Los Angeles/2013 Meetings

**December 18, 2013, Holiday Networking Party at Daily Grill - Downtown LA

Network with your OWASP peers as we celebrate the holidays and the end of a great year for our Los Angeles Chapter. **Free food and drinks.

**November 6, 2013, Symantec Offices, Culver City

Whiz, Bang, ZAP! An introduction to OWASP's Zed Attack Proxy

The OWASP Zed Attack Proxy (ZAP) is "an easy to use integrated penetration testing tool for finding vulnerabilities in web applications." The technology is comparable to IBM AppScan and HP WebInspect - but free, open source and maintained by OWASP volunteers. The project has seen a tremendous amount of development lately. Learn about the tool, what it can do for you, and optionally bring your laptop to follow along as we use it to test some (purposefully insecure) web applications.

Speaker: Ben Walther

Ben Walther is a security engineer, with a background consulting and teaching for Symantec, Cigital, and within higher education. He is the co-author of the Web Security Testing Cookbook and an active contributor to OWASP projects.

**October 2013 OWASP Monthly Meeting - re-scheduled to November meeting.

September 18, 2013, OWASP-ISSA Joint Meeting, The Olympic Collection Banquet & Conference Center, West Los Angeles, CA

Demonstration of Common Web Vulnerabilities using WebGoat.NET

Developers cannot defend against unknown threats. Understanding vulnerabilities and security controls is an absolute necessity – not only for developers, but for Architects, QA and anyone else involved in the creation of software. This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.

Speaker: Jerry Hoff, Whitehat Security, VP, Static Code Analysis Division; Managing Partner / Co-Founder

Jerry Hoff is Whitehat Security, VP, Static Code Analysis Division; Managing Partner / Co-Founder, INFRARED SECURITY; Former Developer Security Consulting & FTE Across The Board; Over 10,000 Hours Delivering Technical Training; MS In Computer Science, Washington University

August 28, 2013, Symantec Offices, Culver City

Layer 7 DDos Attacks

In this talk we will examine different DoS attack techniques used against cloud services. Many attacks discussed in the presentation target the application layer of the service, are highly efficient and asymmetric. In some cases, a single HTTP request of less than 50 bytes is sufficient to knock out a server until reboot. In addition to describing the attacks, we will also investigate the application design issues that lead to vulnerability, and demonstrate coding fixes as well as cloud based defenses that can be used to mitigate the problem.

Speaker: Cassio Goldschmidt is a former president of the OWASP Los Angeles Chapter

July 24 2013, Symantec Offices, Culver City

Security of Mobile Ad Hoc and Wireless Sensor Networks

Speaker: Edward Bonver

Edward Bonver, CISSP, CSSLP Senior Principal Software Engineer Product Security Team, Office of the CTO Symantec Corporation

June 26 2013, Symantec Offices, Culver City

I know where you live, I know what you like, I know your email password, and I know your MEID. Why? Because you told me, and you will tell me again in 5 minutes. You are the loudest guy in the room, and your mobile in your pocket is betraying you. I will be talking about the inherit vulnerabilities in mobile devices and how an attacker can exploit them easily. I will show you live demos of exploits and show you how to protect yourself.... if you can.

Speaker: Nicholas Lennox

Name: Nick #UNRESOLVED QUERY ERROR#

Twitter: @MrB0t

IP: 65.196.127.225 located in Arlington, United State // Probably VPN Coordinates: Thirty-eight degrees fifty-seven minutes six point five seconds north, seventy-seven degrees eight minutes forty-four seconds west

Country: United States

City: Langley

May 29 2013, Symantec Offices, Culver City

Cloud Computing – Security and Interoperability Perspectives

Many organizations are evaluating and migrating toward cloud computing solutions. In 2013, some the key challenges pertain to security and interoperability. Open cloud standards can help manage risks, while fostering efficient solution delivery.

Steven Woodward shares updates from numerous international cloud standards related organizations. In Canada, he leads several of the cloud computing initiatives in both the private and public sectors. This includes being one of the founding board members of the Cloud Security Alliance Canadian Chapter.

Steven describes key cloud ecosystems models; highlighting where security considerations fit, along with different perspectives on interoperability. Several real-life scenarios will be used, highlighting cloud concepts, security, interoperability and the impacts these can have on commitments (functionality, costs, time-to-value and quality). Service Agreements and Service Level Agreements will also be addressed to identify where you may find security and interoperability considerations specified in the contracts.

The presentation is designed to be interactive and will include some group activities to generate discussions and identify practical solutions.

