Cleveland - Revision history

Csatink: Adding Q1 2018 Meeting Info

2017-11-21T19:55:10Z

Adding Q1 2018 Meeting Info

Csatink: added most recent past presentation info

2017-11-21T19:53:19Z

added most recent past presentation info

Csatink: Added details of next event

2017-09-22T13:28:17Z

Added details of next event

Csatink: added detail on past event

2017-09-22T13:26:21Z

added detail on past event

Csatink: /* Past Events: */

2017-03-03T21:45:03Z

‎Past Events:

Csatink: /* Upcoming Meetings */

2017-03-03T21:39:09Z

‎Upcoming Meetings

Csatink: /* Upcoming Meetings */

2016-10-04T13:30:42Z

‎Upcoming Meetings

Csatink: /* Upcoming Meetings */

2016-10-04T13:29:49Z

‎Upcoming Meetings

Csatink: /* Past Events: */

2016-10-04T13:27:44Z

‎Past Events:

Csatink: /* Upcoming Meetings */

2016-03-28T20:52:59Z

‎Upcoming Meetings

@@ Line 5: / Line 5: @@
 ----
 == Upcoming Meetings ==
-'''October 5, 2017 at 11:30 AM'''
+'''January 4, 2018 at 11:30 AM'''
 All meetings are held at SecureState (23340 Miles Road Bedford Heights, OH 44128)
-'''Presentation: Hands-on Demonstration of Common Web Application Penetration Testing Tools'''
+'''Presentation: How to Implement a Security Awareness Training Program'''
-Web application penetration testing tools are a critical element to validating the security of web applications. These tools typically work by injecting a series of malicious payloads within insertion points in HTTP requests and analyze deviations within responses returned by the application to identify the existence of vulnerabilities.
+The yearly Security Week at Hyland Software is the culmination of their security awareness program. Presenters Márion Nepomuceno and Josh Gatka will share its history, details, decisions and lessons that continue to lead them towards an increasingly successful program not only during SecWeek, but every other week of the year.
-Presenter Ryan Brown will deliver a hands-on demonstration of the following tools and review in depth some of the functionalities and features they possess:
+'''Speaker Bios:'''
-'''Speaker Bio:'''
+'''Márion Nepomuceno''' - Márion works as a software security engineer at Hyland Software, where he creates and delivers educational sessions, internal testing tools and frameworks, organizes corporate events surrounding information security, and works closely with the Development and Quality Assurance staff on improving their secure coding and testing skills.
-Ryan Brown is a Red Team Security and Research Analyst at SecureState specializing in web application penetration testing. In his tenure with SecureState, Ryan has worked with organizations across a variety of industries, providing him with the expertise and knowledge of the security posture that exists within web applications.
 ---------------------------------

← Older revision		Revision as of 19:53, 21 November 2017
Line 26:		Line 26:

	== Past Events: ==		== Past Events: ==
		+	'''Presentation: Hands-on Demonstration of Common Web Application Penetration Testing Tools'''
		+
		+	'''''Abstract:'''''
		+	Web application penetration testing tools are a critical element to validating the security of web applications. These tools typically work by injecting a series of malicious payloads within insertion points in HTTP requests and analyze deviations within responses returned by the application to identify the existence of vulnerabilities.
		+
		+	Presenter Ryan Brown will deliver a hands-on demonstration of the following tools and review in depth some of the functionalities and features they possess:
		+	*Burp Suite: produced by Portswigger is the industry leading tool for web application penetration testing. This powerful framework provides support for a series of useful functionalities including but not limited to traffic interception, application mapping, fuzzing and crawling as well as automated scanning.
		+	*SQLMap: an open source penetration testing tool designed to automate the identification and exploitation of SQL injection vulnerabilities.
		+	*Commix: like SQLMap, is a testing tool designed to automate the identification and exploitation of command injection vulnerabilities.
		+
		+	'''''Speaker Bio:'''''
		+	Ryan Brown is a Red Team Security and Research Analyst at SecureState specializing in web application penetration testing. In his tenure with SecureState, Ryan has worked with organizations across a variety of industries, providing him with the expertise and knowledge of the security posture that exists within web applications.
		+	---------------------------------
	'''Presentation: Warning Ahead: Security Storms are Brewing in Your JavaScript'''		'''Presentation: Warning Ahead: Security Storms are Brewing in Your JavaScript'''

