Boulderchaptermeetings2007.html - Revision history

Andylew: /* '''''September Meeting Notes''''' - Jeremiah Grossman - Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company */

2008-04-01T02:56:33Z

‎'''''September Meeting Notes''''' - Jeremiah Grossman - Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company

Andylew at 23:02, 18 March 2008

2008-03-18T23:02:14Z

Andylew at 23:01, 18 March 2008

2008-03-18T23:01:15Z

Andylew: /* Notes From Previous Meetings */

2008-03-18T22:55:53Z

‎Notes From Previous Meetings

Andylew at 22:54, 18 March 2008

2008-03-18T22:54:00Z

Andylew: New page: == Notes From Boulder OWASP 2007 Meetings == === '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) === '''Security and AOP...

2008-03-18T22:50:59Z

New page: == Notes From Boulder OWASP 2007 Meetings == === '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) === '''Security and AOP...

New page

== Notes From Boulder OWASP 2007 Meetings ==

=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===
'''Security and AOP (Aspect Oriented Programming)'''

Many thanks to [http://www.cexp.com Corporate Express] for providing the facilities, to [http://www.coalfiresystems.com Coalfire Systems] for providing dinner, and to [http://www.fortifysoftware.com/ Fortify Software] for providing the speaker!

Speaker: Patrick White, Program Manager for .[http://www.fortifysoftware.com/ Fortify Software].

Topic: Security and AOP

Aspect Oriented Programming is an incredibly interesting methodology that has gradually gained popularity over the years. As interesting as the concepts are, they are often admittedly difficult to actualize. In this talk Patrick will be examining what AOP is and how it can make a real and meaningful impact during your development. In addition, he'll look at how powerful security features can be added to an application using AOP either in sync or out sync with development.

Bio: Patrick White is a Program Manager at Fortify Software. He holds a BS in Computer Engineering and Computer Science from the University of Southern California and has earned numerous Microsoft certifications including MCSE, MCSD, and MCPD. He previously worked for several Bay Area startups and was at Microsoft before joining the Fortify Software team.

Patrick's presentation can be found here:
https://www.owasp.org/images/2/27/SecurityAndAOPII_FortifySoftware20071115.pdf
'''''Yeah, sometimes it's OK to bolt on security after the fact...'''''

=== '''''September Meeting Notes''''' - Jeremiah Grossman - Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company ===
'''First Boulder OWASP Meeting was held September 20th, 2007'''
Jeremiah's presentation was OUTSTANDING and MUCH APPRECIATED. Jeremiah kindly allowed it to be posted here:

https://www.owasp.org/images/f/f8/OWASP_Boulder_09202007.pdf

MANY THANKS to Whitehat Security[http://www.whitehatsec.com], Corporate Express[http://www.cexp.com/], Business Partner Solutions[http://www.businesspartnersolutions.com/], and all who attended for making this a success!

There was also a brief discussion about integrating security into the SDLC. Here's a link for a GREAT presentation done by Michael Walters. Note the diagrams on slide 13:

http://www.squadco.com/presentations/OWASP_Denver.pdf

Also, if your QA team isn't aware of SQuAD (the Software Quality Association of Denver) you may want to point them to www.squadco.com as a resource.

'''''September Meeting'''''
'''First Boulder OWASP Meeting to be held September 20th, 2007'''

Site:
'''Corporate Express US Headquarters'''
[http://www.cexp.com/]
1 Environmental Way
Broomfield, CO 80021

Time: Dinner and beverages will be available starting at 6 PM, compliments of [http://www.businesspartnersolutions.com/ Business Partner Solutions]. Presentation will start at 6:30.

Speaker: Jeremiah Grossman, CTO of [http://www.whitehatsec.com WhiteHat Security].

Topic: Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company

To date, information security has been focused mainly on vulnerabilities at the network and software (OS, web server, etc.) levels. However, a new battleground is quickly developing that poses an even greater threat to companies’ brands/reputations and data. As companies drive more and more business processes to the web, vulnerabilities in their custom Web applications have become the new target for a new class of hackers. And the payoff is now financial gain, not personal notoriety.

