Kansas City August 2010 Meeting

Upcoming Meetings

Thanks to Steve Jensen for presenting at the KC-OWASP meeting on August 26.

Date: August 26, 2010 7:00 PM - 9:00 PM

Location: Johnson County Community College (JCCC), Room 175 in the Regnier Center.

Topic: Mobile Device Software Security and Testing

Agenda:

Topic: Mobile Device Software Security and Testing Presentation Introduction: - Why we care about these devices? - How enterprises are using these devices. - Personal data stored on these devices. - What we can do depends on the functionality implemented on the device - More and more apps are found to be malicious in some way.

iPhone: - What does "jailbreaking" actually do? - Installing SSH through Cydia. - Using WinSCP to view the underlying filesystem. - Files on the file system (sqlite databases, etc.) - Proxying WiFi traffic for request/response analysis & manipulation. - Proxying 3G traffic through a VPN connection running on a linux VM (currently researching and setting up). - Where are applications located on the device? - Extracting the applications off the phone for further analysis. - How to get at the application via iTunes if the iPhone is not jailbroken.

Android: - Rooting the device (not a hands on demonstration as this is version dependent). - Setting up SSH on the device. - Using WinScp to view underlying filesystem - Proxying 3G traffic through a VPN connection running on a linux VM (currently researching and setting up). - Where are the applications located on the device? - Extracting the applications off of the phone. - Unpackaging the applications. - Decompiling the applications to gain a better understanding of what they are doing.

Slides:

August 2010 Slide Deck in pdf format

Speaker:

 Steve Jensen, BT Global Services

Stephen Jensen has been performing web application security assessments for over 7 years. With a background as a software developer, it was his experiences within the software industry that led him to shift his focus more towards the security aspect of software. Stephen is an advocate of the SDLC (Security Development Lifecycle) development process, which attempts to include security as a primary objective within the requirements phase of the software development lifecycle, as well as throughout the entire development process.

Software and application security topics are open

Attendance of OWASP meetings is free and anyone interested in web application security is welcome to attend. Pass on this meeting announcement to anyone else that would benefit from joining us.

Please note:

• Attendance at an OWASP chapter meeting is free and open to anyone interested in web application security
• No registration is required, although RSVPs to the chapter leader are appreciated
• Professionals with CISSPs, or other certifications, can earn CPE credits by attending

We meet at least once a quarter to discuss application security. If you have an interesting topic you'd like to present or discuss at future meetings, please send an email to caughron[at]gmail com. Or, get a discussion going by posting a message to our mailing list.