@@ Line 5: / Line 5: @@
 ----
 == Upcoming Meetings ==
-'''March 30, 2017 at 11:00 AM'''
+'''October 5, 2017 at 11:30 AM'''
 All meetings are held at SecureState (23340 Miles Road Bedford Heights, OH 44128)
-'''Presentation: An Intro to Transport Layer Security'''
+'''Presentation: Hands-on Demonstration of Common Web Application Penetration Testing Tools'''
-The web (and the Internet at large) is undergoing a slow but steady transition to the default use of encrypted protocols rather than their less secure cleartext counterparts. This trend has resulted in the sharply increasing popularity of Transport Layer Security (TLS).  Mozilla recently found that 50% of pages are now loaded over HTTPS, browsers have begun to warn users when they are using unencrypted connections for sensitive operations, and Let's Encrypt has made obtaining certificates free and easy.
+Web application penetration testing tools are a critical element to validating the security of web applications. These tools typically work by injecting a series of malicious payloads within insertion points in HTTP requests and analyze deviations within responses returned by the application to identify the existence of vulnerabilities.
-As the barriers to TLS adoption fall, it is unavoidable that web developers and administrators will need a working knowledge of modern cryptography. Presenter Travis Suel will cover the high-level concepts needed to develop and maintain modern, secure TLS configurations including public and symmetric-key cryptography.
+Presenter Ryan Brown will deliver a hands-on demonstration of the following tools and review in depth some of the functionalities and features they possess:
-'''Speaker Bio:'''  Travis Suel is a senior analyst at SecureState who manages SecureState's web and mobile application security services. Travis's background consists  of systems and web development in addition to experience deploying and adminstering web applications and their supporting software (web servers, databases, etc.).
+'''Speaker Bio:'''
 ---------------------------------

@@ Line 22: / Line 22: @@
 == Past Events: ==
 '''Presentation: Threat Modeling'''
-'''''Abstract'''''
+'''''Abstract:'''''
 How do you know how to build your application securely, or what to look for when you are performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. Also, there are security issues that other analysis techniques like penetration testing and code review  cannot find. Threat modeling can be used to discover design weaknesses that cannot be found using other analysis techniques.
@@ Line 34: / Line 62: @@
 Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Master’s degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security problems.
 '''Presentation: A Touch(ID) of iOS Security'''
-'''''Abstract'''''
+'''''Abstract:'''''
 As mobile devices become more and more prevalent in our lives, the clash between security and usability moves to the forefront. Apple integrated TouchID into its main mobile devices products (iPhones/iPads). In Apple’s controlled fashion, access to the TouchID was unavailable at first and has been expanded over subsequent releases. With this expansion is a new world of authentication possible?
@@ Line 49: / Line 78: @@
 '''Presentation: Awareness Training: Failure to Engage is Failure to Secure'''
-'''''Abstract'''''
+'''''Abstract:'''''
 We call it security awareness training, but all we ever give our employees is regurgitated knowledge. Their passwords suck, don’t trust user input, and make sure you complete the secure coding standard checklist. Mix in some yearly reviews of policies and procedures and you have the perfect recipe for an employee who stopped listening hours ago. You don't truly learn something until you understand "why" and that comes when employees are engaged and motivated. This is my take on how to engage through gaming, running your own internal CTF with OWASP Security Shepherd, pentest training with OWASP ZAP, and why it works.

← Older revision		Revision as of 21:45, 3 March 2017
Line 22:		Line 22:

	== Past Events: ==		== Past Events: ==
		+
		+	'''Presentation: Threat Modeling'''
		+
		+	'''''Abstract'''''
		+
		+	How do you know how to build your application securely, or what to look for when you are performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. Also, there are security issues that other analysis techniques like penetration testing and code review cannot find. Threat modeling can be used to discover design weaknesses that cannot be found using other analysis techniques.
		+
		+	This talk details a threat modeling process and methodology to teach the audience how to identify the assets, security controls, and threat agents for a given system. The talk goes on to show how this information can be used to create a prioritized list of test cases for other security activities, as well as find design weaknesses and propose appropriate mitigations.
		+
		+	'''''Speaker Bio:'''''
		+	Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Master’s degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security problems.
		+

	'''Presentation: A Touch(ID) of iOS Security'''		'''Presentation: A Touch(ID) of iOS Security'''

← Older revision		Revision as of 13:27, 4 October 2016
Line 14:		Line 14:

	== Past Events: ==		== Past Events: ==
		+
		+	'''Presentation: A Touch(ID) of iOS Security'''
		+
		+	'''''Abstract'''''
		+	As mobile devices become more and more prevalent in our lives, the clash between security and usability moves to the forefront. Apple integrated TouchID into its main mobile devices products (iPhones/iPads). In Apple’s controlled fashion, access to the TouchID was unavailable at first and has been expanded over subsequent releases. With this expansion is a new world of authentication possible?
		+
		+	In this talk, we will explore the architecture of TouchID and the how Apple is pushing biometrics into the forefront of consumer-based products. As companies start embracing biometrics, there are standard client-side authentication risks and TouchID Implementations risk. We will explore the architecture and common implementations, to understand possible hidden risks, and how to strengthen the implementations.
		+
		+	'''''Speaker Bio:'''''
		+	Jamie Bowser is a Technical Strategist who has over 20 years of information technology experience in a variety of roles including Web Application developer/architect, Unix Administrator, and Systems Analyst. Mr. Bowser has worked with a number of Fortune 500 companies, including Morgan Stanley, JP Morgan Chase, and Key Corp. As a Technical Strategist at Cigital, he has overseen and performed Mobile Strategic Consulting, Mobile Application Penetration Testing and Mobile Application Source Code reviews of systems built from a few thousand lines of code to systems containing tens of millions of lines of code (Java, .Net, and Objective-C). Currently, Mr. Bowser focuses on iOS Static and Dynamic testing tool development.
		+
		+	---------------------------------

	'''Presentation: Awareness Training: Failure to Engage is Failure to Secure'''		'''Presentation: Awareness Training: Failure to Engage is Failure to Secure'''