Jeremiah Grossman will:
– Reveal the top 10 attacks of 2006 by creativity and scope
– Predict what these attacks mean for website vulnerability management in 2007
– Present strategies to protect your corporate websites

Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

@@ Line 56: / Line 56: @@
 Bio:  Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
-== Local News ==
+== Local News 2007 ==
   '''XSS defense - the "dimuitive worm contest"'''

← Older revision		Revision as of 22:55, 18 March 2008
Line 1:		Line 1:
−	== Notes From ~~Previous~~ Meetings ==	+	== Notes From Boulder OWASP 2007 Meetings ==
−
−	~~=== '''''February 2008 Meeting Notes - Michael Sutton - SQL Injection''''' ===~~
−	~~The sponsor was HP, and the speaker was Michael Sutton of [https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201_4000_100__ HP/SPI Dynamics]. Topics included:~~
−
−	~~1. Data tampering via SQL injection (verbose and blind)~~
−
−	~~2. Guidance regarding WHAT TO DO and WHAT RESOURCES ARE AVAILABLE for input validation (aka data validation).~~
−
−	~~3. SQL injection against AJAX~~
−
−	~~4. Intro and results of Michael Sutton's FUGGLE project~~
−
−	~~Michael's slide deck is available in PDF format [https://www.owasp.org/index.php/Image:Sutton_-_Revisiting_SQL_Injection.pdf Sutton:Revisiting SQL Injection]~~
−
−	'''Michael Sutton''' is the co-author of [http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119 "Fuzzing : Brute Force Vulnerability Discovery"] and the Security Evangelist for SPI Dynamics, recently acquired by HP. Michael is responsible for identifying, researching and presenting on emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored much literature and is regularly quoted in the media on various information security topics. Michael is also a member of the Web Application Security Consortium (WASC), where he is project lead for the Web Application Security Statistics project.
−
−	Prior to joining SPI Dynamics, Michael was the Director for iDefense Labs, a team of world class researchers tasked with discovering and researching security vulnerabilities. Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He holds degrees from the University of Alberta and The George Washington University.
−
−	~~=== '''''January 2008 Meeting Notes - Aman Garg - Web App Protection, Tips for QA and Testing ''''' ===~~
−
−	~~Aman Garg of [http://www.tippingpoint.com TippingPoint] presented '''"Success Stories for Resolving App Security Bugs"'''.~~
−	The 2 things that got my attention were common evasion techinques and his commitment to spending ~20% of available testing/QA time doing UNstructured testing. It must be working - [http://www.tippingpoint.com TippingPoint] is the market leader in the IPS space. Many thanks to Aman for presenting, to [http://www.tippingpoint.com TippingPoint] for sponsoring, and to [http://www.cexp.com Corporate Express] for hosting as we all try to get better at writing more secure code!
−
−	~~----~~
−	~~Outline for January 17th:~~
−
−	~~Web app protection~~
−
−	* php exploit demo
−	* primer on php vulnerabilities and various layers at which these can be exploited
−	* primer on XSS (cross site scripting) vulnerabilities
−	* what you can do to make your web apps more secure
−
−	~~My experiences running QA/testing at TippingPoint~~
−
−	* conventional wisdom in testing (make a million test cases, really comprehensive regression testing)
−	* challenges in testing
−	* tradeoff between responsiveness and thorough QA cycle
−	* making processes secure & tamper proof
−	* architecture issues - separating platform from application
−	* best practices & recommendations from my experience
−
−	~~----~~
−
−	Aman's Bio: A veteran in the network security industry with over 10 years of experience, Aman Garg is currently Principal Architect at TippingPoint, where his current work focuses on design and research for new products and solutions, partnerships with other solution providers, and prototyping technology concepts. He has worn several different hats at TippingPoint - most recently, running the market /competitive analysis group, and leading the certification effort of TippingPoint products by NSS & ICSA Labs.
−
−	Mr. Garg holds an MBA from University of Texas Austin, a Masters in Electrical Engineering from Texas A&M University, and a bachelors in Electrical Engineering from Indian Institute of Technology, Kanpur. His interests are in network security and network performance testing arenas. His research work on mitigating Denial of Service attacks has been cited by several academic journals.

	=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===		=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===

← Older revision		Revision as of 22:54, 18 March 2008
Line 1:		Line 1:
−	== Notes From ~~Boulder OWASP 2007~~ Meetings ==	+	== Notes From Previous Meetings ==

