|
|
| (245 intermediate revisions by 11 users not shown) |
| Line 1: |
Line 1: |
| − | {{Chapter Template|chaptername=Boulder|extra=The chapter leader is [mailto:owasp@justplainpix.com Andy Lewis]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}} | + | ===Special Thanks=== |
| | + | The continued sponsorship of Aerstone, Applied Trust, and Coalfire keep the chapter running strong. Thank you. |
| | + | {| cellpadding="15" |
| | + | |- |
| | + | | [[Image:BoulderSponsorAerstone.png | 120px | link=https://aerstone.com | alt=Aerstone | Aerstone]] |
| | + | | [[Image:AppliedTrust.png | 120px | link=http://www.appliedtrust.com | alt=Applied Trust | Applied Trust]] |
| | + | | [[Image:Coalfire.png | 120px | link=http://www.coalfire.com/ | alt=Coalfire | Coalfire]] |
| | + | |} |
| | | | |
| − | == '''Next Meeting''' == | + | __NOTOC__ |
| − | The next meeting is '''Thursday, January 17th 2008''' at [https:/ /www.cexp.com Corporate Express's] US Headquarters. Right now interest in providing speakers has been expressed by Tipping Point and SPI. Either way, it should be a GREAT meeting! We're also gaining traction on a '''possible Front Range Web Security Summit''', so if you're interested in helping or sponsoring please [mailto:[email protected] email the chapter mailing list... ] A flyer for the January meeting is available [https://www.owasp.org/index.php/Image:OWASPmeetingflyerJan08.jpg here]. | + | <font size="2"> |
| | + | =About= |
| | + | {{:Boulder/About}} |
| | | | |
| − | The topic will be "Success Stories for Resolving WebApp Security Bugs". The speaker is Aman Garg of [http://www.tippingpoint.com TippingPoint].
| + | =Upcoming Events= |
| | + | {{:Boulder/Events-Upcoming}} |
| | | | |
| − | Aman's Bio: A veteran in the network security industry with over 10 years of experience, Aman Garg is currently Principal Architect at TippingPoint, where his current work focuses on design and research for new products and solutions, partnerships with other solution providers, and prototyping technology concepts. He has worn several different hats at TippingPoint - most recently, running the market /competitive analysis group, and leading the certification effort of TippingPoint products by NSS & ICSA Labs.
| + | =Past Events= |
| | + | {{:Boulder/Events-Past}} |
| | | | |
| − | Mr. Garg holds an MBA from University of Texas Austin, a Masters in Electrical Engineering from Texas A&M University, and a bachelors in Electrical Engineering from Indian Institute of Technology, Kanpur. His interests are in network security and network performance testing arenas. His research work on mitigating Denial of Service attacks has been cited by several academic journals.
| + | =Chapter Projects= |
| | + | {{:Boulder/Projects}} |
| | | | |
| − | Agenda:
| + | =Chapter Support= |
| | + | {{:Boulder/Support}} |
| | | | |
| − | 6-6:30 Dinner (pizza provided by a sponsor who I haven't contacted yet)
| + | </font> |
| | + | <headertabs /> |
| | | | |
| − | 6:30 - 6:40 Chapter business
| |
| | | | |
| − | 6:40 - 8:00 Presentation and Q&A
| + | == Upcoming Events == |
| | | | |
| − | Following the meeting we will have informal discussions over beverages at the Gordon Biersch Brewery and Restaurant.
| + | '''Thursday Evenings: ''' We typically (but not always) hold our chapter meetings on the third Thursday of the month. We meet in Lafayette, CO, just outside of Boulder. Newcomers are always welcome! Meeting details can be found on our [http://www.meetup.com/OWASP-Boulder/ MeetUp.com] site. Please RSVP on that site as seating can fill up quickly. |
| | | | |
| − | == Local News ==
| + | <br><br> |
| − | '''Flash Security Testing'''
| |
| − | The team working on the [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project OWASP Flash Security Project] has released the [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] tool to detect flash security issues like XSS and Cross-Site Flashing. It's worth a look.
| |
| | | | |
| − | '''Aspect-Oriented Programming'''
| + | [[Category:OWASP Chapter]] |
| − | Security Focus has a very interesting article regarding AOP and security written by Rohit Sethi on October 16th, 2007. It complements and reinforces the [https://www.owasp.org/index.php/Boulder#November_Meeting_Notes AOP talk] given by Pat White from Fortify Software for the Nov Chapter Meeting. If you know of any other useful AOP references please share by posting to the chapter mailing list...
| + | [[Category:United_States]] |
| − | | + | [[Category:Colorado]] |
| − | '''Cool References - November 28th, 2007'''
| |
| − | Google for "Microsoft AntiXSS Library" and you'll see some pretty cool resources for '''stifling Cross-Site-Scripting problems'''.
