This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Washington DC

Jump to: navigation, search

OWASP Washington DC

Welcome to the Washington DC chapter homepage. The chapter leaders are Emily Verwee, Andrew Weidenhamer and Bryan Batty.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local News

Next Meeting - The Groovy Landscape & Grails Security 6:30PM Thursday, July 10th UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC

Everyone is welcome to join us at our chapter meetings.

Welcome to the Home Page of the Washington DC OWASP Chapter.

  • You can follow us on Twitter as @OWASPDC
  • Our recent meetings are documented on the News & Meetings tab.

Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.

Next Meeting - The Groovy Landscape & Grails Security

The next meeting will be on Thursday, July 10, 2014 from 6:30 PM to 8:30 PM (EDT) at

Location: UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC

Please RSVP for the event here:

Presentation Overview: 1st Talk - "The Groovy Landscape"

This talk is geared to those who are new to Groovy and the goal is to put the Groovy language in is proper context. We will try to answer the following questions:

What are the properties of the language? When and why was it developed? Who is using it and who maintains it? Where can I use it? How do I get started or contribute to development?

2nd Talk - "Grails Security"

Grails is a framework developed for Groovy in the vein of Rails for Ruby. It provides a lot of features for web app security, but does it do enough? What might you need to implement yourself, and what might be provided? This presentation will discuss tips on securing Grails applications, including tools that the framework provides by default for security. It'll also discuss several shortcomings in the current toolset, and how you can avoid them.

Speaker: David James - David is a software developer and consultant who helps enterprise clients deliver software that makes a business impact. He has been developing applications on the JVM for fifteen years and leverages Groovy on a daily basis. David is involved in the Arlington coworking community and is the founder of the DC Groovy user group.

Cyrus Malekpour - Cyrus (@cmalekpour) is a software developer at nVisium, working on web app development and security. He's currently an undergraduate student at the University of Virginia, where he's studying computer science with an emphasis on security and backend development. Most of his passion is in designing and developing secure applications, but he also has an interest in breaking into things. In his free time, he likes to read, watch movies, and cycle.

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the Mailing List.

You can follow us on Twitter as @OWASPDC <twitter>23609877</twitter>

Archives from earlier meetings than contained on this page can be found in the Washington_DC Archives

May 2014 Meeting

Presentation Overview: As mobile dating applications grow in popularity, so does our interest in the security posture behind them. There are a vast number of mobile dating applications available for use today by anyone with a smart phone. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly.

We will cover popular features such as location-based services, analytics, sharing of information, in-app purchasing, and any other features we discover to be interesting. We will analyze the type of personal data being stored within these applications, communication channels used to transmit information, hardware interaction with the application, and interaction with other applications on the device. We will answer the big questions posed by those who use these apps or want to use these apps: Are these applications disclosing sensitive information? How private is the communication between me and another user? How can I be sure my data is being protected?

This talk will feature highlights from popular, obscure, and scary dating applications to answer a simple question: “Can you find love on the Internet without having your personal data exposed?”

Speaker: Jack Mannino is an Application Security expert with over a decade of experience building, breaking, and securing into complex systems. Jack is Co-Founder and CEO of nVisium, while also leading research and development initiatives. With experience developing in Java, Objective-C, and C#, he performs risk assessments and penetration tests for Fortune 500 companies and government agencies. Jack also founded and leads the OWASP Mobile Application Security Project, which is a global initiative to build secure development standards for mobile. He is an active Android security researcher with a keen interest in large-scale security analysis.

Abdullah Munawar is an Application Security consultant at nVisium who specializes in mobile application testing and ripping apart new things. With over 7 years of experience, Abdullah previously worked on the security teams at financial and aviation organizations. Abdullah attempts humor on a daily basis and succeeds most of the time, every time.

March 2014 Meeting

Presentation Overview: How is identity and access management (IAM) implemented in your in-house applications? Do the developers who implement it have IAM expertise? Does every team implement their own IAM? Enterprise framework development teams with IAM expertise can address the problem by creating APIs that enable developers without IAM expertise to implement the IAM correctly. This presentation explains what an enterprise identity API is, why it's worthwhile to create one and how it might be done.

Speaker: Adam Migus (@amigus) - Adam currently works as an IT architect helping his clients devise and execute technology strategy. Prior to that he was a Principal Security Architect at E*TRADE Financial where he created APIs as a means to improve software security. Adam believes that software quality is critical to software security and that many application security concerns can be addressed through enterprise APIs. He's also held positions at McAfee and Symantec. He earned his B.Sc. in Computer Science from Memorial University of Newfoundland, where he also started his career in earnest as a network administrator.

