(134 intermediate revisions by 13 users not shown)

Line 1:

Removed (−):

{{Chapter Template|chaptername=Chicago|extra=The chapter leaders are [mailto:cory@crazypenguin.com Cory Scott] and [mailto:jason@wittys.com Jason Witty]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-chicago|emailarchives=http://lists.owasp.org/pipermail/owasp-chicago}}

==== Local News ====

==Next Meeting: April 29th==
http://www.owasp.org/index.php/Chicago#tab=Chapter_Meetings

==Make sure you sign up for the mailing list to receive meeting announcements.==

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

==General Information==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:[email protected] Cory Scott] or [mailto:[email protected] Jason Witty].

Chicago chapter meetings are hosted by Bank of America [http://www.bankofamerica.com/]

<paypal>Chicago</paypal>

==== Chapter Meetings ====

The next quarterly Chicago OWASP Chapter meeting will be April 29th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to [email protected] by April 28th so we can enter your name into the building's security system.

===Agenda===

6:00 Refreshments and Welcome
6:15 Doing more with less? : Automate or Die - Ed Bellis, Orbitz
7:15 Rich Internet Applications - Rafal Los

===Presentation abstracts===

''Doing more with less? : Automate or Die''

ABSTRACT

The harsh economic climate has hit us all in some way. Budgets are trimmed and spending is down. We are continuously asked to do more with less, but how? Certainly the attackers aren't spending less! Our web applications continue to grow in size and complexity. So what can an InfoSec team do to become more efficient and still effectively protect our applications?

At Orbitz, our team took a hard look at where we were spending a lot of our time (the grunt work) and how we could spend less of it. After building out a fairly comprehensive vulnerability management program and using a lot of best in breed tools, we found ourselves with an overabundance of manual labor on our hands putting together the pieces of our vulnerability puzzle. After looking around the market space, we found nothing that could really help us with this growing problem. Lo and behold, there's a government set of standards now to put all this together. What the heck, let's build it!

SPEAKER BIO

Ed Bellis is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.

With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.

Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.

''Rich Internet Applications''

ABSTRACT

What does "Web 2.0" mean to your business? If you're like most companies it means publishing sites that are more interactive, more flashy, more customer-catching. To you and your developers that means using technologies for creating RIA (Rich Internet Applications) like Flash and AJAX and delivering as quickly as possible. This talk focuses on some of the issues that arise when those technologies are used to drive high-end, interactive web applications without proper security sanity checks. Learn the mistakes, and some of the things you can do to avoid them before your company commits these fatal flaws.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here]<BR>

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here]<BR>

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but which do not implement "true" two-factor technologies, for logistical cost or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

==== Chicago OWASP Chapter Leaders ====

<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Unchanged:

__NOTOC__

Added (+):

{{Chapter Template|chaptername=Chicago|extra=The chapter leaders are [mailto:michael.allen@owasp.org Michael Allen] and [mailto:adam.lewis@owasp.org Adam Lewis].
|meetupurl=https://www.meetup.com/OWASP-Chicago-Chapter/|region=United States}}

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]

If you're interested in speaking, sponsoring or hosting an event, [mailto:[email protected] please contact us].
<br/>
= General Information =

Anyone in our area interested in application security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]<br>
LinkedIn: https://www.linkedin.com/groups/4049846<br/>
Chat with us on SLACK. https://owasp.slack.com/
<br/>
<br/>

Interested in being a sponsor or presenting at an event? Contact us at [email protected]

<headertabs />