Difference between revisions of "San Jose"

From OWASP

Revision comparison: the earlier revision (minor edit, summary "Next Meeting - Wednesday, July 25, 2007") was replaced by the revision of 24 August 2007 (summary "Next Meeting - Thursday, September 6, 2007"). The chapter template header is unchanged between the two. The meeting content that the newer revision removed is preserved below; the newer revision is rendered in full further down the page.

Previous revision - Next Meeting - Wednesday, July 25, 2007

Open to the public, attendance is free

Agenda and Presentations:
6:00pm - 6:30pm ... Check-in and reception (food and beverages)
6:30pm - 7:15pm ... Attacking XML Security - Brad Hill
7:15pm - 8:00pm ... Development of a Security Metric System to Rate Enterprise Software - Fredrick Lee
8:00pm - 8:30pm ... Networking Session

Venue: Ariba
807 11th Avenue
Sunnyvale, CA 94089

Map and Directions: http://www.ariba.com/company/hq_map.cfm

Attacking XML Security

Presented by: Brad Hill, iSEC Partners

Abstract:
Brad will present his ongoing research into attacking the XML Digital Signature and Encryption standards that underpin the security of Web Services, mobile code, SAML, federated identity systems and more. The talk will begin with a high-level, critical take on the emerging conventional wisdom about message-oriented security and continue with a detailed discussion of design and implementation weaknesses in the standards. Technical material will include a root cause analysis of the recent iSEC advisory on cross-platform, remote code execution vulnerabilities discovered in multiple XML Digital Signature products.

Presentation: http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf

Bio: Based out of Seattle, Brad Hill is a Senior Security Consultant at iSEC Partners, a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. Brad brings a ten-year background as a software developer and architect in the technology and financial services sectors to his work at iSEC, where he does design review, application assessment and development lifecycle improvement for some of the world's leading software companies.

Development of a Security Metric System to Rate Enterprise Software

Presented by: Fredrick Lee, Fortify Software

Abstract:
As part of Fortify Software's Java Open Review (JOR) project, both security defects and quality issues discovered in open source software are collected. The projects being analyzed are diverse in their development methodologies, development stages, and application styles. The projects range from small utility packages (e.g. Apache Commons), to mid-size intranet applications (e.g. JSPWiki), to large-scale, commercial grade enterprise projects (e.g. JBoss). In essence, participants in the Java Open Review project reflect the typical enterprise organization's code base: a large collection of several small utility/internal applications and a handful of enterprise "flagship" products.

As part of the project, we have been challenged to answer the question: which application is more "secure"? To answer this question, Fortify has sought to develop a set of metrics that combine lessons learned from our experience working on various enterprise code bases and our work on the JOR project. The metrics are designed to incorporate diverse criteria, including the size of the application, the types of vulnerabilities identified, and the time required to fix the vulnerabilities. The metrics provide a mechanism to rate software components for security concerns and enable enterprises to:

- Evaluate which open source projects offer an acceptable level of security
- Compare competing open source software solutions based on their security
- Measure internal development efforts against open source counterparts

Ultimately, with sufficient industry adoption, the metrics can also enable enterprises to compare their internal efforts against other enterprises within the same vertical. As part of the talk we will present our experience to date working with companies to develop an effective mechanism for evaluating the security of enterprise software.

Bio: Fredrick Lee is a member of Fortify Software's Security Research Group, where he manages the Java Open Review Project. Scanning the code of over 100 applications so far, Fredrick is helping assess and improve the security of open source software. Fredrick also helps the Security Research Group develop the secure coding rules used by Fortify's suite of products.

Prior to joining Fortify Software, Fredrick was a Senior Information Security Engineer at Bank of America, where he helped roll out a secure development framework, performed security assessments, and developed enterprise security solutions.

Fredrick graduated from the University of Oklahoma with a BS in Computer Engineering.

Upcoming Security Workshops

Presented by: Brian Bertacini, Volunteer Chapter Organizer

Abstract: Introduce local volunteer expert trainers who are planning web application and infrastructure security workshops.

Please RSVP via email to Brian Bertacini, call 408-979-0571 or visit OWASP.Mollyguard.com (http://owasp.mollyguard.com).

Special thanks to Ariba (http://www.ariba.com) for hosting this event and to AppSec Consulting (http://www.appsecconsulting.com) and iSEC Partners (http://www.isecpartners.com) for sponsoring.

Revision as of 18:20, 24 August 2007

OWASP San Jose

Welcome to the San Jose chapter homepage. The chapter leader is Brian Bertacini


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now.


Next Meeting - Thursday, September 6, 2007

Open to the public, attendance is free

Agenda and Presentations:
5:00pm – 5:30pm Check-in and Reception (food and beverages)
5:30pm – 6:45pm Malicious Code Injection Workshop
6:45pm – 6:55pm Break
6:55pm – 8:10pm Panel Discussion – Privacy, Security and Breaches, Oh My!
8:10pm – 8:30pm Networking Session


Venue: eBay - Town Square B
2161 North First Street
San Jose, CA 95131

Map and Directions: http://maps.yahoo.com/broadband#mvt=m&q1=2211+N+1st+Street%2C+San+Jose%2C+CA&trf=0&lon=-121.921484&lat=37.377166&mag=3


Malicious Code Injection Workshop

SQL Injection, Cross-site Scripting (XSS) and other injection attack techniques have become pervasive on the web. This hands-on workshop takes an in-depth look at common methods used to exploit web applications. Attendees will learn step-by-step techniques used by attackers, allowing them to better understand how web applications are exploited. Each attack method is followed up with a discussion about effective countermeasures to defend against such attacks.

This interactive workshop includes a victim web application that contains built-in vulnerabilities. Attendees can bring their own laptop computers and participate in hands-on lab sessions. The objective of this workshop is to learn secure development practices used to harden the security of applications. Attendee participation is encouraged and door prizes will be awarded at random.
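The two injection classes the workshop covers, shown as an added example that is not part of the chapter page or the workshop's own lab application: a login check built by string concatenation beside its parameterized form, and an HTML page fragment that reflects user input beside its output-encoded form. The table name, the helper names and the sample users and payloads are constructed for the demonstration; the database is an in-memory SQLite instance so it runs offline.

```python
"""Added example (not the OWASP San Jose page's or the workshop's code):
SQL injection and reflected XSS, each shown vulnerable and fixed.
Table name, users and payloads are constructed for this demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database.
    (Plaintext passwords are only to keep the injection visible;
    a real application stores a salted password hash.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from user input, so quotes and keywords in the
    input are parsed as SQL. This is the flaw the workshop exercises."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so the same payload is compared as data, not parsed."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def greet_vulnerable(name: str) -> str:
    """Reflects the request parameter straight into HTML: an XSS sink."""
    return "<p>Hello, " + name + "</p>"


def greet_fixed(name: str) -> str:
    """HTML-encodes the value for an element-content context, so <, >, &
    and quotes render as text instead of starting markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"               # tautology: AND binds tighter than OR
XSS_PAYLOAD = "<script>alert(1)</script>"  # script injected via the name field


def demo() -> dict:
    """Runs both payloads against the vulnerable and fixed versions."""
    conn = make_db()
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(conn, "alice", SQLI_PAYLOAD),
        "sqli_blocked_by_fix": login_fixed(conn, "alice", SQLI_PAYLOAD),
        "legit_login_still_works": login_fixed(conn, "alice", "correct horse"),
        "xss_present_in_vulnerable": "<script>" in greet_vulnerable(XSS_PAYLOAD),
        "xss_neutralised_by_fix": "<script>" not in greet_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable login accepts the payload because the concatenated text becomes `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version compares the literal string and finds no match. The XSS fix is context-specific: `html.escape` is right for element content and attribute values, but a value placed inside a script block, a URL or a CSS property needs the encoding for that context instead.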


Workshop Instructor:

Siva Ram, CISA
Senior Consultant, AppSec Consulting

Panel Discussion: “Privacy, Security and Breaches, Oh My!”

This panel discussion will review the current state of information privacy and the security of web applications. Security breaches are occurring at an alarming rate and consumers are losing faith. What, if anything, can be done to restore confidence in e-commerce?

What can we learn from events at CardSystems or, more recently, Monster.com? What can be done to ensure your company is not the next victim of a class action and/or hackers and data thieves? Join an all-star panel of Information Privacy and Data Security professionals to better understand what's at stake and how to stay out of the headlines.

Moderator: Alex Stamos, iSEC Partners

Panelists:
- Doran Rotman, KPMG (co-author, Generally Accepted Privacy Principles)
- David Pollino, Washington Mutual Bank
- Robert Fly, Salesforce.com
- Larry Pingree, Safeway (co-founder, Digital Forensics Association)

Please RSVP at http://owaspday.eventbrite.com. Feel free to invite like minded IT Security Professionals and help grow OWASP.

Note: To participate in the exercise, bring an 802.11b/g-equipped laptop with IE or Firefox installed. No hostile code will be put on your laptop by the instructors, but do have a firewall running to protect yourself, since the class network is shared with other attendees. No wired connection to the class network will be provided.