		+	=== '''''February 2008 Meeting Notes - Michael Sutton - SQL Injection''''' ===
		+	The sponsor was HP, and the speaker was Michael Sutton of [https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201_4000_100__ HP/SPI Dynamics]. Topics included:
		+
		+	1. Data tampering via SQL injection (verbose and blind)
		+
		+	2. Guidance regarding WHAT TO DO and WHAT RESOURCES ARE AVAILABLE for input validation (aka data validation).
		+
		+	3. SQL injection against AJAX
		+
		+	4. Intro and results of Michael Sutton's FUGGLE project
		+
		+	Michael's slide deck is available in PDF format [https://www.owasp.org/index.php/Image:Sutton_-_Revisiting_SQL_Injection.pdf Sutton:Revisiting SQL Injection]
		+
		+	'''Michael Sutton''' is the co-author of [http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119 "Fuzzing : Brute Force Vulnerability Discovery"] and the Security Evangelist for SPI Dynamics, recently acquired by HP. Michael is responsible for identifying, researching and presenting on emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored much literature and is regularly quoted in the media on various information security topics. Michael is also a member of the Web Application Security Consortium (WASC), where he is project lead for the Web Application Security Statistics project.
		+
		+	Prior to joining SPI Dynamics, Michael was the Director for iDefense Labs, a team of world class researchers tasked with discovering and researching security vulnerabilities. Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He holds degrees from the University of Alberta and The George Washington University.
		+
		+	=== '''''January 2008 Meeting Notes - Aman Garg - Web App Protection, Tips for QA and Testing ''''' ===
		+
		+	Aman Garg of [http://www.tippingpoint.com TippingPoint] presented '''"Success Stories for Resolving App Security Bugs"'''.
		+	The 2 things that got my attention were common evasion techinques and his commitment to spending ~20% of available testing/QA time doing UNstructured testing. It must be working - [http://www.tippingpoint.com TippingPoint] is the market leader in the IPS space. Many thanks to Aman for presenting, to [http://www.tippingpoint.com TippingPoint] for sponsoring, and to [http://www.cexp.com Corporate Express] for hosting as we all try to get better at writing more secure code!
		+
		+	----
		+	Outline for January 17th:
		+
		+	Web app protection
		+
		+	* php exploit demo
		+	* primer on php vulnerabilities and various layers at which these can be exploited
		+	* primer on XSS (cross site scripting) vulnerabilities
		+	* what you can do to make your web apps more secure
		+
		+	My experiences running QA/testing at TippingPoint
		+
		+	* conventional wisdom in testing (make a million test cases, really comprehensive regression testing)
		+	* challenges in testing
		+	* tradeoff between responsiveness and thorough QA cycle
		+	* making processes secure & tamper proof
		+	* architecture issues - separating platform from application
		+	* best practices & recommendations from my experience
		+
		+	----
		+
		+	Aman's Bio: A veteran in the network security industry with over 10 years of experience, Aman Garg is currently Principal Architect at TippingPoint, where his current work focuses on design and research for new products and solutions, partnerships with other solution providers, and prototyping technology concepts. He has worn several different hats at TippingPoint - most recently, running the market /competitive analysis group, and leading the certification effort of TippingPoint products by NSS & ICSA Labs.
		+
		+	Mr. Garg holds an MBA from University of Texas Austin, a Masters in Electrical Engineering from Texas A&M University, and a bachelors in Electrical Engineering from Indian Institute of Technology, Kanpur. His interests are in network security and network performance testing arenas. His research work on mitigating Denial of Service attacks has been cited by several academic journals.

	=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===		=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===

@@ Line 24: / Line 24: @@
 https://www.owasp.org/images/f/f8/OWASP_Boulder_09202007.pdf
-MANY THANKS to Whitehat Security[http://www.whitehatsec.com], Corporate Express[http://www.cexp.com/], Business Partner Solutions[http://www.businesspartnersolutions.com/], and all who attended for making this a success!
+MANY THANKS to [http://www.whitehatsec.com Whitehat Security], [http://www.cexp.com/ Corporate Express], [http://www.businesspartnersolutions.com/ Business Partner Solutions], and all who attended for making this a success!
 There was also a brief discussion about integrating security into the SDLC.  Here's a link for a GREAT presentation done by Michael Walters.  Note the diagrams on slide 13:
@@ Line 36: / Line 36: @@
 Site:
-'''Corporate Express US Headquarters'''
+[http://www.cexp.com/ '''Corporate Express US Headquarters''' ]
 Environmental Way
 Broomfield, CO 80021

@@ Line 1: / Line 1: @@
-== Notes From Boulder OWASP 2007 Meetings ==
+== '''Notes From Boulder OWASP 2007 Meetings''' ==
-=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming (bolting security on effectively) ===
+=== '''''November Meeting Notes''''' - Patrick White - Aspect-Oriented Programming ===
 '''Security and AOP (Aspect Oriented Programming)'''
@@ Line 55: / Line 55: @@
 Bio:  Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!