed Applications (Web 2).ppt2008-01-25T07:40:36Z<p>Medelibero: Waqas Nazir's presentation given at the January 2008 Seattle chapter meeting.</p>
<hr />
<div>Waqas Nazir's presentation given at the January 2008 Seattle chapter meeting.</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=24671Seattle2008-01-25T06:47:34Z<p>Medelibero: /* Next Event 23 Jan (Wednesday) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 23 Jan (Wednesday) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 1/23/2007<br />
<br />
'''Time:''' 6:30PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Waqas Nazir''', DigitSec<br />
<br />
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.<br />
<br />
Presentation Title: Emerging threats in Web 2.0<br />
<br />
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc.).<br />
<br />
<br />
'''Chris Clark''', iSEC Partners<br />
<br />
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.<br />
<br />
Presentation Title: Ruby on Rails Security<br />
<br />
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.<br />
<br />
== Last Event 29 Nov (Thurs) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must-attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
== Past Events ==<br />
<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
----<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_.Net_Project_Roadmap&diff=24097OWASP .Net Project Roadmap2007-12-28T18:55:29Z<p>Medelibero: </p>
<hr />
<div>== Goals ==<br />
Our overall goal is to create tools and deliver research that will help advance the security of the .Net framework. <br />
<br />
We have the following short-term goals:<br />
# Create a CSRF blocker <br />
# Create a practical guide into .Net secure coding practices<br />
<br />
== Current Tasks ==<br />
# Investigate the following tools: ANBS, ASP.Net Reflector, ANSA<br />
# Investigate the integration of the majority of the tools into one main .Net tool. Potentially looking at OWASP tiger to use it as a base <br />
# Create CSRF Guard<br />
# Make sure OWASP Site Generator (OSG) gets finished <br />
# Guidance on CAS with code samples<br />
<br />
== Ideas ==<br />
Please feel free to send your ideas to the OWASP.Net mailing list (owasp-dotnet@lists.owasp.org)<br />
<br />
[[Category:OWASP .NET Project]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_.Net_Project_Roadmap&diff=24096OWASP .Net Project Roadmap2007-12-28T18:54:46Z<p>Medelibero: </p>
<hr />
<div>== Goals ==<br />
Our overall goal is to create tools and deliver research that will help advance the security of the .Net framework. <br />
<br />
We have the following short-term goals:<br />
# Create a CSRF blocker <br />
# Create a practical guide into .Net secure coding practices<br />
<br />
== Current Tasks ==<br />
# Investigate the following tools: ANBS, ASP.Net Reflector, ANSA<br />
# Investigate the integration of the majority of the tools into one main .Net tool. Potentially looking at OWASP tiger to use it as a base <br />
# Create CSRF Guard<br />
# Make sure OWASP Site Generator(OSG) gets finished <br />
# Guidance on CAS with code samples<br />
<br />
== Ideas ==<br />
Please feel free to send your ideas to the OWASP.Net mailing list (owasp-dotnet@lists.owasp.org)<br />
<br />
[[Category:OWASP .NET Project]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_.Net_Project_Roadmap&diff=24095OWASP .Net Project Roadmap2007-12-28T16:56:26Z<p>Medelibero: New page: == Goals == Our overall goal is: Is to create tools and deliver research that will help advance the security of the .Net framework. We have the following short-term goals: # Cre...</p>
<hr />
<div>== Goals ==<br />
Our overall goal is to create tools and deliver research that will help advance the security of the .Net framework.<br />
<br />
We have the following short-term goals:<br />
# Create a CSRF blocker <br />
# Create a practical guide into .Net secure coding practices<br />
<br />
== Current Tasks ==<br />
<br />
[[Category:OWASP .NET Project]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Category:OWASP_.NET_Project&diff=24094Category:OWASP .NET Project2007-12-28T16:51:28Z<p>Medelibero: /* Other misc stuff */</p>
<hr />
<div>Welcome to the OWASP .Net Project. These pages are still in 'very alpha' format since we are still importing content (check out '''[[To Do on Owasp .Net Project Pages]]''' if you want to help out)<br />
<br />
{| <br />
| valign="top" |<br />
<br />
== Latest ==<br />
* Nov 2007: Uploaded test scripts from OWASP training in San Jose [https://www.owasp.org/images/7/7d/Fetch_Web_Page_%28from_OWASP_training_in_San_Jose%29.zip download here]<br />
* Jun 2007: Created stub pages for Microsoft's [[SliverLight]], Adobe's [[AIR]], Microsoft's [[WSS]] and Apple's [[iPhone]]<br />
* Jun 2007: [[DN_BOFinder]] Uploaded latest version to Sourceforge and updated WIKI page<br />
* Feb 2007: Added info about the new tool: DotNet Buffer Overflow Finder [[DN_BOFinder]]<br />
* 14th September: Added stub page [[Source Code Audit Tools]]<br />
* 31st August: [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]], Today we are launching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.<br />
* 31st August: [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview], Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.<br />
* 14 August: Finished adding in the <nowiki> {{Template:Stub}} </nowiki> to the pages - Mike de Libero<br />
* 29 July: New finding [[Full Trust CLR Verification issue: changing the return address order]]<br />
* 28 July: Added new tool [[.Net Assembly Analyzer]]<br />
* 27 July: New Layout for home page <br />
* 25 July: Made tons of changes to lots of pages (from new content, to images, etc...) <br />
* 20 July: [[Owasp Report Generator]] page with links for download<br />
* Uploaded latest version of [[Owasp SiteGenerator]](including the source code) to SourceForge and updated the links in [[Owasp SiteGenerator]]<br />
* 11 July: [[Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net]]<br />
* 11 July: We have started to upload the OWASP .Net Projects to [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 SourceForge dotNET section]. SiteGenerator is up there and more will follow.<br />
<br />
Unless marked, the above entries were posted by [[User:Dinis.cruz|Dinis.cruz]] <br />
<br />
| valign="top" |<br />
<br />
[[Category:OWASP Project]]<br />
<br />
== Current Projects ==<br />
* [[Owasp SiteGenerator]] (sponsored by Foundstone)<br />
* [[Owasp Report Generator]]<br />
* [[ANBS]] (Asp.Net Baseline Security) - includes the tools [[SAM'SHE]] (Security Analyzer for Microsoft's Shared Hosting Environments) and [[Online IIS Metabase Explorer]]<br />
* [[ASP.NET Reflector]]<br />
* [[ANSA]] (Asp.Net Security Analyzer) - first tool developed by Dinis Cruz that highlights the security problems of Full Trust Asp.Net code (contains Proof of Concept tests (i.e. exploits))<br />
* [[DefApp]] - Partial port of ModSecurity to the .Net Platform <br />
* [[Owasp FOSBBWAS (code name Beretta)]]<br />
* [[.Net Assembly Analyzer]]<br />
* [[OWASP_Tiger|OWASP Tiger]]<br />
<br />
'''Related Foundstone Open source projects'''<br />
* [[Hacme Bank]] (Foundstone tool)<br />
* [[.NetMon]] (Foundstone tool)<br />
* [[Validator.NET]] (Foundstone tool)<br />
<br />
<br />
'''Note:''' All releases are available on the [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 dotNET section] of the [https://sourceforge.net/projects/owasp/ SourceForge OWASP Project pages]<br />
<br />
|- <br />
| valign="top" |<br />
<br />
== .Net Security ==<br />
* [[.Net Full Trust]] (A discussion on the security implications of running .NET applications using the default Full Trust security model)<br />
* [[.Net Type Safety]]<br />
* [[.Net Framework Security Issues]]<br />
* [[Rooting The CLR]]<br />
<br />
| valign="top" |<br />
<br />
== Other misc stuff ==<br />
* [[London Chapter WAF event]]<br />
* [[Security Podcasts]]<br />
* [[CVS details for Editors]]<br />
* [[Wiki Edit Tips]]<br />
* '''Code Samples'''<br />
** [[.Net Code Sample - Reflecting assembly with missing dependency]]<br />
** [[Files_Xml_WindowsMessages]] (with serialization stuff)<br />
* [[.Net Research Links]]<br />
* [[.Net Security Tools]]<br />
* [[Richard Crypto .Net Stuff]]<br />
* [[2006 Autumn Of Code]]<br />
* [[OWASP .Net Project Roadmap]]<br />
|}<br />
<br />
== Mailing List ==<br />
We have a mailing list at Sourceforge which we use to discuss issues relevant to .Net security (see [[How to join Owasp.Net Mailing List]])<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Download]]<br />
<br />
__NOTOC__</div>Medeliberohttps://wiki.owasp.org/index.php?title=Category:OWASP_.NET_Project&diff=24093Category:OWASP .NET Project2007-12-28T16:51:08Z<p>Medelibero: /* Other misc stuff */</p>
<hr />
<div>Welcome to the OWASP .Net Project. These pages are still in 'very alpha' format since we are still importing content (check out '''[[To Do on Owasp .Net Project Pages]]''' if you want to help out)<br />
<br />
{| <br />
| valign="top" |<br />
<br />
== Latest ==<br />
* Nov 2007: Uploaded test scripts from OWASP training in San Jose [https://www.owasp.org/images/7/7d/Fetch_Web_Page_%28from_OWASP_training_in_San_Jose%29.zip download here]<br />
* Jun 2007: Created stub pages for Microsoft's [[SliverLight]], Adobe's [[AIR]], Microsoft's [[WSS]] and Apple's [[iPhone]]<br />
* Jun 2007: [[DN_BOFinder]] Uploaded latest version to Sourceforge and updated WIKI page<br />
* Feb 2007: Added info about the new tool: DotNet Buffer Overflow Finder [[DN_BOFinder]]<br />
* 14th September: Added stub page [[Source Code Audit Tools]]<br />
* 31st August: [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]], Today we are launching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.<br />
* 31st August: [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview], Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.<br />
* 14 August: Finished adding in the <nowiki> {{Template:Stub}} </nowiki> to the pages - Mike de Libero<br />
* 29 July: New finding [[Full Trust CLR Verification issue: changing the return address order]]<br />
* 28 July: Added new tool [[.Net Assembly Analyzer]]<br />
* 27 July: New Layout for home page <br />
* 25 July: Made tons of changes to lots of pages (from new content, to images, etc...) <br />
* 20 July: [[Owasp Report Generator]] page with links for download<br />
* Uploaded latest version of [[Owasp SiteGenerator]](including the source code) to SourceForge and updated the links in [[Owasp SiteGenerator]]<br />
* 11 July: [[Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net]]<br />
* 11 July: We have started to upload the OWASP .Net Projects to [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 SourceForge dotNET section]. SiteGenerator is up there and more will follow.<br />
<br />
Unless marked, the above entries were posted by [[User:Dinis.cruz|Dinis.cruz]] <br />
<br />
| valign="top" |<br />
<br />
[[Category:OWASP Project]]<br />
<br />
== Current Projects ==<br />
* [[Owasp SiteGenerator]] (sponsored by Foundstone)<br />
* [[Owasp Report Generator]]<br />
* [[ANBS]] (Asp.Net Baseline Security) - includes the tools [[SAM'SHE]] (Security Analyzer for Microsoft's Shared Hosting Environments) and [[Online IIS Metabase Explorer]]<br />
* [[ASP.NET Reflector]]<br />
* [[ANSA]] (Asp.Net Security Analyzer) - first tool developed by Dinis Cruz that highlights the security problems of Full Trust Asp.Net code (contains Proof of Concept tests (i.e. exploits))<br />
* [[DefApp]] - Partial port of ModSecurity to the .Net Platform <br />
* [[Owasp FOSBBWAS (code name Beretta)]]<br />
* [[.Net Assembly Analyzer]]<br />
* [[OWASP_Tiger|OWASP Tiger]]<br />
<br />
'''Related Foundstone Open source projects'''<br />
* [[Hacme Bank]] (Foundstone tool)<br />
* [[.NetMon]] (Foundstone tool)<br />
* [[Validator.NET]] (Foundstone tool)<br />
<br />
<br />
'''Note:''' All releases are available on the [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 dotNET section] of the [https://sourceforge.net/projects/owasp/ SourceForge OWASP Project pages]<br />
<br />
|- <br />
| valign="top" |<br />
<br />
== .Net Security ==<br />
* [[.Net Full Trust]] (A discussion on the security implications of running .NET applications using the default Full Trust security model)<br />
* [[.Net Type Safety]]<br />
* [[.Net Framework Security Issues]]<br />
* [[Rooting The CLR]]<br />
<br />
| valign="top" |<br />
<br />
== Other misc stuff ==<br />
* [[London Chapter WAF event]]<br />
* [[Security Podcasts]]<br />
* [[CVS details for Editors]]<br />
* [[Wiki Edit Tips]]<br />
* '''Code Samples'''<br />
** [[.Net Code Sample - Reflecting assembly with missing dependency]]<br />
** [[Files_Xml_WindowsMessages]] (with serialization stuff)<br />
* [[.Net Research Links]]<br />
* [[.Net Security Tools]]<br />
* [[Richard Crypto .Net Stuff]]<br />
* [[2006 Autumn Of Code]]<br />
* [[.Net Roadmap]]<br />
|}<br />
<br />
== Mailing List ==<br />
We have a mailing list at Sourceforge which we use to discuss issues relevant to .Net security (see [[How to join Owasp.Net Mailing List]])<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Download]]<br />
<br />
__NOTOC__</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_Community&diff=23141OWASP Community2007-11-06T08:19:39Z<p>Medelibero: </p>
<hr />
<div>This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.<br />
<br />
Events from previous years are archived here:<br />
* '''[[OWASP Community 2006]]'''<br />
<br />
This page is monitored, and items posted here will be copied to the OWASP Calendar [[Main Page]]. Please post new items in chronological order using the following format:<br />
<br />
'''Mon ## (##:00h) - [[Article]]'''<br />
<br />
<!--<br />
<br />
CHAPTER LEADS -- please put your schedule here and we'll post a month in advance<br />
<br />
*** Belgium ***<br />
<br />
*** OTTAWA: Rough dates ***<br />
<br />
*** BOSTON: Every first Wednesday of the month ***<br />
<br />
*** MELBOURNE: First Tuesday of the month ***<br />
<br />
*** NETHERLANDS: Second Thursday of the month sometimes ***<br />
<br />
*** ROCHESTER: Every third Monday of the month ***<br />
<br />
*** TORONTO: Every second Wednesday of the month<br />
<br />
*** VIRGINIA: Every second thursday of the month ***<br />
<br />
*** SINGAPORE: Every first Thursday of the month ***<br />
<br />
--><br />
<br />
==Upcoming Events==<br />
Not yet registered in the Calendar:<br />
<br />
==Upcoming Events==<br />
<br />
'''Dec 18 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Dec 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Dec 5 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''<br />
<br />
'''Dec 3 (13:00h) - [[Israel|OWASP Israel 2007]] '''<br />
<br />
'''Nov 29 (18:00h) - [[Seattle|Seattle Chapter Meeting]] '''<br />
<br />
'''Nov 26 (09:30h) - [[Turkey|Turkey Chapter Meeting - Izmir]] '''<br />
<br />
'''Nov 24 (13:30h) - [[Turkey|Turkey Chapter Meeting - Ankara]] '''<br />
<br />
'''Nov 20 (18:00h) - [[Belgium|Belgium Chapter Meeting]] '''<br />
<br />
'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
'''Nov 14 (18:00h) - [[Houston|Houston Chapter Meeting]] '''<br />
<br />
'''Nov 11 (18:00h) - [[Ireland|Ireland Chapter Meeting]] '''<br />
<br />
'''Nov 7 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''<br />
<br />
'''Nov 7 (19:00h) - [[Singapore|Singapore OWASP Chapter Meeting]] '''<br />
<br />
'''Nov 3 (18:30h) - [[Malaysia|Malaysia OWASP Chapter Meeting]] '''<br />
<br />
==Past Events==<br />
<br />
'''Oct 9 (19:30h) - [[Singapore|Singapore OWASP chapter meeting]]'''<br />
<br />
'''Oct 2 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Sept 27 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Sept 27 (13:00h) - [[Taiwan|Taiwan chapter meeting]]'''<br />
<br />
'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Sept 10 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Sept 7 (15:00h) [[Germany|German chapter meeting]]''' - Restart of the German Chapter<br />
<br />
'''Sept (12:00h) - [[Belgium|Belgium OWASP Day Event]] '''<br />
<br />
'''Sept 6 (18:00h) - [[Kansas_City|Kansas City Chapter meeting]]'''<br />
<br />
'''Sept 5 (18:00h) - [[Chicago|Chicago Chapter Meeting]]'''<br />
<br />
'''Sept 5 (17:00h) - [[Israel|Israeli chapter meeting]]'''<br />
<br />
'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''<br />
<br />
'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''<br />
<br />
'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''<br />
<br />
'''June 26 (11:30h) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans<br />
<br />
'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)<br />
<br />
'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''<br />
<br />
'''June 15 (17:00h) - [[Spain|Spain chapter meeting]]'''<br />
<br />
'''June 13 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''June 12 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''<br />
<br />
'''May 29 (9:00h) - [http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]'''<br />
<br />
'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - "Bullet Proof UI - A programmer's guide to the complete idiot". <br />
<br />
'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''<br />
<br />
'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''<br />
<br />
'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''<br />
<br />
'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''<br />
<br />
'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''<br />
<br />
'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''<br />
<br />
'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''<br />
<br />
'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''<br />
<br />
'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 30 - [http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22 Italy@Master in Security at "La Sapienza"]'''<br />
<br />
'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''<br />
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”<br />
<br />
'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''<br />
<br />
'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''<br />
<br />
'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''<br />
<br />
'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''<br />
<br />
'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''<br />
<br />
; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''<br />
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”<br />
<br />
'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''<br />
<br />
'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''<br />
<br />
'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''<br />
<br />
'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''<br />
<br />
'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''<br />
<br />
'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''<br />
<br />
'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''<br />
<br />
'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''<br />
<br />
'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''<br />
<br />
'''May 2 - [[Boston]]'''<br />
<br />
'''May 6 - [[Turkey]]'''<br />
<br />
'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''<br />
<br />
'''May 9 - [[Toronto]]'''<br />
<br />
'''May 10 - [[Belgium]]'''<br />
<br />
'''May 15 - [[Rochester]]'''<br />
<br />
'''May 21 - [[Israel]]'''<br />
<br />
'''May 22 - [[New Zealand]]'''<br />
<br />
'''May 29 - [[Italy]]'''<br />
<br />
'''June 5 - [[Houston]]'''<br />
<br />
'''June 5 - [[Melbourne]]'''<br />
<br />
'''June 5 - [[Helsinki]]'''<br />
<br />
'''June 12 - [[New Jersey]]'''<br />
<br />
'''June 15 - [[Spain]]'''<br />
<br />
'''July 14 - [[Turkey]]'''</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=23140Seattle2007-11-06T08:17:34Z<p>Medelibero: </p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Next Event 29 Nov (Thurs) ==<br />
'''Location:''' Bellevue Las Margaritas<br />
<br />
437 108th Ave NE<br />
<br />
Bellevue, WA 98004<br />
<br />
(425) 453-0535<br />
<br />
<br />
'''Date:''' 11/29/2007<br />
<br />
'''Time:''' 6PM<br />
<br />
'''Speakers:'''<br />
<br />
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".<br />
<br />
Presentation Title: Hunting security bugs in your code<br />
<br />
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.<br />
<br />
<br />
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.<br />
<br />
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.<br />
<br />
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"<br />
<br />
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!<br />
<br />
== Last Event 06 Sep (Thurs) ==<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
== Past Events ==<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct for pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_Week_September_2007&diff=22284OWASP Week September 20072007-10-10T03:50:21Z<p>Medelibero: </p>
<hr />
<div>This page collects the outcome of the OWASP chapter events held during the week of 5 September to 12 September 2007 (see [[OWASP Day]])<br />
<br />
<br />
== Presentations (links to) ==<br />
<br />
<br />
==== Washington DC ====<br />
<br />
All presentations can be found at the link below. <br />
<br />
[[Washington_DC_LIVE-O]]<br />
<br />
==== Belgium ====<br />
<br />
===== Getting started with WebGoat & WebScarab (Erwin Geirnaert) =====<br />
Download [[:Image:OWASPDay2007Belgium_WebGoat-WebScarab.ppt|presentation]].<br />
<br />
In this tutorial you will learn how to use WebScarab to solve the lessons in WebGoat.<br />
<br />
Following points will be explained:<br />
* Configure WebScarab as a local proxy<br />
* Intercept HTTP requests and responses<br />
* Modify HTTP requests to solve the lesson “Hidden field manipulation”<br />
* Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”<br />
* Use the session analysis tab in WebScarab<br />
* Use the web services tab in WebScarab<br />
* Use WebScarab to analyze Ajax XML messages<br />
<br />
'''!! Prerequisites:'''<br />
* Bring your own laptop with you! <br />
* Download [[OWASP_WebScarab_Project#Download|WebScarab]] onto your laptop<br />
* Download [[OWASP_WebGoat_Project#Download|WebGoat]] onto your laptop<br />
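As an added illustration of why the two WebGoat lessons listed above (hidden-field manipulation and bypassing client-side JavaScript validation) succeed, and what the server has to do to make them fail, here is a small Python example. It is not part of the tutorial, of WebGoat or of WebScarab: the form submissions, the catalog prices and the quantity limit are all constructed for this example, there is no real server, and the <code>tampered_body</code> function stands in for the user editing an intercepted request in WebScarab.

```python
"""Why editing an intercepted form post works, and the server-side fix.

Constructed example (not WebGoat or WebScarab code): CATALOG, MAX_QTY and
the form submissions below are made up for illustration.
"""
from urllib.parse import parse_qs, urlencode

CATALOG = {"SKU-1001": 199.00, "SKU-2002": 49.50}  # assumed server-side price list
MAX_QTY = 10                                       # assumed limit the page's JavaScript enforces


class RejectedRequest(ValueError):
    """Raised by the hardened handler when a request fails server-side validation."""


def tampered_body(original: dict, **overrides) -> str:
    """Simulate editing an intercepted request in the proxy: start from the
    form the browser built and overwrite any fields, hidden ones included."""
    return urlencode({**original, **overrides})


def _fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def vulnerable_checkout(body: str) -> float:
    """The 'hidden field manipulation' lesson: the server takes the price from
    a hidden input and relies on client-side JavaScript to bound the quantity."""
    form = _fields(body)
    return float(form["price"]) * int(form["qty"])


def hardened_checkout(body: str) -> float:
    """The fix: the client never decides the price, and every rule the
    JavaScript checked is checked again here, because the JavaScript may
    never have run (the proxy can rewrite the response that carries it)."""
    form = _fields(body)
    sku = form.get("sku")
    if sku not in CATALOG:
        raise RejectedRequest("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise RejectedRequest("qty is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise RejectedRequest("qty outside 1..%d" % MAX_QTY)
    # A client-supplied 'price' is ignored (and worth logging as a tamper signal).
    return CATALOG[sku] * qty


def demo() -> tuple:
    """Replay both lessons against both handlers."""
    browser_post = {"sku": "SKU-1001", "qty": "1", "price": "199.00"}
    # Lesson 1: rewrite the hidden price field.
    cheap = tampered_body(browser_post, price="0.01", qty="2")
    # Lesson 2: skip the client-side quantity check entirely.
    bulk = tampered_body(browser_post, qty="500")
    try:
        hardened_bulk = hardened_checkout(bulk)
    except RejectedRequest as exc:
        hardened_bulk = str(exc)
    return (vulnerable_checkout(cheap), hardened_checkout(cheap),
            vulnerable_checkout(bulk), hardened_bulk)


if __name__ == "__main__":
    print(demo())  # (0.02, 398.0, 99500.0, 'qty outside 1..10')
```

The hardened handler rejects out-of-range input rather than clamping it, and it never reads the price from the request at all: once a value can be edited in the proxy, the only safe place for it is the server.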
<br />
<br />
Erwin Geirnaert is CEO and co-founder of [http://www.zionsecurity.com ZION Security]. He is a renowned application security expert and has presented on web security at conferences such as Javapolis, Eurostar and OWASP. He is a board member of OWASP Belux and is actively involved in OWASP projects such as OWASP Java and OWASP WebGoat. Because of his technical background he loves to do security testing, code review and reverse engineering for Fortune 1000 companies in Europe. More information can be found on his LinkedIn profile: http://www.linkedin.com/in/erwingeirnaert.<br />
<br />
===== OWASP Evaluation and Certification Criteria Draft (Mark Curphey) =====<br />
Download [[:Image:OWASP_Day_-_Belgium_-_Curphey.pdf|presentation]].<br />
<br />
As opposed to my continuing to say what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such a way that a corporate could adopt/adapt it themselves as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate. <br />
<br />
[http://securitybuddha.com/about/ Mark Curphey] ran Foundstone consulting from 2003 until late 2006 during which time the company was sold to McAfee. Before joining Foundstone Mark was the Director of Information Security at Charles Schwab (responsible for the software security program) and has also worked for ISS and several financial services companies in Europe. Mark has a Masters degree in information security from Royal Holloway, University of London and was the original founder of the Open Web Application Security Project (OWASP).<br />
<br />
===== Automated Web FOO or FUD? (David Kierznowski) =====<br />
Download [[:Image:OWASPDay2007-Belgium-dwk.ppt|presentation]].<br />
<br />
We take a look into automated web application testing technologies and their effectiveness against real life applications. <br />
<br />
Also, we look into one of GNUCITIZEN's latest projects, the Technika Security Framework (TSF), which will enable users to automate security testing directly from their browser.<br />
<br />
[http://gnucitizen.org/about/dk David Kierznowski] currently works as a Senior Security Analyst for a leading penetration testing company in the UK. He has worked in the security industry for the past 6 years. David is also the founder of both [http://michaeldaw.org michaeldaw.org] and [http://blogsecurity.net blogsecurity.net] and is an active member of the [http://gnucitizen.org GNUCITIZEN] group.<br />
<br />
===== OWASP Pantera Unleashed (Simon Roses Femerling) =====<br />
Download [[:Image:OWASPDay2007Belgium_Pantera_Unleash.ppt|presentation]].<br />
<br />
The presentation will provide a glimpse into what Pantera can offer when performing blackbox web assessments. In the age of Web 2.0 we need powerful tools that provide rich and accurate information and let us turn that information to our advantage; that's what Pantera is all about. <br />
<br />
Simon Roses Femerling is a Security Technologist in the [http://blogs.msdn.com/ace_team/ ACE Team] at Microsoft, and formerly of PwC and @Stake. He has many years of security experience, during which he has authored and contributed to several open source security projects and advisories. Simon is a native of the island of Mallorca in the Mediterranean Sea. He holds a postgraduate degree in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts.<br />
<br />
===== CLASP, SDL and Touchpoints Compared (Bart De Win) =====<br />
Presentation pending paper publication.<br />
<br />
Over the years, specific methodologies and techniques for secure software engineering have been proposed, yet dedicated processes have become available only recently. In this presentation, the highlights of an activity-driven comparison of three high-profile processes for the development of secure software are presented.<br />
<br />
Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.<br />
<br />
===== Threats of e-insecurity in Belgium and the Belgian response (Luc Beirens, FCCU) =====<br />
Download [[:Image:OWASP_Day_Belgium_FCCU_e-insecurity.pdf|presentation]].<br />
<br />
The presentation will give a short overview of the current threats to the e-society in Belgium.<br />
How are the public and private sectors organized (or not) to tackle the different problems?<br />
What are the tasks of the police within this framework?<br />
<br />
Chief superintendent Luc Beirens has been engaged in computer forensics and cyber crime investigations since 1991, and has headed the Federal Computer Crime Unit of the Federal Police since 2001. Besides advising his detectives in ongoing cyber crime investigations, he is responsible for the reorganization, equipment and training of the Belgian police services concerned with cyber crime investigations. As a member of the European Working Party on Information Technology Crime (EWPITC) of Interpol since 1995 and of the EUROPOL cyber crime expert group since 2001, he has cooperated in writing several documents on computer forensics and cyber crime investigations. He lectures in these fields at several police academies and universities.<br />
He is involved in several organizations and platforms concerned with e-security, ICT forensics and combating cyber crime. Before his detective career, he worked from 1987 to 1995 as an analyst and project manager on the development of the Police Information System of the Belgian Gendarmerie. He holds master's degrees in criminology and information technology.<br />
<br />
===== For my next trick... hacking Web2.0 (pdp) =====<br />
Download [[:Image:OWASP_Day_Belgium_2007-pdp.ppt|presentation]].<br />
<br />
Web2.0, if I can summarize it with a few simple words, is all about communication, distribution, information, agents, clients and servers. Those who understand the 2.0 fundamentals have the power to manipulate the global Web to suit their needs - hackers, the new digital breed of the 2.0 world. Web2.0 hacking is a means of communicating and distributing critical information in a better way. It can be used to build ghost infrastructures from where to launch attacks - anonymously, no traces, nothing. Web2.0 hacking is also about the thin line between client-side and server-side security. It is about the endpoints and the electronic highways. It is about reaching the masses and yet being able to perform attacks on specific targets. Web2.0 hacking is also about distribution and influence, covert channels, bots, IA, ghosts inside the electronic frame. Web2.0 hacking is also a movement, a cyber subculture where individuals show their technical abilities and understanding of the world and use that to manipulate their way through the system.<br />
<br />
Web2.0 hacking practices should never be related to AJAX and JavaScript exploitation techniques only. Although it is true that client-side security has a significant part of the Web2.0 ecosystem, it is important to realize its role. There are far too many other aspects that we need to look into. My aim is to cover these aspects and reveal the hidden dangers.<br />
<br />
[http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a. pdp (architect), is the founder and leading contributor of the [http://gnucitizen.org GNUCITIZEN] group. He is a senior IT security consultant based in London, UK. His day-to-day work involves identifying vulnerabilities, building attack strategies and creating attack tools and penetration testing infrastructures. Petko is known in the underground circles as pdp or architect, but his name is well known in the IT security industry for his strong technical background and creative thinking. He has been working for some of the world's top companies, providing consultancy on the latest security vulnerabilities and attack technologies.<br />
<br />
==== San Antonio ====<br />
<br />
Here is the Bruce Jenkins presentation on Developing an Application Security Strategy for Large Enterprise Systems:<br />
[http://www.owasp.org/index.php/Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]<br />
<br />
==== Israel ====<br />
<br />
'''OWASP IL 8th meeting at the OWASP week''' - '''[http://www.owasp.org/index.php/8th_OWASP_IL_chapter_meeting Meeting program and presentations.]'''<br />
<br />
<br />
==== Turkey ====<br />
<br />
'''Introduction'''<br />
<br />
* [https://www.owasp.org/images/6/66/OWASP_DAY_TR.sub.ppt Turkish Subtitle] by Bedirhan Urgun (delete .ppt extension) for [http://www.owasp.org/downloads/OWASP_Day.wmv Jeff Williams's OWASP Day Intro movie] <br />
<br />
''' Privacy in Governmental Institutions - A Current State Analysis'''<br />
<br />
* [https://www.owasp.org/images/b/bc/OWASP2007_KamudaPrivacy.ppt OWASP2007_KamudaPrivacy.ppt]<br />
<br />
The presentation discusses how the concept of privacy is understood within governmental institutions and examines the general information security problems that relate to privacy. Starting from those general privacy problems, it then looks specifically at the privacy issues of web applications. Finally, concrete suggestions for establishing solid privacy protection in these institutions are presented.<br />
<br />
Hayrettin BAHŞİ<br />
Chief Researcher CC Lab-UEKAE TUBITAK<br />
<br />
''' Secure Web Application Development '''<br />
* [https://www.owasp.org/images/4/4b/Guvenli_Web_Uygulamalarinin_Gelistirilmesi2.ppt Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt] <br />
<br />
The presentation points out the vital role of security phases and touchpoints in the SDLC, specifically for web applications. It goes over the principles, patterns and threat modeling, as well as the other important factors that make up the specification, development and testing phases of a secure application process. <br />
<br />
Korhan GÜRLER Chief Researcher PRO-G<br />
<br />
'''Discussion'''<br />
<br />
Answers to Panel questions can be found at [http://www.owasp.org/index.php/Turkey] under the title of Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)<br />
<br />
==== Italy ====<br />
All presentations can be found [http://www.owasp.org/index.php/Italy#September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 here]<br />
<br />
==== Rochester ====<br />
<br />
2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]<br />
<br />
Abstract: Web application security vulnerabilities remain by far the most frequently reported vulnerability category. In spite of widespread use, and very frequent vulnerabilities, most web applications are still not being securely developed and deployed. The presentation will demonstrate why experts estimate that the percentage of vulnerable web applications ranges from 75% to 99%, and review the 2007 OWASP Top 10 web application security vulnerabilities.<br />
<br />
==== Ottawa ====<br />
<br />
* Presentation: What is Cardspace? By Christian Beauclair - Microsoft<br />
<br />
The impact of phishing and other forms of online identity fraud has grown enormously in the last few years. Today, people are starting to curb their activities online due to fears of phishing and fraud, and because they just can’t be bothered to fight through today’s online authentication systems such as multiple usernames and passwords, CAPTCHA controls and OTP tokens. In this session we’ll explore some of the core issues facing our identities online and then discuss how technologies such as Windows CardSpace enable users to authenticate and/or present personal information more easily and safely to sites that they know are legitimate.<br />
<br />
==== Seattle ====<br />
All presentations can be found [https://www.owasp.org/index.php/Seattle#Last_Event_06_Sep_.28Thurs.29 here].<br />
<br />
== Pictures (links to) ==<br />
<br />
<br />
== Chapter event reports ==<br />
<br />
==== Belgium ====<br />
* How many participants: 80+<br />
* How long did the event last: 8 hours<br />
* Pictures: (to upload)<br />
* Presentations: on the chapter page<br />
* Answers to Panel's questions: <br />
<br />
==== London ====<br />
* How many participants: 15<br />
* How long did the event last: 2 1/2 hours<br />
* Pictures: (Ivan to upload)<br />
* Presentations: (pdp to upload)<br />
* Answers to Panel's questions: (Ivan to provide)<br />
<br />
====Washington DC ====<br />
* How many participants: 50<br />
* How long did the event last: 5 hours<br />
* Pictures: none<br />
* Presentations: Links above<br />
* Answers to Panel's questions: No time for a panel<br />
<br />
Special thanks to the organizations that made the mini-conference possible. <br />
<br />
[http://www.honeyclient.org/trac/wiki MITRE HoneyClient project]<br />
<br />
[http://www.gt.com/ Grant Thornton LLC]<br />
<br />
[http://aspectsecurity Aspect Security]<br />
<br />
==== San Antonio ====<br />
* How many participants: 25<br />
* How long did the event last: 1 1/2 hours<br />
* Presentation: Bruce Jenkins "Developing an Application Security Strategy for Large Enterprise Systems" [http://www.owasp.org/index.php/Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]<br />
<br />
==== Turkey ====<br />
* How many participants: 10<br />
* How long did the event last: 3.5 hours<br />
* Pictures: (on Bunyamin)<br />
* Presentations: (look above)<br />
* Answers to Discussion questions: (look above)<br />
<br />
==== Israel ====<br />
* How many participants: 60<br />
* How long did the event last: 3 hours<br />
* Pictures: We seem to have had no geeks with 2-megapixel phone cameras (and the leader forgot his :-()<br />
* Presentations: [http://www.owasp.org/index.php/8th_OWASP_IL_chapter_meeting Meeting program and presentations.]<br />
<br />
==== Italy ====<br />
* How many participants: nearly 110 (160 subscriptions)<br />
* How long did the event last: 4.5 hours<br />
* Pictures: <br />
* Presentations: [http://www.owasp.org/index.php/Italy#September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 here]<br />
<br />
==== Rochester ====<br />
* How many participants: 11<br />
* How long did the event last: 2 hours<br />
* Presentation: 2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]<br />
* Meeting Minutes: [[Media:2007-09-10_Rochester_OWASP-Meeting-Minutes.pdf|PDF]]<br />
<br />
==== Ottawa ====<br />
* How many participants: 10<br />
* How long did the event last: 2.5 hours<br />
* Presentation: What is Cardspace? By Christian Beauclair - Microsoft<br />
<br />
[[Media:Windows_CardSpace_for_OWASP.zip|PowerPoint]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=OWASP_Week_September_2007&diff=22282OWASP Week September 20072007-10-10T03:41:24Z<p>Medelibero: /* Presentations (links to) */</p>
<hr />
<div>This page collects the outcome of the OWASP chapter events held during the week of 5 September to 12 September 2007 (see [[OWASP Day]])<br />
<br />
<br />
== Presentations (links to) ==<br />
<br />
<br />
==== Washington DC ====<br />
<br />
All presentations can be found at the link below. <br />
<br />
[[Washington_DC_LIVE-O]]<br />
<br />
==== Belgium ====<br />
<br />
===== Getting started with WebGoat & WebScarab (Erwin Geirnaert) =====<br />
Download [[:Image:OWASPDay2007Belgium_WebGoat-WebScarab.ppt|presentation]].<br />
<br />
In this tutorial you will learn how to use WebScarab to solve the lessons in WebGoat.<br />
<br />
Following points will be explained:<br />
* Configure WebScarab as a local proxy<br />
* Intercepte HTTP requests and responses<br />
* Modify HTTP requests to solve the lesson “Hidden field manipulation”<br />
* Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”<br />
* Use the session analysis tab in WebScarab<br />
* Use the web services tab in WebScarab<br />
* Use WebScarab to analyze Ajax XML messages<br />
<br />
'''!! Prerequisites:'''<br />
* Bring your own laptop with you! <br />
* Download [[OWASP_WebScarab_Project#Download|WebScarab]] onto your laptop<br />
* Download [[OWASP_WebGoat_Project#Download|WebGoat]] onto your laptop<br />
<br />
<br />
Erwin Geirnaert is CEO and co-founder of [http://www.zionsecurity.com ZION Security]. He is a renowned application security expert and has presented on various conferences like Javapolis, Eurostar, Owasp,… about web security. He is board member of OWASP Belux and actively involved in various OWASP projects like OWASP Java and OWASP WebGoat. Because of his technical experience he loves to do security testing, code review, reverse engineering,.. for Fortune 1000 companies in Europe. More information can be found on his LinkedIn profile: http://www.linkedin.com/in/erwingeirnaert.<br />
<br />
===== OWASP Evaluation and Certification Criteria Draft (Mark Curphey) =====<br />
Download [[:Image:OWASP_Day_-_Belgium_-_Curphey.pdf|presentation]].<br />
<br />
As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate. <br />
<br />
[http://securitybuddha.com/about/ Mark Curphey] ran Foundstone consulting from 2003 until late 2006 during which time the company was sold to McAfee. Before joining Foundstone Mark was the Director of Information Security at Charles Schwab (responsible for the software security program) and has also worked for ISS and several financial services companies in Europe. Mark has a Masters degree in information security from Royal Holloway, University of London and was the original founder of the Open Web Application Security Project (OWASP).<br />
<br />
===== Automated Web FOO or FUD? (David Kierznowski) =====<br />
Download [[:Image:OWASPDay2007-Belgium-dwk.ppt|presentation]].<br />
<br />
We take a look into automated web application testing technologies and their effectiveness against real life applications. <br />
<br />
Also, we look into one of GNUCITIZENs latest projects, The Technika Security Framework (TSF), which will enable users to automate security testing directly from their browser.<br />
<br />
[http://gnucitizen.org/about/dk David Kierznowski] currently works as a Senior Security Analyst for a leading penetration testing company in the UK. He has worked in the security industry for the past 6 years. David is also the founder of both [http://michaeldaw.org michaeldaw.org] and [http://blogsecurity.net blogsecurity.net] and is an active member of the [http://gnucitizen.org GNUCITIZEN] group.<br />
<br />
===== OWASP Pantera Unleashed (Simon Roses Femerling) =====<br />
Download [[:Image:OWASPDay2007Belgium_Pantera_Unleash.ppt|presentation]].<br />
<br />
The presentation will provide a glimpse into what Pantera can offer when performing blackbox web assessments. In the age of Web 2.0 we need powerful tools that provide us rich and accurate information and allows us to manipulate that information into our advantage, that's what Pantera is all about. <br />
<br />
Simon Roses Femerling is a Security Technologist at the [http://blogs.msdn.com/ace_team/ ACE Team] at Microsoft. Former PwC and @Stake. He has many years of security experience where he has authored and cooperated in several security Open Source projects and advisories. Simon is natural from wonderful Mallorca Island in the Mediterranean Sea. He holds a postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts.<br />
<br />
===== CLASP, SDL and Touchpoints Compared (Bart De Win) =====<br />
Presentation pending paper publication.<br />
<br />
Over the years, specific methodologies and techniques for secure software <br />
engineering have been proposed, yet dedicated processes have become available <br />
only recently. In this presentation, the highlights of an activity-driven <br />
comparison of three high-profile processes for the development of secure <br />
software are presented.<br />
<br />
Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.<br />
<br />
===== Threats of e-insecurity in Belgium and the Belgian response (Luc Beirens, FCCU) =====<br />
Download [[:Image:OWASP_Day_Belgium_FCCU_e-insecurity.pdf|presentation]].<br />
<br />
The presentation will give a short overview of the actual threats on the e-society in Belgium.<br />
How are public and private sector organized (or not) to tacle the different problems ?<br />
What are the tasks of the police within this framework ?<br />
<br />
Since 1991, chief superintendent Luc Beirens is engaged in computer forensics and cyber crime investigations. He is head of the Federal Computer Crime Unit of the Federal Police since 2001. Aside consulting his detectives in current cyber crime investigations, he is responsible for the reorganization, the equipment and the training of Belgian police services concerned with cyber crime investigations. As member of the European Working Party on Information Technology Crime (EWPITC) of Interpol since 1995 and the EUROPOL cyber crime expert group since 2001, he has cooperated in writing several documents concerning computer forensics and cyber crime investigations. He lectures in these fields at several police academies and universities.<br />
His is involved in several organizations and platforms that are concerned with e-security, ICT forensics and cyber crime combating. Before his detective career, he has worked from 1987 till 1995 as analyst and project manager on the development of the Police Information System of the Belgian Gendarmerie. He holds master degrees in criminology and information technology.<br />
<br />
===== For my next trick... hacking Web2.0 (pdp) =====<br />
Download [[:Image:OWASP_Day_Belgium_2007-pdp.ppt|presentation]].<br />
<br />
Web2.0, if I can summarize it with a few simple words, is all about communication, distribution, information, agents, clients and servers. Those who understand the 2.0 fundamentals have the power to manipulate the global Web to suit their needs - hackers, the new digital breed of the 2.0 world. Web2.0 hacking is a mean for communicating and distributing critical information in a better way. It can be used to build ghost infrastructures from where to launch attacks - anonymously, no traces, nothing. Web2.0 hacking is also about the thin line between client-side and server-side security. It is about the endpoints and the electronic highways. It is about reaching the masses and yet being able to perform attacks on specific targets. Web2.0 hacking is also about distribution and influence, covert channels, bots, IA, ghosts inside the electronic frame. Web2.0 hacking is also a movement, a cyber subculture where individuals show their technical abilities, and understandings of the world and use that to manipulate their way through the system.<br />
<br />
Web2.0 hacking practices should never be related to AJAX and JavaScript exploitation techniques only. Although it is true that client-side security has a significant part of the Web2.0 ecosystem, it is important to realize its role. There are far too many other aspects that we need to look into. My aim is to cover these aspects and reveal the hidden dangers.<br />
<br />
[http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), is the founder and leading contributer of the [http://gnucitizen.org GNUCITIZEN] group. He is a senior IT security consultant based in London, UK. His day-to-day work involves identifying vulnerabilities, building attack strategies and creating attack tools and penetration testing infrastructures. Petko is known in the underground circles as pdp or architect but his name is well known in the IT security industry for his strong technical background and creative thinking. He has been working for some of the world's top companies, providing consultancy on the latest security vulnerabilities and attack technologies.<br />
<br />
==== San Antonio ====<br />
<br />
Here is the Bruce Jenkins presentation on Developing an Application Security Strategy for Large Enterprise Systems:<br />
[http://www.owasp.org/index.php/Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]<br />
<br />
==== Israel ====<br />
<br />
'''OWASP IL 8th meeting at the OWASP week''' - '''[http://www.owasp.org/index.php/8th_OWASP_IL_chapter_meeting Meeting program and presentations.]'''<br />
<br />
<br />
==== Turkey ====<br />
<br />
'''Introduction'''<br />
<br />
* [https://www.owasp.org/images/6/66/OWASP_DAY_TR.sub.ppt Turkish Subtitle] by Bedirhan Urgun (delete .ppt extension) for [http://www.owasp.org/downloads/OWASP_Day.wmv Jeff Williams's OWASP Day Intro movie] <br />
<br />
''' Privacy in Governmental Insitutions - A Current State Analysis'''<br />
<br />
* [https://www.owasp.org/images/b/bc/OWASP2007_KamudaPrivacy.ppt OWASP2007_KamudaPrivacy.ppt]<br />
<br />
Presentation discusses the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues. Getting off with general privacy problems, in specific, information about the privacy issues related to web applications is given. Moreover, concrete suggestions on providing a solid privacy in these institutions are presented.<br />
<br />
Hayrettin BAHŞİ<br />
Chief Researcher CC Lab-UEKAE TUBITAK<br />
<br />
''' Secure Web Application Development '''<br />
* [https://www.owasp.org/images/4/4b/Guvenli_Web_Uygulamalarinin_Gelistirilmesi2.ppt Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt] <br />
<br />
Presentation points out the vitality of security phases and touchpoints in SDLC, web applications' in specific. It goes over the principles, patterns, threat modeling as well as other important factors that comprise specification, development, testing phases of a secure application process. <br />
<br />
Korhan GÜRLER Chief Researcher PRO-G<br />
<br />
'''Discussion'''<br />
<br />
Answers to Panel questions can be found at [http://www.owasp.org/index.php/Turkey] under the title of Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)<br />
<br />
==== Italy ====<br />
All presentations can be found [http://www.owasp.org/index.php/Italy#September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 here]<br />
<br />
==== Rochester ====<br />
<br />
2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]<br />
<br />
Abstract: Web application security vulnerabilities remain by the far the most frequently reported vulnerability category. In spite of wide spread use, and very frequent vulnerabilities, most web applications are still not being securely developed and deployed. The presentation will demonstrate why experts estimate the percentage of vulnerable web application range from 75% to 99% and review the 2007 OWASP top 10 web applications security vulnerabilities.<br />
<br />
==== Ottawa ====<br />
<br />
* Presentation: What is Cardspace? By Christian Beauclair - Microsoft<br />
<br />
The impact of phishing and other forms of online identity phraud has grown enormously in the last few years. Today, people are starting to curb their activities online due to fears of phishing and phraud and because they just can’t be bothered to fight through today’s online authentication systems such as multiple usernames and passwords, Captcha control and OTP tokens. In this session we’ll explore some of the core issues facing our identities online and then discuss how technologies such as Windows CardSpace enable users to authenticate and/or present personal information more easily and safely to sites that they know are legitimate.<br />
<br />
== Seattle ==<br />
All presentations can be found [https://www.owasp.org/index.php/Seattle#Last_Event_06_Sep_.28Thurs.29 here].<br />
<br />
== Pictures (links to) ==<br />
<br />
<br />
== Chapter event reports ==<br />
<br />
==== Belgium ====<br />
* How many participants: 80+<br />
* How long did the event last: 8 hours<br />
* Pictures: (to upload)<br />
* Presentations: on the chapter page<br />
* Answers to Panel's questions: <br />
<br />
==== London ====<br />
* How many participants: 15<br />
* How long did the event last: 2 1/2 hours<br />
* Pictures: (Ivan to upload)<br />
* Presentations: (pdp to upload)<br />
* Answers to Panel's questions: (Ivan to provide)<br />
<br />
====Washington DC ====<br />
* How many participants: 50<br />
* How long did the event last: 5 hours<br />
* Pictures: none<br />
* Presentations: Links above<br />
* Answers to Panel's questions: No time for a panel<br />
<br />
Special thanks to the Organizations that made the mini-conference possible. <br />
<br />
[http://www.honeyclient.org/trac/wiki MITRE HoneyClient project]<br />
<br />
[http://www.gt.com/ Grant Thornton LLC]<br />
<br />
[http://aspectsecurity Aspect Security]<br />
<br />
==== San Antonio ====<br />
* How many participants: 25<br />
* How long did the event last: 1 1/2 hours<br />
* Presentation: Bruce Jenkins "Developing an Application Security Strategy for Large Enterprise Systems" [http://www.owasp.org/index.php/Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]<br />
<br />
==== Turkey ====<br />
* How many participants: 10<br />
* How long did the event last: 3.5 hours<br />
* Pictures: (on Bunyamin)<br />
* Presentations: (look above)<br />
* Answers to Discussion questions: (look above)<br />
<br />
==== Israel ====<br />
* How many participants: 60<br />
* How long did the event last: 3 hours<br />
* Pictures: We seem to have no geeks with 2M phone cameras (and the leader forgot his :-()<br />
* Presentations: [http://www.owasp.org/index.php/8th_OWASP_IL_chapter_meeting Meeting program and presentations.]<br />
<br />
==== Italy ====<br />
* How many participants: nearly 110 (160 subscriptions)<br />
* How long did the event last: 4.5 hours<br />
* Pictures: <br />
* Presentations: [http://www.owasp.org/index.php/Italy#September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 here]<br />
<br />
==== Rochester ====<br />
* How many participants: 11<br />
* How long did the event last: 2 hours<br />
* Presentation: 2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]<br />
* Meeting Minutes: [[Media:2007-09-10_Rochester_OWASP-Meeting-Minutes.pdf|PDF]]<br />
<br />
==== Ottawa ====<br />
* How many participants: 10<br />
* How long did the event last: 2.5 hours<br />
* Presentation: What is Cardspace? By Christian Beauclair - Microsoft<br />
<br />
[[Media:Windows_CardSpace_for_OWASP.zip|PowerPoint]]</div>Medeliberohttps://wiki.owasp.org/index.php?title=Seattle&diff=22175Seattle2007-10-05T13:18:02Z<p>Medelibero: /* Next Event 06 Sep (Thurs) */</p>
<hr />
<div>{{Chapter Template|chaptername=Seattle|extra=The chapter leaders are [mailto:mikede@mde-dev.com Mike de Libero] and [mailto:scott@isecpartners.com Scott Stender] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}<br />
<br />
== Last Event 06 Sep (Thurs) ==<br />
09/06/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
Location: <br />
Bellevue Las Margaritas <br />
437 108th Ave NE<br />
Bellevue, WA 98004<br />
(425) 453-0535<br />
<br />
Time: 6 o'clock<br />
<br />
'''Speakers:'''<br />
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. <br />
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?<br />
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.<br />
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.<br />
<br />
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].<br />
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].<br />
<br />
== Past Events ==<br />
<br />
2/28/2007 @ 6PM PST - Seattle chapter meeting<br />
<br />
'''Details:'''<br />
<br />
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
<br />
Time: 6 o’clock. <br />
<br />
'''Speakers:'''<br />
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:<br />
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).<br />
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.<br />
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.<br />
<br />
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''', will be speaking on:<br />
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.<br />
<br />
== Past Meetings ==<br />
1/8/2007 @ 6 o'clock - Seattle chapter meeting. <br />
<br />
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)<br />
Time: 6 o’clock. <br />
<br />
Speakers:<br />
<br />
Ward Spagenberg of IOActive on the topic "Unraveling PCI".<br />
<br />
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order.<br />
We look forward to seeing you all there!</div>Medeliberohttps://wiki.owasp.org/index.php?title=File:Web_Hacking_101.pdf&diff=22174File:Web Hacking 101.pdf2007-10-05T13:15:55Z<p>Medelibero: Damon Cortesi's slides from his presentation given at the OWASP Seattle chapter meeting in September 2007.</p>
<hr />
<div>Damon Cortesi's slides from his presentation given at the OWASP Seattle chapter meeting in September 2007.</div>Medelibero