(93 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
− | {{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto: [email protected] Aaron Weaver] and [mailto: darian@ criticode.com Darian Patrick] | + | {{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto: [email protected] Aaron Weaver] , [mailto: john.kh.baek@ gmail.com John Baek] and [mailto: evan. oslick@owasp.org Evan Oslick]. |
− | <paypal>Philadelphia</paypal>
− | |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}
− | == Next Meeting: '''Thursday, December 3rd, 2009 6:30pm - 8:30pm''' ==
| + | Follow us [https://twitter.com/phillyowasp @phillyowasp] |
− | '''OWASP Philly Meeting - University of Pennsylvania - Philadelphia'''
− | Come join us on Tuesday as we discuss web application security.
| + | |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}} |
− | | |
− | When: December 3rd, 2009 6:30pm - 8:30pm<br/>
− | Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania<br/>
− | 3330 Walnut St.
− | Philadelphia, PA 19104
− | | |
− | '''Agenda:'''<br>
− | 1.) Opening Remarks<br>
− | 2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane<br>
− | 3.) TBD: Bruce Diamond<br>
− | | |
− | [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104.&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Levine Hall]
− | | |
− | | |
− | | |
− | '''Discovering PHP Vulnerabilities Via Code Auditing'''
− | | |
− | Abstract: PHP provides an accessible, easy to use platform for developing dynamic
− | web applications. As the number of web based applications grow, so too
− | does the threat from external attackers. The open and global nature of
− | the web means that web applications are exposed to attack from around
− | the world around the clock. Automated web application vulnerability
− | scanning technology is still very much in its infancy, and unable to
− | identify complex vulnerabilities that could lead to complete server
− | compromise. While intrusion detection systems prove very valuable in
− | detecting attacks, the best way to prevent vulnerabilities is to engage
− | in active code review. There are many advantages of direct code review
− | over automated testing, from the ability to identify complex edge
− | scenario vulnerabilities to finding non-exploitable flaws and fixing
− | them proactively. Many vulnerabilities in PHP based web applications
− | are introduced with common misuse of the language or misunderstanding of
− | how functions can be safely utilized. By understanding the common ways
− | in which vulnerabilities are introduced into PHP code it becomes easy to
− | quickly and accurately review PHP code and identify problems. In
− | addition to common problems, PHP includes some obscure functionality
− | that can lead developers to unwittingly introduce vulnerabilities into
− | their applications. By understanding the security implications of some
− | common PHP functions, code reviewers can pinpoint the use of such
− | functions in code and inspect them to ensure safety.
− | | |
− | Speaker: Justin Klein Keane
− | | |
− | Bio: Justin C. Klein Keane has over 8 years of experience in information
− | security starting with his role as Editor in Chief of the Hack in the
− | Box e-zine. Currently Justin works as in Information Security
− | Specialist with the University of Pennsylvania School of Arts and
− | Sciences' Information Security and Unix Systems group. Justin's past
− | work included several positions as a web application developer, often
− | utilizing PHP. Justin is a regular contributer to the Full-Disclosure
− | mailing list and is credited with dozens of vulnerability discoveries.
− | Justin holds several ethical hacking and penetration testing
− | certifications and regularly posts computer security related articles on
− | his website www.MadIrish.net.
− | | |
− | ----
− | | |
− | == Previous Meeting: '''October 27th, 2009 6:00pm - 9:00pm''' ==
− | '''OWASP Philly Meeting - Comcast - Philadelphia'''
− | | |
− | <b>Presentations:</b><br>
− | [http://www.owasp.org/images/7/79/Agile_Practices_and_Methods.ppt Agile Practices and Methods]<br>
− | [http://www.owasp.org/images/d/d0/OWASP-AJAX-Final.ppt AJAX Security]<br>
− | [http://www.owasp.org/images/0/06/Adobe_AMF.ppt Adobe AMF]<br>
− | | |
− | '''Sponsor:'''
− | [[Image:comcastlogo.gif]]
− | | |
− | When: October 27th, 2009 6:00pm - 9:00pm
− | Where: Floor (TBD), Comcast, 1701 John F Kennedy Blvd Philadelphia, PA 08054
− | | |
− | '''Agenda:'''<br>
− | 1.) OWASP Meeting Opening Remarks: Bruce A. Kaalund Director, Product Security<br>
− | 2.) Development Issues Within AJAX Applications: How to Divert Threats: Tom Tucker, Cenzic<br>
− | 3.) Agile Software Development Principles and Practices : Ravindar Gujral, Agile Philadelphia<br>
− | 4.) Testing Adobe Flex/SWF's, focusing on flash remoting (AMF): Aaron Weaver, Pearson eCollege<br>
− | | |
− | [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1701+John+F+Kennedy+Blvd+philadelphia&sll=39.954255,-75.16839&sspn=0.006908,0.013711&ie=UTF8&hq=&hnear=1701+John+F+Kennedy+Blvd,+Philadelphia,+Pennsylvania+19103&ll=39.956185,-75.168393&spn=0.006908,0.013711&t=h&z=16&iwloc=A Directions to Comcast]
− | | |
− | | |
− | | |
− | '''Development Issues Within AJAX Applications: How to Divert Threats'''
− | | |
− | Speaker: Tom Tucker
− | | |
− | Bio: Tom Tucker has over 25 years of experience within the enterprise hardware, software, network, and security market. As a Senior Systems Engineer at Cenzic, Tom works directly with customers to protect their Web applications from hacker attacks. Previously Tom's worked with Tier 1 and Tier 2 Network Service Providers such as BBN, GTE, AT&T, iPass, New Edge Networks and MegaPath Networks, designing firewall, VPN, WAN, LAN and Hosting solutions. Tom was also the Director of Intranet Engineering for Associates Information Services (now a part of Citigroup) implementing secure Internet technology solutions for both internal and external application delivery.
− | | |
− | | |
− | ----
− | | |
− | == Previous Meeting: '''Wednesday June 24th 2009, 6:30 PM - 8:00 PM''' ==
− | '''OWASP Philly Meeting - AccessIT Group - King of Prussia'''
− | | |
− | Pizza provided by AccessIT Group.
− | | |
− | '''Sponsors:'''
− | [[Image:Logo_accessitgroup.gif]][[Image:Sanslogo_vertical.jpg]]
− | | |
− | '''Agenda:'''<br>
− | 1.) OWASP Introduction<br>
− | 2.) How to Analyze Malicious Flash Programs - Lenny Zeltser<br>
− | 3.) OWASP .NET, OWASP Report Generator,OWASP Cryttr/Encrypted Syndication - Mark Roxberry<br>
− | | |
− | [http://atlas.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=Access+It+Group+Inc&address=2000+Valley+Forge+Cir&city=King+of+Prussia&state=PA&zipcode=19406 Directions]
− | | |
− | 2000 Valley Forge Circle<br>
− | Suite 106<br>
− | King of Prussia, PA 19406<br>
− | | |
− | AccessIT Group is located in the 2000 Building (middle building) of the Valley
− | Forge Towers. The offices are located on the bottom floor of the
− | building. Parking is available in the front or rear of the building.
− | | |
− | '''How to Analyze Malicious Flash Programs'''
− | | |
− | by Lenny Zeltser (http://www.zeltser.com)
− | | |
− | '''About the talk:'''
− | Attackers increasingly use malicious Flash programs, often in the form of banner ads, as initial infection vectors. Obfuscation techniques and multiple Flash virtual machines complicate this task of analyzing such threats. Come to learn insights, tools and techniques for reverse-engineering this category of browser malware.
− | | |
− | '''Bio:'''
− | Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. You can stay in touch with him via http://twitter.com/lennyzeltser.
− | | |
− | '''OWASP .NET, OWASP Report Generator, OWASP Cryttr / Encrypted Syndication'''
− | | |
− | by Mark Roxberry
− | | |
− | About the talk: Mark is looking to generate some interest in participating in OWASP projects. He will be speaking about projects that he is involved in and hoping to recruit folks who have time, energy and motivation to help out.
− | | |
− | Bio: Mark Roxberry is a frequent contributor of research and code to OWASP. His credits include OWASP Testing Guide contributor and reviewer, the OWASP .NET Project Lead, the OWASP Report Generator Lead and just recently the OWASP Encrypted Syndication Lead. He is a Senior Consultant at Database Solutions in King of Prussia. Mark has a B.S. in Russian Technical Translation from the Pennsylvania State University and has the CEH and CISSP certificates hanging in his bunker where he tries to figure out how to hack into Skynet when it comes online.
− | | |
− | == Previous Meetings ==
− | | |
− | Next Meeting: <br>'''October 28th 2008, 6:30 PM - 8:00 PM'''
− | <br>OWASP Philly Meeting - Protiviti - Two Libery Place Philadelphia
− | | |
− | Come join us in Philadelphia as we discuss web application security.
− | | |
− | '''Agenda:'''<br>
− | 1.) Web Application Security and PCI requirements (V 1.1 and 1.2)<br>
− | 2.) Clickjacking: What is it and should we be concerned about it?<br>
− | 3.) Summary of OWASP conference in New York.
− | | |
− | [Google Directions][http://maps.google.com/maps?q=50+South+16th+St+Philadelphia,+PA&ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&sa=X&oi=geocode_result&resnum=1&ct=title]
− | Two Libery Place 50 South 16th St<br>
| + | <meetup group="OWASP-Philadelphia" /> |
− | Suite 2900<br>
− | Philadelphia, PA 19102 USA<br> | |
| [[Category:Pennsylvania]] | | [[Category:Pennsylvania]] |
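Review bot: the new chapter-leader line in the first row of this hunk has spaces inside two of the mailto addresses, `[mailto: john.kh.baek@ gmail.com John Baek]` and `[mailto: evan. oslick@owasp.org Evan Oslick]`, so the generated links will not resolve; the address must be a single token with no whitespace, and the same applies to the leading space after `mailto:`. The first leader's address reads `[email protected]`, which is an obfuscation placeholder rather than a real address, so that link is dead as well; either restore the address or drop the link and keep only the name. The `@phillyowasp` Twitter link and the `<meetup group="OWASP-Philadelphia" />` tag are fine as written.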