| |
| − | | |
| − | OWASP has a similar project:
| |
| − | http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
| |
| − | | |
| − | in addition to the '''''OWASP Enterprise Security API project''''' (which looks REALLY COOL):
| |
| − | | |
| − | http://www.owasp.org/index.php/ESAPI
| |
| − | | |
| − | Finally, many of the OWASP wikis are available as books, either for purchase in hard-copy or as a ''free download'':
| |
| − | | |
| − | Online bookstore = http://stores.lulu.com/owasp
| |
| − | Shirts hats etc... http://www.cafepress.com/owasp
| |
| − | | |
| − | | |
| − | '''Boulder OWASP News - November 15th, 2007'''
| |
| − | Several Security Professionals have expressed interest in serving as Chapter Officers or part of a Board of Directors.
| |
| − | | |
| − | We expect to assemble interested parties in early Dec to plan out 2008.
| |
| − | | |
| − | | |
| − | '''Boulder OWASP News - July 26th, 2007'''
| |
| − | Al B., Lance R., and Andy L. are getting speakers, places, and sponsors lined up for Sep-Nov. The gameplan is to have meetings on the 3rd Thursday of each month HOWEVER the FIRST meeting's timing is being scheduled around a very special speaker (hint: what's the opposite of Black Hat?). The goal is very simple: understand how one of the OWASP Top 10 is a REAL PROBLEM and (more importantly) '''understand how to CODE BETTER and/or TEST BETTER'''.
| |
| − | | |
| − | Still need a place that can seat 30+ for the first meeting the 3rd or 4th week of Sept.
| |
| − | Still need a sponsor for dinner.
| |
| − | | |
| − | Likely schedule:
| |
| − | | |
| − | 6-6:30 eat, socialize
| |
| − | 6:30-6:35 chapter business
| |
| − | 6:35 - introduce speaker
| |
| − | | |
| − | Each speaker will be encouraged to cover:
| |
| − | - demonstration of the threat ( "look! I got EVERYONE'S credit card #!")
| |
| − | - overview/sample of vulnerable code, preferably in PHP, Java, or .Net env.
| |
| − | - some details regarding how to correct the code
| |
| − | - some thoughts as to how to test for the problem and/or "immunize" against it during a typical SDLC
| |
| − | - additional tools and references
| |
| − | 7:35'ish - Q & A
| |
| − | after Q & A - adjourn to less formal environment
| |
| − | | |
| − | Thanks!
| |
| − | Andy
| |
| − | | |
| − | PS if you're going to Blackhat/DefCon be sure to catch David Byrne's presentation regarding anti-DNS pinning!
| |
| − | | |
| − | '''Boulder OWASP News - June 21st, 2007'''
| |
| − | While we're getting our act together with the Boulder Chapter I encourage you to attend tonight's Denver OWASP meeting.
| |
| − | | |
| − | http://www.owasp.org/index.php/Denver
| |
| − | | |
| − | At this time Boulder OWASP is looking for help with the following:
| |
| − | | |
| − | 1. Meeting place
| |
| − | | |
| − | 2. Corporate sponsor(s)
| |
| − | | |
| − | 3. Topics of interest.
| |
| − | | |
| − | | |
| − | Thanks!
| |
| − | Andy
| |
| − | | |
| − | == November Meeting Notes==
| |
| − | '''Security and AOP (Aspect Oriented Programming)'''
| |
| − | | |
| − | Many thanks to [http://www.cexp.com Corporate Express] for providing the facilities, to [http://www.coalfiresystems.com Coalfire Systems] for providing dinner, and to [http://www.fortifysoftware.com/ Fortify Software] for providing the speaker!
| |
| − | | |
| − | Speaker: Patrick White, Program Manager for .[http://www.fortifysoftware.com/ Fortify Software].
| |
| − | | |
| − | Topic: Security and AOP
| |
| − | | |
| − | Aspect Oriented Programming is an incredibly interesting methodology that has gradually gained popularity over the years. As interesting as the concepts are, they are often admittedly difficult to actualize. In this talk Patrick will be examining what AOP is and how it can make a real and meaningful impact during your development. In addition, he'll look at how powerful security features can be added to an application using AOP either in sync or out sync with development.
| |
| − | | |
| − | Bio: Patrick White is a Program Manager at Fortify Software. He holds a BS in Computer Engineering and Computer Science from the University of Southern California and has earned numerous Microsoft certifications including MCSE, MCSD, and MCPD. He previously worked for several Bay Area startups and was at Microsoft before joining the Fortify Software team.