February 2014 Meeting

Presentation Overview: Bojan Simic will provide a short background into Bitcoin and how it works. He will then provide some of his firsthand experiences with the state of Bitcoin businesses with regard to security and how many individuals are (insecurely) handling their Bitcoins. These experiences will demonstrate some "hacks" that pertain to the OWASP Top 10 as well as other types of vulnerabilities. The talk will include an overview of simple security steps that individuals and businesses who are working with Bitcoin should take to in order to mitigate the chance of hackers stealing Bitcoin and Personally Identifiable Information (PII) from them and their customers.

Speaker: Bojan is a security engineer in the industry as well as the founder and main contributor to the Bitcoin Security Project ( The project is a free and open source resource that is dedicated to spreading security awareness across the Bitcoin community by helping individual bitcoin holders and businesses follow security best practices. These practices ensure better security of individual holders' investments and Bitcoin business customers.

Professionally, Bojan has performed hundreds of penetration tests, threat modeling, and security code reviews of different applications. These reviews identify vulnerabilities associated with software, the network software, and infrastructure they are deployed on. He also performs research in the field of web application security and teaches developer training on web application best practices, architecture, and security.

January 2014 Meeting

Summary: This talk will include how organizations build AppSec programs, how to gain Executive and organizational-wide acceptance to your AppSec program and the current trends within the application security industry.

If you have a specific question you would like discussed please just send Rinaldi or Mike McCabe an email and they will try to incorporate it into the talk.

Let's help each other start off 2014 strong in implementing your AppSec goals/resolutions! We understand you may have an unique environment but there are common themes between disparate environments. We can learn from the those themes and you can take them to your place of development and apply them accordingly. This discussion will be appealing to developers, project/program managers, application security leads and security professionals.

""Bios"": We are going to kick-off the year in a panel format with experts in the industry from the DC area. The panel will include:

• Lee Aber, Director, Information Security at Opower • Kevin Greene, Software Assurance Program Manager at DHS S&T • Rich Ronston, Director, Security at Deltek • Jack Mannino, Chief Security Officer at nVisium & OWASP NoVA Lead [Moderator]

July 2012 Meeting

Topic: OWASP Top Ten Tools and Tactics

Abstract: If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.

Bio: Russ McRee is a senior security analyst, researcher, and founder of, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th ranked Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).

8:15-9:15 Speaker: Kevin Johnson

Topic: Ninja Assessments: Stealth Security Testing for Organizations

Abstract: Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of the web applications. These techniques are designed to be implemented easily and with little impact on the work load of the staff.

Bio: Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.

May 2012 Meeting

Speaker: Rohit Sethi, Vice President, Product Development, SD Elements

Topic: Is There An End to Testing Ourselves Secure?

Abstract: Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance.

This talk is an open discussion about the presence, if any, of scalable, measurable, approaches working to address security into the SDLC. Consideration for how Agile development impacts effectiveness will be explored.

Points of discussion include:

· Is static analysis sufficient? · Developer awareness training · Threat modeling / architecture analysis · Secure requirements · Considerations for procured applications

Bio: Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

Register for the meeting at

March 2012 Meeting

March 15th at 6:30-7:30pm at LivingSocial's 1445 New York Ave NW office location on the first floor at the @hungryacademy.

Please RSVP for the event here:

Speaker: Alissa Torres

Topic: Application Footprinting

Abstract: Application footprinting is a great skill for forensic examiners (and anyone interested in binary research) because it allows you to marry artifacts in the registry/file creation/time/date stamps with specific applications or user initiated events. Eventually, during the course of an investigation, an examiner is going to run into a "new" problem - one that hasn't previously been experienced/researched by others in the field. Application footprinting is a simple method that examines the interaction of a program with the operating system. The process of footprinting will determine if the application was installed on the system being investigated, what trace evidence exists and how that can be mined. This presentation will include a demo of Active Registry Monitor and its use in tracking changes made to the Windows Registry by an open source ssh client.

Bio: Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s from University of Maryland in Information Technology. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.

December 2011 Meeting

The December 21st meeting was held at 1445 New York Ave NW (Living Social) in Washington DC.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.

  • Please Register for the meeting. This helps us get a head count for food and beverages
  • Ken Johnson and (maybe) Chris Gates will speak on the New Features in the Web Exploitation Framework (wXf)
  • Doug Wilson and Mark Bristow will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an Important Announcement for 2012. Don't miss it!

Location Info Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.

About our Speakers

Ken Johnson
Ken Johnson is a Senior Security Architect for responsible for securing mobile applications, web services and web applications. Additionally he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with Sushi or getting demolished in Call of Duty

Chris Gates
Abstract: Updates in wXf - Coming Soon

Our September Meeting was September 29th 6:30pm at 2445 M Street NW Washington, DC 20037


  • John Steven will speak on Assessing your Assessment Practice
  • Krystal Moon and Quang Pham will speak on DHS Software Assurance Pocket Guides
  • Doug Wilson and Mark Bristow will update on current and upcoming events.