Attendees of the presentation will leave with a better understanding of cloud security and interoperability considerations, plus be aware of reference material and models that help address those challenges.

Speaker: Steven Woodward

Steven Woodward is CEO and founder of Cloud Perspectives and is the Canadian Cloud Council Director of Cloud Governance. He was recently announced as the Chief Cloud Officer for “the Politburo”, a new innovative cloud provider based in Canada. He is a leading contributor to the National Institute of Standards for Technology (NIST), TM Forum, Object Management Group Cloud Standards Customer Council and the International Telecommunication Union (ITU) Joint Collaboration Activity cloud computing working groups.

Steven represents the Canadian Advanced Technology Alliance at the Shared Services Canada Architecture Advisory Committee and is helping define the Canadian Federal Government Cloud Computing Strategy. In addition to cloud standards and best practices guides, he authored the “Cloud Measurement” chapter in the 2012 CRC Press published book, “The IFPUG Guide to IT and Software Measurement.” In 2010 he was elected to the International Function Point Users Group (IFPUG) board of directors, where he is responsible for conferences and formed a, IFPUG metrics cloud computing community.

A frequent international instructor, presenter and leader, he continues fostering cloud collaboration in the industry and academia. From Los Angeles, he is travelling to Maui as keynote at the IEEE System of Systems Engineering conference.

April 24 2013, Symantec Offices, Culver City

Tales from the Crypt(o): Lessons About Secrecy from Julius Caesar to Moxie Merlinspike

Speaker#1: Tin Zaw

Tin Zaw is the former president of OWASP Los Angeles Chapter.

Speaker#2: Albert Tu

Honeypots along side IT security operations

Honeypots commonly take a strategic backseat to IT security operations. This has not stopped community based security professionals and enthusiasts to harness the advantages of the honeypot to form world wide networks capturing and sourcing malicious behavior. Communities that have become vendors found opportunity in higher quality IP lists as well providing deep expertise to provide solutions to anti-fraud behavior. The combination is always worth consideration if you are a customer.

Speaker#2: Albert Tu

Albert Tu is an information security professional at Farmers Insurance Exchange. His background is in vulnerability and risk management with a good amount of programming. He has a passion for solving problems of all sorts.

March 20 2013, Joint meeting with ISSA, Monterey Park

Securing Mobile Apps for the Enterprise

Securing Mobile Apps – that’s the big discussion today. The last couple of years enterprises have been attempting to meet this requirement by deploying client-intensive MDMs (Mobile Device Managers). This has left the apps being utilized by partners, suppliers and customers – completely unprotected. How do we meet the challenge of applying security authentication standards to these un-managed devices. This is what will be discussed/demo’d.

Speaker: Garret Grajek

Garret Grajek is a CISSP-certified security engineer with more than 20 years of experience in the information security and authentication space. As Chief Technical Officer and Chief Operating Officer for SecureAuth Corporation, Garret is responsible for the strategic direction of the company’s Identity Enforcement product offerings.

February 20 2013, Symantec Offices, Culver City

Secure Password Storage Practices

(or Why "Hashing + Salting != Secure Passwords")

Many web applications require passwords that are hard for users to remember, cumbersome to type, yet easy for hackers to crack. With affordable, lightning-fast hardware aiding hackers, we have recently seen a number of large organizations in the news for user-password security failures. Join us as we discuss common attacks on password lists/tables as well as some password storage practices that can make any cracking attempts not worth the attackers’ time.

Speaker: iMan Louis

iMan is a Senior Consultant with Cigital Inc., where he conducts security code reviews, ethical hacking, and web application security assessments for some of the largest global corporations. He has also developed courseware for Cigital's Defensive Programming course series and delivered instructor-led training for many years. He brings 12 years of experience in software development and application security. iMan has recently moved from San Francisco to the Greater L.A. area and is looking forward to being an active member of our L.A. OWASP chapter.

January 23 2013, Symantec Offices, Culver City

Top Ten Web Defenses

We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Website developers must learn to code in a secure fashion to have any chance of providing organizations with proper defenses in the current threat-scape. The session will provide specific tips and guidelines to make website code both low risk and less vulnerable.

Speaker: Jim Manico

Jim is the VP of Security Architecture for WhiteHat Security. Jim is also the host of the OWASP Podcast Series, is the committee chair of the OWASP Connections Committee, is the project manager of the OWASP Cheatsheet series, and is a significant contributor to several additional OWASP projects. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Security and others. He brings 16 years of database-driven Web software development and analysis experience to WhiteHat and OWASP as well. Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.