| |
| − | | |
| − | Patrick's presentation can be found here:
| |
| − | https://www.owasp.org/images/2/27/SecurityAndAOPII_FortifySoftware20071115.pdf
| |
| − | '''''Yeah, sometimes it's OK to bolt on security after the fact...'''''
| |
| − | | |
| − | == September Meeting Notes ==
| |
| − | '''First Boulder OWASP Meeting was held September 20th, 2007'''
| |
| − | Jeremiah's presentation was OUTSTANDING and MUCH APPRECIATED. Jeremiah kindly allowed it to be posted here:
| |
| − | | |
| − | https://www.owasp.org/images/f/f8/OWASP_Boulder_09202007.pdf
| |
| − | | |
| − | MANY THANKS to Whitehat Security[http://www.whitehatsec.com], Corporate Express[http://www.cexp.com/], Business Partner Solutions[http://www.businesspartnersolutions.com/], and all who attended for making this a success!
| |
| − | | |
| − | There was also a brief discussion about integrating security into the SDLC. Here's a link for a GREAT presentation done by Michael Walters. Note the diagrams on slide 13:
| |
| − | | |
| − | http://www.squadco.com/presentations/OWASP_Denver.pdf
| |
| − | | |
| − | Also, if your QA team isn't aware of SQuAD (the Software Quality Association of Denver) you may want to point them to www.squadco.com as a resource.
| |
| − | | |
| − | == September Meeting ==
| |
| − | '''First Boulder OWASP Meeting to be held September 20th, 2007'''
| |
| − | | |
| − | Site:
| |
| − | '''Corporate Express US Headquarters'''
| |
| − | [http://www.cexp.com/] | |
| − | 1 Environmental Way
| |
| − | Broomfield, CO 80021
| |
| − | | |
| − | Time: Dinner and beverages will be available starting at 6 PM, compliments of [http://www.businesspartnersolutions.com/ Business Partner Solutions]. Presentation will start at 6:30.
| |
| − | | |
| − | Speaker: Jeremiah Grossman, CTO of [http://www.whitehatsec.com WhiteHat Security].
| |
| − | | |
| − | Topic: Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company
| |
| − | | |
| − | To date, information security has been focused mainly on vulnerabilities at the network and software (OS, web server, etc.) levels. However, a new battleground is quickly developing that poses an even greater threat to companies’ brands/reputations and data. As companies drive more and more business processes to the web, vulnerabilities in their custom Web applications have become the new target for a new class of hackers. And the payoff is now financial gain, not personal notoriety.
| |
| − | | |
| − | Jeremiah Grossman will:
| |
| − | – Reveal the top 10 attacks of 2006 by creativity and scope
| |
| − | – Predict what these attacks mean for website vulnerability management in 2007
| |
| − | – Present strategies to protect your corporate websites
| |
| − | | |
| − | Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
| |
| − | | |
| − | == Chapter Leader Links ==
| |
| − | | |
| − | | |
| − | https://www.owasp.org/index.php/About_OWASP
| |
| − | | |
| − | https://www.owasp.org/index.php/How_OWASP_Works
| |
| − | | |
| − | https://www.owasp.org/index.php?title=How_OWASP_Works&diff=22690&oldid=15689 (this is a previous version of the 'How OWASP Works' page which contains some ideas about the future)
| |
| − | | |
| − | https://www.owasp.org/index.php/OWASP_brand_usage_rules
| |
| − | | |
| − | https://www.owasp.org/index.php/Chapter_Rules
| |
| − | | |
| − | https://www.owasp.org/index.php/Chapter_Leader_Handbook
| |
| − | | |
| − | https://www.owasp.org/index.php/Category:Chapter_Resources
| |
| − | | |
| − | http://www.owasp.org/index.php/Tutorial#Editing_OWASP
| |
| − | | |
| − | And finally, if you
| |
| − | haven't seen this amazing page created by Sebastien a while back with
| |
| − | descirptions and links to past OWASP presentations, you must check it out
| |
| − | now: http://www.owasp.org/index.php/OWASP_Education_Presentation
| |
| − | | |
| − | Of particular interest:
| |
| − | https://www.owasp.org/images/d/df/OWASP_-_Presentation_for_potential_sponsorships.doc
| |
| − | | |
| − | | |
| − | '''OWASP Moves to MediaWiki Portal - 11:36, 20 May 2006 (EDT)'''
| |
| − | | |
| − | OWASP is pleased to announce the arrival of OWASP 2.0!
| |
| − | | |
| − | OWASP 2.0 utilizes the MediaWiki portal to manage and provide
| |
| − | the latest OWASP related information. Enjoy!
| |
The continued sponsorship of Aerstone, Applied Trust, and Coalfire keep the chapter running strong. Thank you.
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? 