About our Speakers

John Steven
John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

Abstract: Assessing your Assessment Practice - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?
In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.
Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.

Krystal Moon
Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason Univeristy.
Quang Pham
Quang Pham is a Cyber Security Analyst at SRA International, INC. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering at Penn State and has been at SRA for 9 months.

Abstract: Software Assurance Pocket Guides - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.
Secure Coding
Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.
Architecture and Design Considerations for Secure Software
The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.

Facility Sponsor: Anonymous      Refreshment Sponsor: BlueCanopySponsoLogo.jpg       

August 2011 Meeting

Our next meeting is August 24th at 1445 New York Ave NW (Living Social) in Washington DC.

Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.

  • Please REGISTER HERE if you are going to attend so we have an accurate head count.
  • Julian Cohen will speak on Cross-Origin Resource Inclusion in HTML5
  • Doug Wilson & Mark Bristow will update on current and upcoming events.

About our Speaker

Julian Cohen
Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.
Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.
Cross-Origin Resource Inclusion in HTML5 - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered throughly and w3c specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.

Facility Sponsor: Living Social      Refreshment Sponsor: Living Social  Stratum Security

July 2011 Meeting

Our next meeting is July 21st 6:00pm 2445 M Street NW Washington, DC 20037 (*NOTE NEW LOCATION*)

  • Please Register Here
  • Jack Mannino will speak on Building Secure Android Applications
  • Doug Wilson & Mark Bristow will update on current and upcoming events.

NEW LOCATION Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room

About our Speakers

Jack Mannino
Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.
Building Secure Android Applications - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.
This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.
Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.
At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.

Facility Sponsor: Anonymous      Refreshment Sponsor: Securicon.gif       

March 2010 Meeting

  • Jeff Ennis from Veracode will be presenting on Application Risk Management
  • Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
  • Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA
  • Doug Wilson will update on plans for future meetings and upcoming events.

About our Speakers

Jeff Ennis

Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape.. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.
Application Risk Management - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.

Dan Philpott

Dan is the maintainer of, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.

Chuck Willis

Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.

December 2009 Meeting

  • Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
  • We will be recapping and discussing AppSecDC and the OWASP Summit
  • We will discuss other recent events such as the DHS Software Assurance Forum Conference
  • We will be talking about the coming year and upcoming events
  • We will open up the floor for discussion of current events or concerns.

Addition to Agenda

Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.

September 2009 Meeting

XAB -- The Abstract:

Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.

XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.

During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.

About our speakers:

Matthew Flick, Principal FYRM Associates

Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.

Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.

Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.

Jeff Yestrumskas Sr. Manager InfoSec @ Cvent

Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.

August 2009 Meeting

About our speakers:

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.
Vulnerability Management in an Application Security World
This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
Michael Smith is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at and covers security management, public policy, regulations and laws, and technical solutions.
SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.

April Meeting Debrief

We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.

Our big announcement of the meeting was that we are kicking off the Call for Papers for AppSec DC 2009, slated for November 10-13 at the DC Convention Center.

We'd also like to thank:

  • George Washington University and their great staff for the meeting space and A/V support
  • Securicon and Mark Bristow for arranging refreshements.

We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our mailing list!

April 22nd 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at 2201 G St. NW Washington, DC 20037

This month, we will have Jon Rose speaking about Flash Remoting and Deblaze.

Deblaze - A remote method enumeration tool for flex servers.
Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.
This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.
The latest version can be found at

Doug Wilson will also discuss the recent OWASP Software Assurance Day that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.

We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.

You can RSVP for the event on

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

February 5th 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting is in Duques Hall, Room 553, which is located at 2201 G St. NW Washington, DC 20037

This month's agenda:

  • 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
  • 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
  • 7:45 - 8:00 Break
  • 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra

You can RSVP for the event on

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

December Meeting Debrief

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentationto the Wiki, but the slides don't do the commentary justice. It can be found here.

We also took care of some housekeeping stuff:

  • We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
  • The OWASP DC Chapter will be hosting OWASP AppSec 2009 sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
  • Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found here
  • Our next chapter meeting will be held in Feburary, topics TBD but we are soliciting speakers.

To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.

December 10th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Presentation by Kevin Johnson, InGuardians
  • Round table Discussion of Portugal Summit
  • Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on

October 15th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Adam Vincent, Hacking and Hardening Web Services
  • Doug Wilson, Report on AppSec NYC 2008
  • Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.

The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware.

In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.

In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.

The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.

<paypal>Washington DC</paypal>

September Meeting:

Facility Sponsor: UberOffices      Refreshment Sponsor: Still Open!