Difference between revisions of "Austin"

m (Removing RSVP link from 01/2020 HH)
 
(820 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Chapter Template|chaptername=Austin|extra=The chapter leadership includes: [mailto:josh.sokol@ni.com Josh Sokol, President], [mailto:wickett@gmail.com James Wickett, Vice President], [mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair], [mailto:ggenung@denimgroup.com Greg Genung, Membership Chair], and the former chapter president is [mailto:cdewitt@indepthsec.com Cris Dewitt]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-austin|emailarchives=http://lists.owasp.org/pipermail/owasp-austin}}
+
{{Chapter Template|chaptername=Austin|extra=The chapter leadership includes: Kyle Smith, Chapter Leader (see [https://www.owasp.org/index.php/Austin#tab=Chapter_Leadership Chapter Leadership] for full listing of Austin Chapter leadership team).
 +
<br>
 +
[https://groups.google.com/a/owasp.org/forum/#!forum/austin-chapter/join Join OWASP Austin mailing list] to receive notifications of local events.
 +
|mailinglistsite=https://groups.google.com/a/owasp.org/forum/#!forum/austin-chapter/join|emailarchives=http://lists.owasp.org/pipermail/owasp-austin}}  
 +
<br><br>
  
[http://austinowasp.ning.com/ Austin OWASP Ning Site]
+
=Upcoming Events=
  
==== Chapter Meetings ====
+
==Listing of Upcoming Events==
  
'''When:''' March 30, 2010, 11:30am - 1:00pm  
+
=== Austin Chapter Meeting, January 28, 2020 ===
 +
'''When:''' Tuesday, January 28th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' OWASP Austin CryptoParty!<blockquote>In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privelege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.</blockquote><blockquote>In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.</blockquote><blockquote>The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.</blockquote><blockquote>Please contact [[[email protected]]] to be added to the list!</blockquote>'''Speaker:''' Josh Sokol and others
 +
 
 +
RSVP: https://owasp-austin-2020-january.eventbrite.com
 +
 
 +
[[#Upcoming Events|Back to Top]]
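Review bot: In the January 28, 2020 entry the '''Title:''' label, all four blockquotes and the '''Speaker:''' label sit on a single line, so "'''Speaker:''' Josh Sokol and others" renders directly against the closing </blockquote>; put Title, the abstract and Speaker on separate lines as the past-meeting entries do. The abstract also carries two typos worth fixing while the line is being touched: "privelege" and "free to to communicate".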
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Sonatype and NowSecure, February 13, 2020 ===
 +
 
 +
'''When:'''  Thursday, February 13th, 5:30 pm - 7:30 pm
 +
 
 +
'''Where:''' Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758 (across from the iPic Theaters).  We meet in the separate room inside the bar, to the left as you enter.  Parking: Park in either parking garages to the left or right of iPic ([https://www.simon.com/mall/the-domain/map/#/location/the-brass-tap map of Domain]).
 +
 
 +
'''What:''' The Austin Security Professionals Happy Hour is a monthly event coordinated by the Austin OWASP and Capital of Texas ISSA Chapters and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation.
 +
 
 +
'''Sponsor:''' Sonatype and NowSecure
 +
 
 +
[[#Upcoming Events|Back to Top]]
 +
 
 +
=Study Groups=
 +
 
 +
==Our Study Groups==
 +
[[File:OWASP Austin Study Group sm.png|130px|right|OWASP Austin Study Group]]
 +
The '''OWASP Austin Study Group''' is intended to provide an organized gathering of like-minded IT professionals who want to learn more about application security.  This is done through mini-discussions, demos, presentations, and series of meetings to cover more involved topics (i.e. book topics).  Generally the topics will be participant-led, meaning that attendees will volunteer their time to present or lead a discussion, whether a one-time presentation of a topic they wish to review or need help with, or walk through topics of a particular chapter of a book being covered.  There will still be OWASP leadership involved with scheduling and such, but the idea is to get a better “hands-on” approach to create a more productive learning environment.  We learn more when we are involved. 
 +
 
 +
----
 +
 
 +
'''Windows PowerShell'''
 +
 
 +
The current study group is currently doing CTFs and other online events.
 +
 
 +
'''Additional Information:''' If any questions related to the study group, please contact the Education Coordinator, Matt Pardo, matt (dot) pardo (at) owasp (dot) org.
 +
 
 +
----
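Review bot: The bold label '''Windows PowerShell''' in the Study Groups tab no longer matches the text under it, which says the group is doing CTFs and other online events; rename or drop the label so readers are not told two different current topics. The sentence "The current study group is currently doing CTFs" repeats itself, and "If any questions related to the study group" is missing its verb ("If you have any questions").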
 +
 
 +
=== Previous Study Group Topics ===
 +
 
 +
* "Certified Cloud Security Professional (CCSP)" study using the CSP Certified Cloud Security Professional All-in-One Exam Guide (1st Edition) book (Slack #cloud_security_study)
 +
* "Certified Ethical Hacker" book
 +
* "Visible Ops Security" book by Gene Kim
 +
* "Metasploit: The Penetration Tester’s Guide” book by David Kennedy
 +
* "Wireshark 101: Essential Skills for Network Analysis" book by Laura Chappell and Gerald Combs
 +
* “Web Application Defender's Cookbook: Battling Hackers and Protecting Users” book by Ryan C. Barnett and Jeremiah Grossman
 +
* “The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws” book by Dafydd Stuttard and Marcus Pinto
 +
* "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" book (using Security Onion) by Richard Bejtlich
 +
* "The Browser Hacker's Handbook" book by Wade Alcorn, Christian Frichot, and Michele Orru
 +
* "Snapshot - Reading and Treating People Right the First Time" book by Dan Korem
 +
 
 +
=Past Meetings and Events=
 +
==Listing of Past Meetings and Events==
 +
[[#2020|2020]] | [[#2019|2019]] | [[#2018|2018]] | [[#2017|2017]] | [[#2016|2016]] | [[#2015|2015]] | [[#2014|2014]] | [[#2013|2013]] | [[#2012|2012]] | [[#2011|2011]] | [[#2010|2010]] | [[#2009|2009]] | [[#2008|2008]] | [[#2007|2007]] | [[#2006|2006]]
 +
 
 +
----
 +
 
 +
==2020==
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Pure Storage, January 9, 2020[edit | edit source] ===
 +
'''When:''' Thursday, January 9th, 5:30 pm - 7:30 pm
 +
 
 +
'''Where:''' Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758 (across from the iPic Theaters). We meet in the separate room inside the bar, to the left as you enter. Parking: Park in either parking garages to the left or right of iPic ([https://www.simon.com/mall/the-domain/map/#/location/the-brass-tap map of Domain]).
 +
 
 +
'''What:''' The Austin Security Professionals Happy Hour is a monthly event coordinated by the Austin OWASP and Capital of Texas ISSA Chapters and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation.
 +
 
 +
'''Sponsor:''' Pure Storage<blockquote>''Here at Pure Storage, we know security isn’t a single-point solution that you buy and implement – it’s an ongoing effort that comprises people, processes, policies and technologies that work together to secure the enterprise. We help make that easier for you by integrating two fundamental features into our systems. First, we secure data at rest with Federal Information Processing Standards (FIPS) 140-2-certified Advanced Encryption Standard (AES) 256. The management of these encryption keys is completely self-contained and requires no external manipulation. Even more importantly, the encryption process is in-line with the data processing, and has no impact to performance. Second, we monitor access and functions based on specific account privileges (RBAC), restrict external connections to the system and require complex passwords. All of this has been certified using the most stringent government guidelines, and resulted in our National Information Assurance Partnership (NIAP) Common Criteria Certification.'''''Pure Storage will have a drawing for a $100 gift card ... must be present to win.'''</blockquote>
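Review bot: The heading of the January 9, 2020 happy hour entry ends with "[edit | edit source]", which is rendered section-edit link text pasted into the wikitext; remove it so the heading matches the other entries. In the Sponsor blockquote the closing italics and the opening bold are fused as ''''' directly before "Pure Storage will have a drawing", so the sponsor description and the drawing notice run together with no space or line break; separate them. This entry also lacks the "Back to Top" link that every other past-event entry carries.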
 +
==2019==
 +
----
 +
 
 +
=== LASCON X ===
 +
 
 +
'''When:''' Tuesday & Wednesday, October 22-23, 2019 (Pre-Conference Training), Thursday & Friday, October 24-25, 2019 (Conference Sessions)
 +
 
 +
'''Where:''' Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 +
 
 +
We had a great time celebrating our 10th year anniversary of LASCON. Many thanks to those who attended!
 +
 
 +
[https://lasconx2019.sched.com Schedule]
 +
 
 +
[https://lascon.org/past-lascon/ Videos of presentations (to be made available soon)]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, September 24, 2019  ===
 +
 
 +
'''When:''' Tuesday, September 24th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices
 +
 
 +
<blockquote>OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each scoped to the type of client obtaining authorization and the type or types of resource owners that must grant access. Diverging from these defined scopes can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.</blockquote>
 +
 
 +
'''Speaker:''' Pak Foley
 +
 
 +
<blockquote>Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular, he has spent much of his time seeking out and mitigating vulnerabilities from misimplemented OAuth solutions and contributed to the open source Rails OAuth provider, Doorkeeper. His passion for securing web applications has prompted his recent move from IAM to security.</blockquote>
 +
 
 +
[https://zoom.us/recording/play/8IU4z0WhqnXu3BiTolHYV5_1Fw2DY60BRFtKuhmG1_pl4jEi6GZAgr-f6GBSViuF?autoplay=true&startTime=1569343956000 Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Synack, September 12, 2019 ===
 +
 
 +
'''When:'''  Thursday, September 12th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' Synack
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, August 27, 2019 ===
 +
 
 +
'''When:''' Tuesday, August 27th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin TX 78757
 +
 
 +
'''Title:''' A Standards-Based Approach to Assessing Your Organization's Cybersecurity Maturity
 +
 
 +
<blockquote>We were tasked with creating a roadmap for the National Instruments Information Security Program. While we had previously used a Gartner Maturity Model to figure out how far along our organization was, we found their recommendations to be too high level to define an actionable roadmap. After some discussion, we determined that we could use the NIST Cybersecurity Framework to not only assess our maturity, but also define risk in our environment, and create a roadmap. This talk will not only show you how we did it, but how you can do it too!</blockquote>
 +
 
 +
'''Speaker:''' Josh Sokol and Alex Polimeni
 +
 
 +
<blockquote>Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and recently completed a four year term serving on the OWASP Global Board of Directors.</blockquote>
 +
 
 +
<blockquote>Alex Polimeni runs the IT Compliance program at National Instruments. He gave his first security talk at BSides Austin in 2019 and is excited about sharing his experience with the OWASP crowd. He is a former boxer and once got stuck in a cave.</blockquote>
 +
 
 +
[https://zoom.us/recording/play/QvGcb_Tt3LGxreBX7RBl8qKM82Tp7jR0cw8NJ4mrxBkHnHSCuUrfDDSaYdgTY8iw Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, July 30, 2019 ===
 +
 
 +
'''When:''' Tuesday, July 30th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Data Loss Prevention
 +
 
 +
<blockquote>Data is being produced and consumed at an exponentially increasing rate by organizations and individuals. Can firewalls truly prevent the loss, misuse, or unauthorized access of the sensitive data? What are the standard methods for Data Loss Prevention? Who needs them? Are there any methods overlooked or underutilized? Why should a DLP strategy be the top priority for the organization?.</blockquote>
 +
 
 +
'''Speaker:''' Shirish Patil
 +
 
 +
<blockquote>Shirish Patil has over 20 years of experience leading and implementing enterprise data management and architecture solutions for public and private sector organizations. His focus has been on enterprise wide information and data management strategy, data architecture, data governance, data quality, data modeling, database performance and business intelligence capabilities. Shirish is based in Austin, Texas with vast experience in IT and management consulting, has been leveraging data, technologies and common sense to create strategies and solutions to achieve organizational goals for clients. . Shirish is a consulting Lead Enterprise Data Architect in Advanced Digital Technology and Analytics group at Grant Thornton in Austin TX on defining their Enterprise Information and Data Management Strategy for short term and long term. As a Lead Enterprise Data Architect at Sitek Inc., an IT consulting and Services firm, Shirish has designed and architected several data-centric solutions for Texas Health and Human Services Commission (HHSC) and Duke Energy. The solutions were wide ranged starting from basic database designs to laying the foundation for application scalability to enterprise wide data initiatives and strategy for one of the largest Integrated Eligibility application in United States. Previous to engaging with Sitek Inc., Shirish has consulted for Verizon Wireless and Deloitte. Before his time with these organizations, Shirish has worked for European analytics and regulatory reporting firm FRSGlobal and major US lending company Mortgage Cadence through their partner firms. Shirish developed and managed regulatory reports, database platform migration and enhanced performance of the database design for these organizations and was recognized for the leadership and ability to execute with innovative approaches to database management. 
Shirish has presented at many international conferences as a keynote speaker on data management and data security topics. He currently serves on Editorial Board, Technical Program Committee and Reviewer for several international journals and conferences on Databases and Data Mining, Database Management Systems, Computer Science, Cyber Security, Information Technology and Software Engineering.</blockquote>
 +
 
 +
[https://zoom.us/recording/play/MzcZltIStcziOVyN4rql4uDvSV1dVECdbI_crQU0qtCRgA5tAbSzBWIeJYGFgFTC?autoplay=true Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Contrast Security, July 11, 2019 ===
 +
 
 +
'''When:'''  Thursday, July 11th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759.
 +
 
 +
'''Sponsor:''' Contrast Security
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, June 25, 2019 ===
 +
 
 +
'''When:''' Tuesday, June 25th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Passwords are Secure
 +
 
 +
<blockquote>Do passwords really work? Can they? What are the alternatives? This talk will be a conversation about alternatives, and an open interchange of ideas. Everyone knows passwords are very difficult for users to deal with.</blockquote>
 +
 
 +
'''Speaker:''' Dovell Bonnett – “The Password Guy”
 +
 
 +
<blockquote>Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has lead him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.</blockquote>
 +
<blockquote>He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.</blockquote>
 +
<blockquote>In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is an Identity Management solution that combines Multi-Factor Authentication and enterprise password management. Power LogOn is used by corporations, hospitals, educational institutions, police departments, government agencies, and more around the world.</blockquote>
 +
<blockquote>Dovell is a frequent speaker and sought-after consultant on the topic of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity and his new social media column is the Guardians of the Gateway..</blockquote>
 +
 
 +
[https://zoom.us/recording/play/AjW2JxR1CqCLDTC4yqCGEgPgVhVhtGcqpATOrYiiD3JsLus96FGjwr5iV7yrQjGx Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, May 28, 2019 ===
 +
 
 +
'''When:''' Tuesday, May 28th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Schrodinger's SOC - The Human Element of Information Security
 +
 
 +
<blockquote>People are what drive security, elements of that include: salary, innovation, mission, education and peace of mind. Security as a career field is exhausting, even straining, leaders in these spaces need to ask and listen to their practioners. Anecdoctally: I've witnessed security organizations ignored, however praised by leadership for their work. Thus, does the security operation exist? Or is too much of a cost center? How can leaders utilize their security assets for organizational and personnel growth? How can the security worker look towards a better work/life balance? </blockquote>
 +
 
 +
'''Speaker:''' Ricky Banda
 +
 
 +
<blockquote>Security professional with 8 years of experience in the field, 12 IT/Security certifications, 25 years old. Professional career began as a DoD intern for the 24th Air Force at age 17, due to success with the Cyber Patriot program. Recognized by the state of Texas, and outspoken volunteer for public education cybersecurity initiatives. Specialty in incident handling, security architecture, and forensic analysis.</blockquote>
 +
 
 +
[https://zoom.us/recording/share/NOjeiXhu554ntks0GuxZEUciEOQaJ1y07l8jq9hCGKOwIumekTziMw Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Qualys, May 9, 2019 ===
 +
 
 +
'''When:'''  Thursday, May 9th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' Qualys
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, April 30, 2019 ===
 +
 
 +
'''When:''' Tuesday, April 30th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Securing AWS: A Real-World Case Study
 +
 
 +
<blockquote>Using cloud first governance driven approach to reduce and mitigate risks managing privileged access and identities in an AWS environment, we’ll review a real world example how a Fortune 500 company how they perform:
 +
 
 +
* Management of privileged access to AWS workloads
 +
* Real-time monitoring and enforcement of baseline security policies on their AWS infrastructure
 +
* Access visibility’ of federated identities to AWS Objects’ on a periodic basis with continuous compliance controls
 +
* Periodic certification process for critical resources hosted in their AWS ecosystem to ensure only authorized individuals have access to their AWS ecosystem
 +
* AWS Role lifecycle management and governance</blockquote>
 +
 
 +
'''Speaker:''' Diana Volere
 +
 
 +
<blockquote>Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals.  In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to help them derive business value from technical capabilities.  Her past twenty years have been spent in product and services organizations in the IAM space.  Outside of work she loves travel, gastronomy, sci-fi, and most other activities associated with being a geek.</blockquote>
 +
 
 +
[https://zoom.us/recording/share/UOMi-M9PQi4AG3qS30RrmqX-aIiJ1ohJxYW19bm9tgOwIumekTziMw?startTime=1556643332000 Zoom Video]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, March 26, 2019 ===
 +
 
 +
'''When:''' Tuesday, March 26th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Browser Hardening, Personal Security and Privacy Measures
 +
 
 +
<blockquote>In this day and age, it is becoming increasingly difficult to stay secure and private online. In this talk, we will show you how to harden your browser, along with a set of best practices aimed at improving one's security and privacy.</blockquote>
 +
 
 +
'''Speaker:''' Héctor Quartino
 +
 
 +
<blockquote>Héctor is the manager of the Product Security Engineering team at Oracle+NetSuite. He has been a software developer for more than 15 years in multiple technologies (Java, .NET and Web).</blockquote>
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, February 26, 2019 ===
 +
 
 +
'''When:''' Tuesday, February 26th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Angular for AppSec Professionals
 +
 
 +
<blockquote>One of the most popular web frameworks is Angular. While you don't need to become an expert in new JavaScript frameworks to be able to conduct successful assessments of Angular applications, knowing the fundamentals and building blocks of that framework can definitely give you an advantage during the initial phases of an application security assessment. This talk aims to introduce application security professionals to the basics of AngularJS and Angular applications from a security standpoint. We will also demonstrate how to dynamically debug Angular code from the browser console. This allows us to change the behavior on an application by manipulating Angular components. With that knowledge in hand, we can start conducting a more in-depth analysis of Angular based applications.</blockquote>
 +
 
 +
'''Speaker:''' Alex Useche
 +
 
 +
<blockquote>Alex is an Application Security Consultant at nVisium and has over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked with and architected mobile and web applications in a wide range of languages and frameworks, including Angular, .NET and Django. While his expertise is in application security, Alex also has experience conducting penetration tests of internal and external networks. In his previous position, Alex led several projects aimed at building secure coding and DevOps processes for a mid-sized consultancy agency, as well as automating security analysis tasks. Alex has a Bachelors in Information Technology and a Masters in Software Engineering. He has also conducted and published research on artificial intelligence technologies. Alex is actively working on developing security tools written in Go and participating in various bug bounties.</blockquote>
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Secure | Austin, February 7, 2019 ===
 +
 
 +
'''When:'''  Thursday, February 7th, 6:00 pm - 8:30 pm
 +
 
 +
'''Where:''' 77º Rooftop Bar, 11500 E Rock Rose Ave, Austin, TX 78758
 +
 
 +
'''Sponsor:''' Secure | Austin.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, January 29, 2019 ===
 +
 
 +
'''When:''' Tuesday, January 29th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' OWASP Austin CryptoParty!
 +
* Introduction (Josh Sokol)
 +
* Phone as Security: the trifecta of Signal, Password Manager, and MFA (Dan Ehrlich)
 +
* Hardware Security Keys (Ryan Breed)
 +
* You are the captain of your Data (Shirish Patil)
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
----
 +
 
 +
==2018==
 +
----
 +
 
 +
=== LASCON 2018 ===
 +
 
 +
'''When:''' Tuesday & Wednesday, October 23-24, 2018 (Training Days), Thursday & Friday, October 25-26, 2018 (Conference Sessions)
 +
 
 +
'''Where:''' Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 +
 
 +
'''What:''' The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
 +
 
 +
[https://lascon.org/lascon2018/ Presentations and other information]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, September 25, 2018  ===
 +
 
 +
'''When:''' Tuesday, September 25th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Scaling Your Cyber Security Threat Modeling
 +
 
 +
<blockquote>There are two schools of thought around threat modeling. One school advocates the creation of attack trees and data flow diagrams. This requires extensive, cross-functional, security skills and is not a scalable approach. The other school encourages organic insertion of defenses based only on current context without “boiling the ocean”. This lack of systems thinking leaves applications vulnerable as exploits in a weaker component can open the door to critical systems.
 +
 
 +
Part of the problem is threat modeling today is largely an art. We need to inject more science in this domain and derive a repeatable and auditable approach that maps to risk. Such a model should abstract away the non-scalable elements and still provide a high degree of assurance in today’s faster velocity business context.
 +
 
 +
This presentation will outline a threat modeling framework that abstracts traditional methods into systems, data, and people components. You will come away with an approach that takes away some of the scalability problems of traditional threat modeling, yet provides sufficient rigor and systems thinking to help manage risk.</blockquote>
 +
 
 +
'''Speaker:'''  Pranoy De - Software Engineer
 +
 
 +
<blockquote>Pranoy currently works as a backend developer at Security Compass, helping to develop industry-leading application security products. Over the years, Pranoy has taken on a variety of roles, which included working as a software consultant, working as a network engineer, and writing software for the VFX industry.
 +
 
 +
As a network engineer, Pranoy has primarily spent his time developing and conducting planned DDoS attacks for companies testing their defenses. This was his first position in the world of cybersecurity, and it eventually lead to his current role in application security.</blockquote>
 +
 
 +
[https://vimeo.com/293198117 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, September 13, 2018 sponsored by LOG-MD ===
 +
 
 +
'''When:'''  Thursday, September 13th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' Thanks to our last-minute sponsor, Michael Gough with LOG-MD.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, August 28, 2018  ===
 +
 
 +
'''When:''' Tuesday, August 28th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Deploying a Secure NodeJS app with Docker and Kubernetes
 +
 
 +
<blockquote>Learn how to secure a NodeJS application from development to production. We will walk you through best practices of developing a  NodeJS application with Docker and deploying it with Kubernetes while building security into each step of the process.</blockquote>
 +
 
 +
'''Speaker:'''  Brett Stewart
 +
 
 +
<blockquote>Brett Stewart is Co-Founder and CTO of truFable.  He has been a leader in the startup scene, previously serving as the lead software architect and advisor to CrowdFunder.com.  Brett has consulted for some of the top brands in the tech and media industry and has spoken at several DevOps and security events.  He works with organizations such as WeWork and Bunker Labs, assisting Veterans looking to take their tech startups to the next level.</blockquote>
 +
 
 +
[https://vimeo.com/293198477 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
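Review bot: The '''Where:''' line in this entry reads "11500 N. Mopac.Building C", with a period and no space between the street and the building. The same string is pasted into every chapter-meeting entry in this revision, so correct the separator once here and carry the corrected line through the other entries rather than fixing them one at a time.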
 +
 
 +
=== OWASP Austin Chapter Meeting, July 31, 2018  ===
 +
 
 +
'''When:''' Tuesday, July 31st @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Introduction to Electron Security
 +
 
 +
<blockquote>Electron allows developers to build cross platform desktop apps with JavaScript, HTML, and CSS. Electron is a framework for creating native applications with web technologies. More and more companies such as Slack, Microsoft, and Docker have adopted Electron for desktop applications. This talk will go over the basics and the security implications.</blockquote>
 +
 
 +
'''Speaker:'''  Marcus J. Carey
 +
 
 +
<blockquote>Marcus J. Carey is the founder and CEO of Threatcare. He is a hacker who helps organizations build, measure, and maintain cybersecurity programs. Marcus started his technology voyage in U.S. Navy Cryptology and working at the National Security Agency (NSA).</blockquote>
 +
 
 +
[https://vimeo.com/282840714 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, July 12, 2018 sponsored by Rapid7 ===
 +
 
 +
'''When:'''  Thursday, July 12th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759 
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, June 26, 2018  ===
 +
 
 +
'''When:''' Tuesday, June 26th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' The State of DevSecOps
 +
 
 +
<blockquote>Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?</blockquote>
 +
 
 +
'''Speakers:'''  Ernest Mueller and James Wickett
 +
 
 +
[https://vimeo.com/277170461 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by SecureWorks, June 14, 2018 ===
 +
 
 +
'''When:'''  Thursday, June 14th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' SecureWorks
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, May 29, 2018  ===
 +
 
 +
'''When:''' Tuesday, May 29th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Trust: Designing Privacy, Consent, & Security into Your Products
 +
 
 +
<blockquote>Most software today collects and tracks as much data as possible with no concern for privacy or user consent. Consumers and regulations are starting to demand change. It's time to focus on building trust with our users. Our products should collect only what data is necessary, should always receive consent before collecting data, and should have proper security in place to protect collected data.</blockquote>
 +
 
 +
'''Speaker:'''  Taylor McCaslin
 +
 
 +
<blockquote>Taylor McCaslin is a multi-disciplinary technologist and Product Manager living in Austin, Texas. He currently works as a Mobile Product Manager at Duo Security. Taylor is an advocate and defender of privacy, consent, and inclusion.
 +
 
 +
Taylor graduated from The University of Texas at Austin, where he studied business, theatre, computer science, and digital art & media. For the past 6 years, he’s worked at enterprise-scale, hyper-growth technology companies including WP Engine, Indeed.com, and Bazaarvoice. Taylor also enjoys volunteering with local human rights and LGBTQ organizations around central Texas.
 +
 
 +
https://www.taylormccaslin.com/ <br />
 +
https://www.linkedin.com/in/taylormccaslin <br />
 +
https://twitter.com/digital_SaaS
 +
</blockquote>
 +
 
 +
[https://vimeo.com/272435875 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by DirectDefense, May 10, 2018 ===
 +
 
 +
'''When:'''  Thursday, May 10th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' DirectDefense
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, April 24, 2018 ===
 +
 
 +
'''When:''' Tuesday, April 24th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Cloud Jacking
 +
 
 +
<blockquote>Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.</blockquote>
 +
 
 +
'''Speaker:'''  Bryan McAninch
 +
 
 +
[https://vimeo.com/266416831 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Cisco, April 12, 2018 ===
 +
 
 +
'''When:'''  Thursday, April 12th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' Cisco
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, March 27, 2018 ===
 +
 
 +
'''When:''' Tuesday, March 27th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Cryptocurrencies - More than just bubbles, money and Dogecoins
 +
 
 +
'''Speaker:'''  Arthur Kendrick
 +
 
 +
[https://vimeo.com/channels/owaspaustin/262482594 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Critical Start and Mimecast, March 7, 2018 ===
 +
 
 +
'''When:''' Wednesday, March 7th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:'''  Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Co-sponsors:''' Critical Start and Mimecast
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, February 27, 2018 ===
 +
 
 +
'''When:''' Tuesday, February 27th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' DevSecOps Unplugged (Results from our latest research on DevSecOps)
 +
 
 +
<blockquote>There is a confluence of forces that disrupt the ability for organizations to implement DevSecOps effectively. We continue to increase our dependence on software but teams are still relatively immature in developing securely. Our systems continue to grow exponentially complex. With IoT starting to take off, there is no clear industry vision for security these devices. Cybersecurity threats continue to rise. Even the most diligent teams find themselves subtly gaining technical debt because they are unable to do the job right.
 +
 +
This impact is felt across industries: telecommunications, financial, software development, transportation, and medical just to name a few. So what is our response as security professionals? We have software tools and databases like OWASP Top 10, CWE/CVE, SANS Top 25 and so on. But what we need is a set of patterns and anti-patterns on implementing DevSecOps.
 +
 +
Our talk will highlight what we’ve observed in conducting research from Tier 1 peer reviewed articles from 2016 to the present. We will present what seems to be emerging as a set of best practices as well as anti-patterns in DevSecOps.</blockquote>
 +
 
 +
'''Speaker:'''  Altaz Valani
 +
 
 +
[https://vimeo.com/channels/owaspaustin/262482415 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
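Review bot: In the first paragraph of the DevSecOps Unplugged abstract, "there is no clear industry vision for security these devices" is missing a verb form; it should most likely read "for securing these devices". The two paragraph breaks inside this blockquote also have no blank line between them, unlike the multi-paragraph blockquotes in other entries, so check that the three paragraphs still render separately.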
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by RSA, February 8, 2018 ===
 +
 
 +
'''When:'''  Thursday, February 8th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
 +
 
 +
'''Sponsor:''' RSA
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, January 23, 2018 ===
 +
 
 +
'''When:''' Tuesday, January 23rd @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' CryptoParty
 +
 
 +
<blockquote>In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars.  We must be free to communicate and associate without fear.</blockquote>
 +
 
 +
<blockquote>To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions.  CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online.  Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.</blockquote>
 +
 
 +
<blockquote>The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.</blockquote>
 +
 
 +
'''Speakers:'''  Josh Sokol, Bankim Tejani, Dave Sanford, David Vas, Michael Marotta, and Nate Sanders
 +
 
 +
[https://vimeo.com/channels/owaspaustin/254361873 Vimeo]
 +
 
 +
Presentation slides:
 +
* [https://www.owasp.org/images/a/ac/OWASP-Austin-Mtg-2018Jan-CryptoParty-Josh-Sokol.pdf Josh Sokol - Introduction]
 +
* [https://www.owasp.org/images/c/ca/OWASP-Austin-Mtg-2018Jan-CryptoParty-Bankim-Tejani.pdf Bankim Tejani - Secure Communication and Data Sharing with PGP]
 +
* [https://www.owasp.org/images/8/89/OWASP-Austin-Mtg-2018Jan-CryptoParty-Dave-Sanford.pdf Dave Sanford - Decentralized IDs and Verifiable Claim]
 +
* [https://www.owasp.org/images/8/8b/OWASP-Austin-Mtg-2018Jan-CryptoParty-Michael-Marotta.pdf Michael Marotta - Charles Babbage: Codebreaker]
 +
* [https://www.owasp.org/images/9/9e/OWASP-Austin-Mtg-2018Jan-CryptoParty-David-Vas.pdf David Vas - Zero Knowledge Bets]
 +
* [https://www.owasp.org/images/1/1a/OWASP-Austin-Mtg-2018Jan-CryptoParty-Nate-Sanders.pdf Nate Sanders - Keybase]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
----
 +
 
 +
==2017==
 +
----
 +
 
 +
=== LASCON 2017 ===
 +
 
 +
'''When:''' Tuesday & Wednesday, October 24-25, 2017 (Training Days), Thursday & Friday, October 26-27, 2017 (Conference Sessions)
 +
 
 +
'''Where:''' Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 +
 
 +
'''What:''' The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
 +
 
 +
[https://lascon.org/lascon2017/ Presentations and other information]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, September 26, 2017 ===
 +
 
 +
'''When:''' Tuesday, September 26th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' How to create Purple Team Exercises, using the Cyber Kill Chain and Extended CKC as a framework
 +
 
 +
<blockquote>Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. You don’t necessarily need a ‘red team’, anyone can do it. This talk will show how to build and plan cyber exercises, using the Cyber Kill chain and Extended Cyber Kill Chain as a framework.</blockquote>
 +
 
 +
'''Speaker:''' Haydn Johnson
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, September 14, 2017 ===
 +
 
 +
'''When:'''  Thursday, September 14th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
 +
 
 +
'''Sponsor:''' Contrast Security
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, August 29, 2017 ===
 +
 
 +
'''When:''' Tuesday, August 29th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs
 +
 
 +
<blockquote>You can ignore the Blockchain hype for identity solutions, it is superb marketing; but suboptimal technology. You can also ignore biometrics for a spell. Instead, the real breakthroughs, especially in authentication, will be based on elegant math and crypto, e.g., Zero-Knowledge Proofs (ZKP). These have the added benefit of being privacy-preserving, and amenable to user control of identity attributes. ZKP has been identified as a category for many other solutions in the future, not just identity. Conceived at MIT in 1985 by Shafi Goldwasser, ZKP is still young. You will see it in many other contexts as appreciation and recognition evolves.</blockquote>
 +
 
 +
'''Speaker:''' Clare Nelson, CISSP, CIPP/E
 +
 
 +
<blockquote>Clare's focus combines security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of EU regulations including GDPR and PSD2.</blockquote>
 +
 
 +
<blockquote>Clare’s early technical background includes software development of encrypted TCP/IP variants for NSA. She has held leadership positions in product management, marketing, and technology for companies including EMC2, Dell, Novell, and TeaLeaf Technology (IBM).</blockquote>
 +
 
 +
<blockquote>Clare is a co-founder of the mentoring organization, C1ph3r_Qu33ns. She headed ClearMark Consulting for 14 years, and she is currently Director, Office of the CTO at AllClear ID.  She has a B.S. in Mathematics from Tufts University, and is a lifelong fitness enthusiast.</blockquote>
 +
 
 +
[https://vimeo.com/channels/owaspaustin/231902811 Vimeo]  (apologies for the low audio)
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, August 10, 2017 ===
 +
 
 +
'''When:'''  Thursday, August 10th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, July 25, 2017 ===
 +
 
 +
'''When:''' Tuesday, July 25th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Frontline Web App Security
 +
 +
<blockquote>According to the Verizon DBIR (Data Breach Investigation Report) for 2016, web application attacks are the #1 source of data breaches. Web applications account for only 8 percent of overall reported incidents. However, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.</blockquote>
 +
 
 +
<blockquote>With those threats in mind, it has never been more important to ensure that companies have visibility into what is happening with their web apps. The most effective way to address application flaws and preemptively block unknown attacks is to have a close relationship with your web application firewall.</blockquote>
 +
 
 +
<blockquote>Static, signature based blocking is not enough to address never before seen attacks. In this talk, we will walk through scenarios that we have observed, talk about coding practices that enable your web app to be secured, and describe the steps that are taken to defend against critical web applications attacks.</blockquote>
 +
 
 +
'''Speakers:''' Paul Scott and Jason Payne
 +
 
 +
<blockquote>Paul Scott is an OWASP Houston chapter leader and the Manager of Alert Logic’s Web Application Security Team.  Jason Payne ran the Alert Logic Global Security Operations Center for nearly a decade and is now engineering solutions to defend systems, networks, and application on premises and in the cloud.</blockquote>
 +
 
 +
[https://vimeo.com/channels/owaspaustin/231902836 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, July 13, 2017 ===
 +
 
 +
'''When:'''  Thursday, July 13th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
 +
 
 +
'''Sponsor:''' Technology Navigators
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, June 27, 2017 ===
 +
 
 +
'''When:''' Tuesday, June 27th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Making Vulnerability Management Less Painful with OWASP DefectDojo
 +
 
 +
<blockquote>
 +
DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management with automation centered around templating, report generation, metrics, scanner consolidation, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to consolidate and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.
 +
</blockquote>
 +
 +
'''Speaker:''' Greg Anderson
 +
<blockquote>
 +
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. His recent work has focused on advanced security automation to get the most out of application security programs.
 +
Greg's previous work, which was featured at DEFCON, focused on unconventional attack vectors and how to maximize their impact while avoiding detection.
 +
 
 +
Greg is the creator of DefectDojo and was a Chapter Leader of OWASP San Antonio for two years. 
 +
 
 +
Feel free to chat him up about anything and everything.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/223334540 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, June 8, 2017 ===
 +
 
 +
'''When:'''  Thursday, June 8th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
 +
 
 +
'''Sponsor:''' Cyberbit
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, May 30, 2017 ===
 +
 
 +
'''When:''' Tuesday, May 30th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Annoying web app vulnerabilities: HTTP Request Smuggling, HTTP Response Splitting and Cross-Origin Resource Sharing Misconfigurations.
 +
 
 +
'''Part 1:'''
 +
<blockquote>
 +
'''Abstract:''' HTTP Request Smuggling is an attack capable of bypassing security protections and "poisoning the well" for caching web proxies. In this talk we'll be discussing attack scenarios and their security implications.
 +
 
 +
'''Speaker:''' Gabriel has been actively involved in the security industry since 2007 and currently holds the position of security analyst at Rapid7.
 +
</blockquote>
 +
 +
'''Part 2:'''
 +
<blockquote>
 +
'''Abstract:''' HTTP Response Splitting is a web application vulnerability that is often misunderstood, but can lead to a serious compromise. This talk will walk through the basics of Response Splitting, how an attack works, and what you can do to defend against it.
 +
 
 +
'''Speaker:''' Ben Columbus is a security analyst for Rapid7, who specializes in network and web application penetration testing. He has been working in security for the last eight years in various positions and was previously a penetration tester for the State of Texas.
 +
</blockquote>
 +
 +
'''Part 3:'''
 +
<blockquote>
 +
'''Abstract: '''The talk will provide information about headers used for Cross-Origin Resource Sharing (CORS) and how servers use these headers to communicate access policy to browsers. The possible security implications of misconfigured CORS headers will be discussed.
 +
 
 +
'''Speaker:''' Jacob enjoys learning about security vulnerabilities and their usage in the real world.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/219563653 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, May 3, 2017 ===
 +
 
 +
'''When:'''  Wednesday, May 3rd, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Mister Tramps Sports Pub and Cafe, 8565 Research Blvd, Austin TX 78758 (different location and date to coincide with BSides Austin) 
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, April 25, 2017 ===
 +
 
 +
'''When:''' Tuesday, April 25th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' The CISO Playbook
 +
 
 +
<blockquote>The era of CISO-as-dictator is at an end. Growing cybersecurity with the business can be tricky and requires security leaders to find ways to get to “yes” with the business. This session will cover solid tactics to lead successful change throughout your organization.</blockquote>
 +
 
 +
'''Speaker:''' John McLeod
 +
 
 +
<blockquote>John McLeod is the CISO at AlienVault, responsible for cyber security in the enterprise and their products. John is a former Air Force Special Agent with over 20 years of experience in information security including but not limited to criminal, counter-intelligence, fraud and computer crime investigations. Prior to joining Alienvault, he served as the Director of Information Security for National Oilwell Varco. His experience includes management roles for Halliburton, Mandiant, Guidance Software, and Mantech International. The US Intelligence community recognized him for his work in steganography. As a consultant, he responded to some of the highly publicized cyber-attacks, including: Moonlight Maze, Titian Rain, Night Dragon, TJX and Operation Aurora. He holds a B.S. in Information Systems Management from the University of Maryland University College, and M.S. in Network Security from Capitol College in Maryland. Additionally, he is a Certified Information Systems Security Professional (CISSP).</blockquote>
 +
 
 +
[https://vimeo.com/214731194 Vimeo] | [https://www.owasp.org/images/b/b5/OWASP-Austin-Chapter-2017-04_CISO-Playbook.pdf Presentation Slides]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
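Review bot: In the John McLeod bio, the incident name "Titian Rain" looks like a misspelling of "Titan Rain", and the company name appears as both "AlienVault" and "Alienvault" within the same blockquote. Confirm both against the speaker's submitted bio and make the capitalisation consistent.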
 +
 
 +
=== Austin Security Professionals Happy Hour, April 6, 2017 ===
 +
 
 +
'''When:'''  Thursday, April 6th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd). 
 +
 
 +
'''Sponsor:''' Amazon
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, March 28, 2017 ===
 +
 
 +
'''When:''' Tuesday, March 28th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' DevSecOps Lessons from Detroit to Deming
 +
 
 +
<blockquote>In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day.  To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality.  At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality vehicles, for less cost, at higher velocity.  As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan.
 +
 
 +
The parallels between the auto industry of 35 years ago and software development practices in place today are remarkable.  DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects including critical security vulnerabilities.
 +
 
 +
This session aimed to enlighten Security, DevOps,  and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation also revealed findings from the 2017 DevSecOps Community survey where over 2,200 professionals shared their experiences blending DevOps and security practices together.  Throughout the discussion, Derek shared lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.
 +
</blockquote>
 +
 
 +
'''Speaker:''' Derek E. Weeks
 +
 
 +
<blockquote>After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek become a huge advocate of applying proven supply chain management principles into AppSec practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevSecOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation.  Derek is also the co-founder of the All Day DevOps conference and the lead researcher behind the annual State of the Software Supply Chain report.</blockquote>
 +
 
 +
[https://vimeo.com/210478219 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
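Review bot: In the Derek E. Weeks bio, "Soon after, Derek become a huge advocate" should be "became". The third paragraph of the abstract is also written in the past tense ("This session aimed", "revealed", "shared") while the first two paragraphs and the other entries' abstracts use the present, so pick one tense for the whole abstract.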
 +
 
 +
=== Austin Security Professionals Happy Hour, March 9, 2017  ===
 +
 
 +
'''When''':  Thursday, March 9th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where''': Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd). 
 +
 
 +
'''Sponsor''': Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
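Review bot: The field labels in this entry put the colon outside the bold markup ('''When''':, '''Where''':, '''Sponsor''':), while the surrounding entries use '''When:''' with the colon inside. Use the same label markup as the other entries so the listing renders uniformly.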
 +
 
 +
=== OWASP Austin Chapter Meeting, February 28, 2017 ===
 +
 
 +
'''When:''' Tuesday, February 28th @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Building and Breaking Password Reset Mechanisms
 +
 
 +
<blockquote>It happens to everyone, you forgot your password. Now you need to get back into your account and prove you are who you say, but without using your password as proof. How, then, can that be done securely? More interestingly, how can it be done insecurely? This talk will dissect a number of security vulnerabilities found in real-world password reset mechanisms, and discuss how password reset mechanisms should be built.</blockquote>
 +
 
 +
'''Speaker:''' Dan Crowley
 +
 
 +
<blockquote>Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.</blockquote>
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, February 9, 2017 ===
 +
 
 +
'''When''':  Thursday, February 9th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where''': Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd). 
 +
 
 +
'''Sponsor''': Vectra Networks
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, January 31, 2017 ===
 +
 
 +
'''When:''' Tuesday, January 31st @ 11:45 AM - 1:00 PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Random Number Generation - Lava Lamps, Clouds and the IoT
 +
 
 +
<blockquote>Random numbers are the basis of security for all cryptography, yet they are often taken for granted. Learn why random numbers are so hard to generate and validate, compare different technologies in use today across virtualized environments, and discuss operational steps to take the risk out of random numbers and help secure cryptosystems even into the era of quantum computers.</blockquote>
 +
 
 +
'''Speaker:''' Richard Moulds
 +
 
 +
[https://vimeo.com/202234199 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, January 12, 2017 ===
 +
 
 +
'''When:'''  Thursday, January 12th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill], 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsors''': Bugcrowd and Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
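Review bot: The '''Where:''' line in this entry has a stray closing bracket, "Sherlock’s Baker St. Pub & Grill], 9012 Research Blvd", which the other entries for the same venue do not have. It looks like the remainder of link markup whose opening half was removed; drop the "]" or restore the full link.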
 +
 
 +
----
 +
 
 +
==2016==
 +
----
 +
 
 +
=== OWASP Austin Chapter Meeting, September 27, 2016 ===
 +
 
 +
'''When:''' Tuesday, September 27th @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Moving to the cloud
 +
 
 +
<blockquote>Moving to the cloud is unavoidable -- but it severely disrupts security ownership and your existing security processes.</blockquote>
 +
<blockquote>David will discuss his experience moving Contrast to AWS, the steps being taken to ensure the stack stays secure, and the journey to become SOC2 Compliant.</blockquote>
 +
 
 +
'''Speaker:''' David Hafley
 +
 
 +
<blockquote> David Hafley has been building consumer and enterprise products for over ten years.  He’s currently head of engineering operations for Contrast Security, where he lives for push buttons deploys, building systems that help the engineering team become more productive, and uptime.  Prior to Contrast Security, David held positions at MyEdu (acquired by Blackboard) and AOL.  He has a degree in Computer Science from DePauw University in [tropical] Greencastle, IN.</blockquote>
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour, September 8, 2016 ===
 +
 
 +
'''When:'''  Thursday, September 8th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill], 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, August 30, 2016 ===
 +
 
 +
'''When:''' Tuesday, August 30th @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Malicious PowerShell detection
 +
 
 +
'''Speaker:''' Peter Ewane
 +
 
 +
<blockquote> Peter is a security researcher at AlienVault and will be discussing malicious PowerShell detection.</blockquote>
 +
 
 +
[https://vimeo.com/180781698 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Gemalto, August 11, 2016 ===
 +
 
 +
'''When:'''  Thursday, August 11th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd). 
 +
 
 +
'''Sponsor:''' Gemalto
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, July 26, 2016 ===
 +
 
 +
'''When:''' Tuesday, July 26th @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759
 +
 
 +
'''Title:''' If I Knew Then What I Know Now: Building an InfoSec Program from Scratch
 +
<blockquote>
 +
Congratulations! You’ve been working hard for years and your employer has finally seen your potential. You’ve now been promoted to being the only person responsible for starting and managing an Information Security Program for a $1B+/yr company. With nobody there to help you and a minuscule budget, where do you start? How do you determine where the issues lie and prioritize how to fix them? At what point do you grow your team and how do you justify it? This vendor-agnostic talk will cover what you need to know in order to build an efficient, cost-effective, and relevant security program for your company.
 +
</blockquote>
 +
'''Speaker:''' Josh Sokol
 +
<blockquote>
 +
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/176377672 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Technology Navigators, July 14, 2016 ===
 +
 
 +
'''When:'''  Thursday, July 14th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Technology Navigators
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, June 28, 2016 ===
 +
 
 +
'''When:''' Tuesday, June 28th @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759
 +
 
 +
'''Title:''' Game of Hacks: Play, Hack & Track
 +
 
 +
<blockquote>Playing around with some ideas we found ourselves creating a hacker magnet. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne. Within 24 hours we had 35K players test their hacking skills...we weren't surprised when users started breaking the rules. Join us to:</blockquote>
 +
 
 +
<blockquote>
 +
* Play GoH against the audience in real time and get your claim for fame
 +
* Understand how vulnerabilities were planted within Game of Hacks
 +
* See real attack techniques (some caught us off guard) and how we handled them
 +
* Learn how to avoid vulnerabilities in your code and how to go about designing a secure application
 +
* Hear what to watch out for on the ultra-popular node.js framework.
 +
</blockquote>
 +
 
 +
'''Speaker:''' Igor Matlin
 +
<blockquote>
 +
Igor has over 19 years of technical experience in high-tech companies as a software engineer and technical lead. Prior to joining Checkmarx as our Senior Solutions Architect, Igor worked as a Technical Manager at Myriad, a leading mobile software company, and as a Software Engineer and Product Manager at Novarra, acquired by Nokia in 2010. Igor is an appreciated speaker at forums such as ISC2, BSides, and OWASP.
 +
 
 +
Igor studied at Belarusian State University of Informatics and Radioelectronics and received his B.Sc in Computer Science and Math from Christian Brothers University.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/172622250 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Ixia, June 9, 2016 ===
 +
 
 +
'''When:'''  Thursday, June 9th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd). 
 +
 
 +
'''Sponsor:''' Ixia
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, May 31, 2016 ===
 +
 
 +
'''When:''' Tuesday, May 31st @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759
 +
 
 +
'''Title:''' The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration
 +
 
 +
<blockquote>
 +
There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
 +
 
 +
This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
 +
</blockquote>
 +
 
 +
'''Speaker:''' Dan Cornell
 +
<blockquote>
 +
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/168872344 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Rapid7, May 12, 2016 ===
 +
 
 +
'''When:'''  Thursday, May 12th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, April 26, 2016 ===
 +
 
 +
'''When:''' Tuesday, April 26th @ 11:45 - 1PM
 +
 
 +
'''Where:''' Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 +
 
 +
'''Title:''' Data-Driven App Sec
 +
 
 +
<blockquote>
 +
New research into application security practices at over 100 companies will be presented, covering software security strategies and tactics as they are practiced in the wild, based on the new BSIMM6 dataset. Statistics will be balanced with war stories from the field to illustrate foundational principles of starting and sustaining programs, as well as “what not to do” gotchas that can kill an initiative in its tracks.
 +
</blockquote>
 +
 
 +
'''Speaker:''' Joel Scambray
 +
<blockquote>
 +
Joel Scambray is a Principal at Cigital, a leading software security consulting firm established in 1992. He has helped Fortune 500-class organizations address information security challenges for over twenty years as a consultant, author and speaker, corporate leader, and entrepreneur. He is widely recognized as co-author of the Hacking Exposed book series, and has worked/consulted for companies including Microsoft, Foundstone, Amazon, Costco, Softcard, and Ernst & Young. In recognition of his work with Hacking Exposed, Joel received the ISSA President’s Award for Public Service in 2015.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/164300496 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Veracode, April 14, 2016 ===
 +
 
 +
'''When:'''  Thursday, April 14th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill], 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Veracode
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Core Security, March 30, 2016 ===
 +
 
 +
'''When:'''  Wednesday, March 30th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:'''  Core Security
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, March 29, 2016 ===
 +
 
 +
'''When:''' Tuesday, March 29th @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Lean Security
 +
 
 +
<blockquote>
 +
Moving fast is a business imperative that you can’t afford to be in opposition to. Lean, DevOps and Continuous Delivery philosophies hinge on the ability to move fast through collaboration, automation, and aligning with the flow of the organization. Security needs to be able to make the same transformation.
 +
 
 +
As a concrete example of applying these approaches to security, we will show how a platform automation approach to security increases transparency and visibility throughout the organization and pairs with the high-throughput philosophies of DevOps and Continuous Delivery, while working with the way the business functions and not against it.
 +
 
 +
From this session, you will:
 +
 
 +
* Understand the Lean, Agile, and DevOps techniques emerging in organizations today
 +
* Be armed with organizational strategies for bridging devops and security
 +
* Apply Lean thinking to security operations.
 +
</blockquote>
 +
 
 +
'''Speaker:''' Ernest Mueller
 +
<blockquote>
 +
Ernest Mueller is a 20-year IT veteran who has led a variety of teams designing, building and operating SaaS and Web products for companies large and small. Frequently, that has involved innovating Agile, DevOps, and cloud transformations to meet the needs of the modern marketplace. He writes about these topics at theagileadmin.com. Ernest is also active in advocating for the Austin technologist community, and organizes events like DevOpsDays Austin and user groups like CloudAustin. As Lean Systems Manager for AlienVault, he focuses on empowering the technical teams and creating a high velocity path to deliver value to customers. Ernest resides in Austin, TX with his daughter Aoife.
 +
</blockquote>
 +
 
 +
[https://vimeo.com/channels/owaspaustin Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, February 23, 2016 ===
 +
 
 +
'''When:''' Tuesday, February 23rd @ 11:45 - 1PM
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Rugged DevOps Using Gauntlt
 +
 
 +
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
 +
 
 +
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
 +
 
 +
Three Takeaways: 
 +
# You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
 +
# Armed with tools and ideas for monitoring your operational and runtime security.
 +
# You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
 +
 
 +
Bring a laptop (mac or linux) that you can install software on and a github account.
 +
 
 +
'''Speaker:''' James Wickett (see bio at about.me/wickett)
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Rapid7, February 18, 2016 ===
 +
 
 +
'''When:'''  Thursday, February 18th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Rapid7
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
 
 +
=== OWASP Austin Chapter Meeting, January 26th ===
 +
 
 +
'''When:''' Tuesday, January 26th @ 11:45 - 1PM
 +
 
 +
'''Title:''' CryptoParty
 +
 
 +
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars.  We must be free to communicate and associate without fear.
 +
 
 +
To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions.  CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online.  Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.
 +
 
 +
On Tuesday, January 26 at 11:45 AM, the Austin Chapter of the OWASP Foundation invites you to join us for our second annual CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.  The event will be held in Building C, Room 1S13, on the National Instruments campus (11500 N Mopac Expwy, Austin, TX 78759).  Please RSVP at the link below and feel free to extend this invitation to others you feel may have a need for data privacy.
 +
 
 +
'''Speaker:''' Several -- Lead by Josh Sokol
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
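Review bot: The last paragraph of this CryptoParty entry still says "Please RSVP at the link below", but no RSVP link follows it in the added lines, so readers are pointed at nothing. Drop that sentence or put the link back. Smaller points in the same entry: the heading reads "January 26th" with no year, unlike the other 2016 headings above it; there is no '''Where:''' line, although the other 2016 chapter meetings have one and the location is given only in the body text; and "Lead by" in the '''Speaker:''' line should read "Led by".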
 +
 
 +
=== Austin Security Professionals Happy Hour sponsored by Bugcrowd, January 14th ===
 +
 
 +
'''When:'''  Thursday, January 14th, 5:00 pm - 7:00 pm
 +
 
 +
'''Where:''' Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
 +
 
 +
'''Sponsor:''' Bugcrowd 
 +
 
 +
An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 19,000 security researchers to surface critical software vulnerabilities. Bugcrowd provides a range of vulnerability disclosure and bug bounty programs that allow organizations to commission a customized security testing program that fits their needs.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
 +
 
 +
==2015==
 +
----
 +
 
 +
=== OWASP Austin Chapter Meeting, September 29th ===
 +
 
 +
'''When:''' Tuesday, September 29th @ 11:45 - 1PM
 +
 
 +
'''Title:''' Log Everything, even if it is just on local disks
 +
 
 +
Logs are as important as SQLi, XSS or Secure Coding!  OWASP has a “Logging Cheat Sheet”, and there are the “Windows Logging Cheat Sheet”, “Windows PowerShell Logging Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and several other I created, but we still lack an understanding of logging when it comes to Application Security and DevOps.
 +
 +
Enabling and configuration of logs must become as basic and a standard practice as doing WebApp security scans, secure code reviews or secure webapp design, which should include application log design and implementation.  You don’t need an expensive log management solution to do good application security or DevOps log configuration.  What we need is to include all our Cheat Sheets into DevOps builds so enabling and configuration is baked in and to include a log design review as a part of our application secure reviews.  So WHEN we need log data, it is there for us. 
 +
 
 +
'''Speaker:''' Michael Gough
 +
 
 +
Michael is the founder of "Malware Archaeology" and has 20 years experience in IT and Information Security and currently in the Healthcare sector.  In the past Michael has been a consultant for HP and other consultancies, an analyst for the Financial sector, Health Care and State of Texas.  Michael now focuses his talents as a Blue Team Defender, malwarian fighter and malware archeologist, protecting his employer from nefarious ne`er-do-wellers.
 +
 
 +
Michael also led BSides Texas with Michelle Klinger for 6 years and led the BSides Austin conference held in March.  Michael discovered the WinNTI malware 10 months before Kasperski released their report.  He also discovered and exploited a major Card Key system flaw back in 2010 which can be found on YouTube.
 +
 
 +
Michael is a creator of the Malware Management Framework, a process to help discover malware on Windows based systems.  Michael also developed the “Windows Logging Cheat Sheet” to provide a starting point on detailed logging for Windows hosts.
 +
 
 +
Michael's resources may be found on his website:
 +
MalwareArchaeology
 +
 
 +
[[https://vimeo.com/140831113 Vimeo]]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
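Review bot: The video link in this September 29th entry is wrapped in double brackets ("[[https://vimeo.com/140831113 Vimeo]]"). MediaWiki renders a URL inside double brackets as an external link surrounded by literal square brackets, so it displays as "[Vimeo]". Use the single-bracket form that the 2016 entries use, for example "[https://vimeo.com/180781698 Vimeo]". The August 25th Vimeo link and the June 30th Prezi link have the same problem. Also, "Michael's resources may be found on his website:" is followed only by the bare word "MalwareArchaeology" with no URL; add the link or remove the sentence.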
 +
=== Austin Security Professionals Happy Hour sponsored by Veracode, September 10th ===
 +
 
 +
'''When:''' Thursday, September 10th, 5-7PM
 +
 
 +
'''Where:''' Sherlocks Street Pub and Grill, 9012 Research Blvd
 +
 
 +
'''Sponsor:''' Veracode
 +
 
 +
Veracode’s cloud-based service and programmatic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 25+ of the world’s top 100 brands.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin Chapter Meeting, August 25th ===
 +
 
 +
'''Title:''' Eat Your Own Dogfood
 +
 
 +
As security professionals, we have made it our jobs to tell other people how to be secure.  We preach security in everything from applications to systems to networks and more.  We get more and more frustrated with each and every issue that we find and sometimes even angry when others aren't fixing things fast enough.  But, with all of the berating that we do of others for their security downfalls, how many of us actually put in the time and effort to do things right ourselves?  And what happens when those people who we are trying to teach see us not practicing what we preach?  Security begins and ends with you.  It's time to start eating your own dogfood.
 +
 
 +
'''Speaker:''' Josh Sokol
 +
 
 +
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
 +
 
 +
[[https://vimeo.com/137286259 Vimeo]]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Dell SecureWorks, August 13th ===
 +
 
 +
'''Where:''' Sherlocks Street Pub and Grill, 9012 Research Blvd
 +
 
 +
'''Sponsor:''' Dell SecureWorks
 +
 
 +
'''Dell SecureWorks focuses exclusively on information security services to protect thousands of customers around the world.'''
 +
 
 +
As a security service provider, we strive to be a world leader in everything related to information security; from firewall management services, combating advanced persistent threats to ensuring your PCI readiness for compliance. Our Global Headquarters located in Atlanta, GA is where a large amount of monitoring and research is performed while working in tandem with our other US, Europe and Japan offices. Many industries and IT security companies need assistance in maintaining or even building a new infrastructure for their information security and we have the expert security analysts to assist you along the way through consulting, audits, assessments, and tests.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin Chapter Meeting, July 28th ===
 +
 
 +
'''Title:''' The EMV Card Standard - What is it and How Does it Work?
 +
 
 +
Europay MasterCard Visa (EMV) is a global standard by introducing a microprocessor chip into all debit and credit cards. This chip which will eventually replace the current magnetic strip on the back of credit cards as a means of mitigating credit card fraud.  All U.S. merchants will be required to support EMV by October, 2015.
 +
 
 +
This new standard has been in use in Europe and Asia for many years and has proven to be an improvement over the mag stripe.  However, there are new risks associated with the chip and the debate of the proper implementation of this new standard (e.g. the advantage over “chip-and-pin” vs. “chip-and-signature”) will continue for some time.
 +
 
 +
What is this new technology and how will it be used in transactions?  The physical and logical security characteristics of this new standard will be presented, new risks will be addressed and security recommendations will be given.
 +
 
 +
'''Speaker:''' Larry Moore
 +
 
 +
Larry Moore has over sixteen years of Information Security experience as part of his thirty year IT career. Larry has worded on diverse areas of Information Security including architecture, secure software development, penetration testing, server administration, project manager and executive manager.  Larry has served at the State of Texas in their critical infrastructure protection and in the technical and financial sector.
 +
 
 +
Larry graduated from the Florida Institute of Technology with a degree in Computer Science and began his work on various projects for NASA.  His post-NASA work included applications, device drivers and kernel extensions on various operation systems such as OS/2, Windows and Unix variants.  His work on the AIX security kernel included audit, single sign-on, PKI and a behavioral-based intrusion detection tool which was a precursor to his migration to the information security field.  Larry recently served as the Chief Solution Security Officer for Gemalto’s North American region where he ensured the proper delivery of security requirements for the company’s trusted platforms and mobile payment solutions for large and small customers.  Larry has also audited, designed or modified the security programs for three of the company’s large data centers across the globe to enable customer mobile payment processing.
 +
 
 +
Larry serves on the board at the Computer Science department at Parker University in Dallas and the Austin chapter of the International Systems and Security Association.  Larry is also Vice-President and IT Sector Chief for the Austin chapter of Infragard and has given numerous presentations and written numerous articles on security architecture, threat intelligence and software development.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
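Review bot: The opening of the abstract in this July 28th entry does not parse: "is a global standard by introducing a microprocessor chip into all debit and credit cards" is followed by the fragment "This chip which will eventually replace ...". Reword both as complete sentences. In the speaker bio, "Larry has worded on diverse areas" should read "worked", and "various operation systems" should read "operating systems". The entry also has no '''When:''' line, unlike the June 30th and May 26th meetings.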
 +
=== Austin Security Professionals Happy Hour sponsored by Technology Navigators, July 9th ===
 +
 
 +
'''Where:''' Sherlocks Street Pub and Grill, 9012 Research Blvd
 +
 
 +
'''We’re Technology Navigators.'''
 +
 
 +
Technology Navigators is a technical staffing firm, specialized in recruiting skilled individuals for project-oriented consulting and contract positions. We’ve been firmly rooted in the Austin technology community since 1999, and have been providing companies that develop, build, and use technology with the people they need to grow their business for over 15 years.
 +
 
 +
'''We’re Organically Grown and Operated.'''
 +
 
 +
Our mission is to build an extraordinary future for both people and business. We use a mix of innovative processes and old-fashioned ideas about people to build lasting relationships with our clients and candidates. We bring a dynamic, hands-on approach to every opportunity.
 +
 
 +
'''We Make Staffing Easy.'''
 +
 
 +
We most frequently recruit for positions in software, infrastructure, data management, ERP, CRM, support, and information security. Examples of the job titles included in these areas are:
 +
*Software Developers
 +
*Software Architects
 +
*Web Developers
 +
*Mobile Developers
 +
*Software Project Managers
 +
*Software Business Systems Analysts
 +
*Software Quality Assurance Testers
 +
*Network Engineers
 +
*Network Systems Administrators
 +
*Data Warehouse Architects
 +
*Desktop Engineers
 +
*Database Developers
 +
*Database Administrators
 +
*ETL Developers
 +
*Business Intelligence and Reporting
 +
*ERP Developers
 +
*ERP Administrators
 +
*CRM Developers
 +
*CRM Administrators
 +
*RF Test Engineers
 +
*Systems Engineers
 +
*Hardware Test Engineers
 +
*Information Security Professionals
 +
- See more at: http://technologynavigators.com
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin Chapter Meeting, June 30th ===
 +
 
 +
'''When:''' Tuesday, June 30th @ 11:45 - 1PM
 +
 
 +
'''Title:''' Authz is the new Authn: Trust Elevation with UMA and OpenID Connect
 +
 
 +
Increased trust in an online identity = increased mitigation of the risk of fraud. As an enterprise interacts with a person via the Internet, it may be prudent, for certain transactions, to have more evidence of that person’s identity. Web Access Management systems include some proprietary features to force “stepped-up authentication.” But luckily, new OAuth2 profiles like UMA and OpenID Connect offer a standards based approach to achieve inter-domain trust elevation. This session will include a high level overview of the Enterprise UMA use case and some of the useful OpenID Connect features that can be leveraged to create centralized authentication policies.
 +
 
 +
'''Speaker:''' Mike Schwartz
 +
 
 +
Mike has been an entrepreneur and identity specialist for over 18 years. He is the technical and business visionary behind Gluu, whose open source OX projects enable domains to centralize authentication and authorization using open standards like SAML and OAuth2. Mike is a domain expert in application security, directory services, and strong authentication. He has been a guest speaker at RSA Europe, Gartner Catalyst, EIC and other identity conferences.
 +
 
 +
[[http://gluu.co/trust-el-prezi Prezi] ]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Vectra Networks, June 11th ===
 +
 
 +
'''Where:''' Sherlocks Street Pub and Grill, 9012 Research Blvd
 +
 
 +
Vectra Networks™ is the leader in real-time detection of in-progress cyber attacks. The company’s advanced threat-detection solution continuously monitors internal network traffic to pinpoint cyber attacks as they happen. It then automatically correlates threats against hosts that are under attack and provides unique context about what attackers are doing so organizations can quickly prevent or mitigate loss. Vectra prioritizes attacks that pose the greatest business risk, enabling organizations to make rapid decisions on where to focus time and resources. In 2015, Gartner named Vectra a Cool Vendor in Security Intelligence for addressing the challenges of post-breach threat detection. Visit us at www.vectranetworks.com.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin Chapter Meeting, May 26th ===
 +
 
 +
'''When:''' Tuesday, May 26th @ 11:45 - 1PM
 +
 
 +
'''Title:''' Case Study: Key Takeaways from Indeed’s Crowdsourced Security Testing Program
 +
 
 +
State of the art security programs are turning to bug bounties to leverage a vast array of skill-sets and knowledge. Learn why these programs work, potential pitfalls, when to deploy them and when not to deploy them.The speaker will discuss real world examples from Indeeds Bug Bounty program and focus on cases where business logic flaws and high priority vulnerabilities were found ... even with existing security testing processes in place.
 +
 
 +
Attendees will learn:
 +
* Testing methods deployed by our crowd
 +
* Examples of the bugs found
 +
* Workflow and the crowd- Tips and Tricks
 +
* Trends on which vulnerability types are found most often and why
 +
* What is the ROI on the pay for performance model
 +
* Where does the SDLC merge into crowdsourced testing
 +
 
 +
'''Speaker:''' Charles Valentine, VP of Technology Services at Indeed.com
 +
 
 +
Charles leads global infrastructure operations and engineering, security, and IT strategy for the #1 job site worldwide. The Indeed.com infrastructure serves over 180 million monthly job seekers, from multiple data centers located around the globe, maintaining better than 99.999% availability and sub-second response times. Indeed is available in more than 50 countries and 28 languages, covering 94% of global GDP.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by iSEC Partners, May 14th ===
 +
 
 +
'''Where:''' Sherlocks Street Pub and Grill, 9012 Research Blvd
 +
 
 +
iSEC Partners is an expert full-service information security firm.
 +
 
 +
Our security assessments leverage our extensive knowledge of current security vulnerabilities, penetration techniques and software development best practices to enable customers to secure their applications against ever-present threats on the Internet. Primary emphasis is placed upon helping software developers build safe, reliable code.
 +
 
 +
iSEC Partners also provides extensive research in many information security areas such as application attack & defense, web services, operating system security, privacy, storage network security and malicious application analysis.
 +
 
 +
iSEC Partners has been part of information assurance company, NCC Group plc, since October 2010.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin March Chapter Meeting - April 28th ===
 +
 
 +
'''Title:''' Using OpenSAMM for Benchmarking and Software Security Improvement
 +
 
 +
We all know that behind every breach story in the press is an organization that probably should have done more to build secure software.  Yet, organizations struggle mightily to focus resources on building software securely from the outset and, as a result, software security remains an after the fact “nice to do” and not a “have to do” activity in many organizations.  How can organizations determine the right sets of activities or appropriate resource allocation levels that it should undertake to adequately address software risk? Organizations can make these determinations by benchmarking via OWASP’s Open Software Assurance Maturity Model (OpenSAMM) framework.
 +
 
 +
A coalition of leading application security industry vendors recently contributed benchmarking data in order to enhance OpenSAMM and its assessment framework. These efforts will enable organizations to step up their software security game and identify hurdles by using OpenSAMM as a powerful benchmarking tool.  John will provide details on an ongoing industry effort to improve OpenSAMM by providing more comparative data to encourage broader use throughout industry.
 +
 
 +
'''Speaker:''' John Dickson
 +
 
 +
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.
 +
 
 +
A former U.S. Air Force officer, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT). Since his transition to the commercial arena, he has played significant client-facing roles with companies such as Trident Data Systems, KPMG and SecureLogix Corporation.
 +
 
 +
Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at other international security conferences. He is a sought-after security expert and regularly contributes to Dark Reading and other security publications. He also regularly contributes to the Denim Group blog where he writes about key security industry issues such as software security and cyber security policy. A Distinguished Fellow of the International Systems Security Association, he has been a Certified Information Systems Security Professional (CISSP) since 1998.
 +
 
 +
Dickson is currently the Chairman of the San Antonio Chamber of Commerce Cyber Security Committee where economic development, workforce and advocacy issues involving San Antonio’s growing cyber security industry are coordinated. Dickson is also a member of the prestigious Texas Business Leadership Council, the only statewide CEO-based public policy organization that serves as a united voice for the state’s senior executives to participate in the legislative and regulatory process. Most recently, he was the past Chairman of the Texas Lyceum, a leadership group that prepares leaders for the State of Texas and served as Chairman of the North San Antonio Chamber of Commerce. He also served as the local President of the Information Systems Security Association and was an honorary commander of the 67th Cyber Space Wing which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation.
 +
 
 +
He holds a Bachelor of Science degree from Texas A&M University, a Master of Science degree from Trinity University and a Masters in Business Administration from the University of Texas in Austin. Dickson resides in San Antonio, Texas where he is married with two children.
 +
 
 +
Webcast: [https://vimeo.com/126319348 Vimeo]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by iSEC Partners, April 9th ===
 +
'''Sponsor:''' iSEC Partners
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin Chapter Meeting - March 31st ===
 +
 
 +
'''Title:''' Top 10 Web Hacking Techniques of 2014
 +
 
 +
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges.
 +
 
 +
'''Speaker:''' Matt Johansen
 +
 
 +
Matt Johansen is a Senior Manager for the Threat Research Center at WhiteHat Security. He manages a team of Application Security Specialists,
 +
Engineers and Supervisors, to prevent website security attacks and protect companies' and their customers' data. He was previously a security
 +
consultant, where he was responsible for performing network and web application penetration tests. Johansen is also an instructor of Web
 +
Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also
 +
been utilized by the SANS Institute as an industry expert for certification review.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Alert Logic, March 11th ===
 +
'''Sponsor:''' Alert Logic
 +
 
 +
Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides security and compliance for cloud, hybrid, and on-premises data center infrastructure. Fully managed by a team of experts, Alert Logic’s Cloud Defender suite delivers the deep security insight and continuous protection needed to protect a company’s most sensitive data. Alert Logic provides network, system, and application protection for over 3,000 organizations worldwide. Built for cloud scale, the Alert Logic ActiveAnalytics platform manages over 5 petabytes of data, analyzes over 450 million events and identifies over 60,000 security incidents monthly that are managed by our security operations center.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin February Chapter Meeting - February 24th ===
 +
Title: Static Analysis: Beyond the Basics
 +
 
 +
Static vulnerability analysis is the practice of testing non-running software for application vulnerabilities. It is often referred to as SAST, white box testing, or automated code review. In this session we will cover some of the hows and whys of static analysis and deep dive some of the common issues users of SAST technologies often encounter. Topics will include data flow analysis and taint propagation, scan noise, and partial code scanning, specifically around OWASP Top 10 issues. The material should provide value to anyone with an interest in application security, not just static analysis practitioners.
 +
 
 +
Speaker: Andy Earle
 +
 
 +
Andy Earle is a Security Solutions Architect for HP Enterprise Security Products (ESP). Andy has spent 5 years designing and delivering application security programs, technology, and services for US Federal and commercial customers, specifically around HP's Fortify appsec products. Andy was previously the product manager for a high assurance multi-level secure operating system at BAE Systems, and Presales Engineer for various web development and mobile security firms. Andy has spoken extensively on application security topics, most recently at OWASP's SnowFROC 2013, the RMISC conference, SANS AppSec 2013, and HP Protect. Early experience includes software engineering, mobile application development, and lifeguarding at his neighborhood pool. Andy is a CISSP and CSSLP, and has a B.S. in Systems Engineering from the University of Virginia.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Qualys, February 19th ===
 +
'''Sponsor:''' Qualys
 +
 
 +
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud security and compliance solutions with over 6,700 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
 +
 
 +
Qualys WAS (Web Application Scanning) Winner of Information Security™ magazine and SearchSecurity.com Readers' Choice Award in the “Best of Application Security 2014” category. Qualys WAS is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure thousands of web sites.
 +
 
 +
Qualys WAF (Web Application Firewall) Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin January Chapter Meeting - January 27th ===
 +
'''Title:'''  CryptoParty!!!!!!
 +
 
 +
'''Abstract:'''  In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.  We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity."  The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
 +
 
 +
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars.  We must be free to communicate and associate without fear.  To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions.  CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online.  Topics include technologies like TOR, full-disk encryption, GPG, and many more.  CryptoParties are free to attend, public, and not commercially aligned.
 +
 
 +
At our January 27, 2015 OWASP Austin meeting, we will host our first ever CryptoParty with the goal of inviting others to join us in learning about the tools and technologies that enable an individual's right to privacy.  We encourage you all to invite your family, friends, and peers to attend this event.  Presentations will be laid out so that novice and experienced alike can take action based on the data presented.  All tools presented will be free and open source.  Our CryptoParty will end with the first-ever OWASP Austin Key Signing Party.  Don't miss this meeting and be sure to invite your friends!
 +
 
 +
'''Speaker(s):''' Several amazing security professionals who like Crypto and want to Party with OWASP
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by FishNet Security, January 8th ===
 +
'''Sponsor:''' FishNet Security
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
 +
==2014==
 +
----
 +
 
 +
=== LASCON 2014 - October 23rd and 24th ===
 +
 
 +
The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX.  It started in 2010 when James Wickett (@wickett) and Josh Sokol (@joshsokol) along with the OWASP Austin crew put together an amazing 1-day conference with a speaker lineup of some of the who’s-who of the infosec and appsec world. In 2011, the conference grew to over 250 attendees and in 2012 the OWASP Austin crew hosted AppSec USA LASCON Edition–which has been heralded as the best security conferences ever by long-time infosec luminary Gene Kim.
 +
 
 +
LASCON 2014, run by David Hughes (@Dav1dHugh3s) and the OWASP Austin crew, will be run in the same tradition as previous LASCON conferences featuring the best speakers, a close-knit community atmosphere and even our signature happy hour replete with a mechanical bull. Year over year, LASCON has been a gathering of thought leaders, web developers, security engineers, mobile developers and information security professionals. LASCON 2014 will have 2 days of pre-conference training and 2 full days of conference across 4 rooms.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin September Chapter Meeting - September 30th ===
 +
'''When:''' September 30th, 11:30AM to 1PM
 +
 
 +
'''Title:'''  Account Entrapment
 +
 
 +
'''Abstract:'''  This talk covers two ways to force a victim into an attacker's account (Account Entrapment): Login Cross-Site Request Forgery and Cookie-based or Session Entrapment. This is a commonly overlooked vulnerability despite high-profile exploits including Youtube.com. Because it is often disregarded, this talk begins with an in-depth look at attack scenarios and what an attacker can actually gain. It then describes how the two attacks work and how to defend against them. Finally, though these attacks are prevalent across the internet, it will show why state agencies (with domains ending in .state.**.us) and large organizations with many subdomains face special problems when building defenses against these attacks.
 +
 
 +
'''Speaker:''' Ben Broussard
 +
 
 +
'''About:''' Ben Broussard has been involved in the Austin Appsec scene since 2008, helping to plan the first LASCON and running the OWASP study group for a time. After doing subcontracting work for a number of security shops and gaining a breadth of experience on both the threatscape and the security organizations that attempt to address it, he took a position with San Antonio based Denim Group (now with an Austin office). When not researching appsec, Ben is a hobbyist in Human Physiology, Acrobatics, Human Evolution, Brazilian Jiu Jitsu, and toddler wrangling. He also runs Hot Lava Obstacle Course located on Burnet Road.
 +
 
 +
(No Video)  Link to slides at [http://www.slideshare.net/benlbroussard/account-entrapment slideshare]
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Set Solutions Inc., September 11th ===
 +
'''When:''' Thursday, September 11th, 5-7PM
 +
 
 +
'''Sponsor:''' Set Solutions Inc.
 +
 
 +
For over 20 years, Set Solutions, Inc.—a full service provider of network security, secure remote access and bandwidth management solutions—has been in the business of increasing business profitability and growth.
 +
 
 +
If you have network security challenges or just want to improve the health of your network, Set Solutions can help.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin August Chapter Meeting - August 26th ===
 +
'''When:''' August 26th, 11:30AM to 1PM
 +
 
 +
'''Title:''' Identifying Web Attacks via Data Analysis
 +
 
 +
'''Abstract:''' This presentation will look at detection of SQL injection using Machine Learning as well as profiling web traffic to find misbehaving hosts. The goal is to get beyond "Top N" types of analysis and begin using multiple features to guide us towards interesting traffic. With these techniques multiple log types can be used, everything from web server logs to proxy logs.
 +
 
 +
'''Speaker:''' Mike Sconzo
 +
 
 +
Mike enjoys attempting to solve/solving interesting security problems with data analysis. He's spent most of his career on the defensive side, and is constantly looking for new ways to detect suspicious and malicious behavior. His background is heavy in network analysis and most of the explored techniques revolve around use cases involved with network forensics.
 +
 
 +
'''Video Archive:''' https://vimeo.com/channels/owaspaustin/104466721
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Trustwave, August 14th ===
 +
'''When:''' Thursday, August 14th, 5-7PM
 +
 
 +
'''Sponsor:''' Trustwave
 +
 
 +
The Trustwave suite of application security solutions, delivered by an expert team of application specialists, ensures that your application is tested and reviewed thoroughly. The application security team uses manual processes to test and review applications according to your needs. The result is specific guidance that can significantly improve the security of your applications and protect your business.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin July Chapter Meeting - July 29th ===
 +
'''When:''' July 29th, 11:30AM to 1PM
 +
 
 +
'''Title:''' Railsgoat
 +
 
 +
While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as solutions for remediation. This talk will discuss Railsgoat, common issues, defensive measures, and engage the audience for feedback/improvements.
 +
 
 +
'''Speakers:''' Ken Johnson
 +
 
 +
Ken Johnson is the CTO of nVisium and leads the company's product development efforts. Ken is obsessed with code security and code in general but holds a special place in his heart for Ruby. Ken is passionate about the open source community, and genuinely loves to create. http://railsgoat.cktricky.com
 +
 
 +
'''Video Archive:''' https://vimeo.com/channels/owaspaustin/102133267
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by iSEC Partners, July 10th ===
 +
'''When:''' Thursday, July 10th, 5-7PM
 +
 
 +
'''Sponsor:''' iSEC Partners
 +
 
 +
iSEC Partners is an information security firm specializing in the assessment of application and network security. Founded in 2004, with offices in San Francisco, New York, Seattle, and  Austin, iSEC Partners provides tailored security services to many Fortune 500 clients.  iSEC consultants are published authors in the information security field and regular speakers at events including the RSA Conference, Black Hat, FS-ISAC, CanSecWest, SOURCE, InfoSecurity Europe, and the FIRST annual conference. Details of presentations delivered by iSEC Partners in recent years are available from our website at https://www.isecpartners.com/research/white-papers.aspx.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin March Chapter Meeting - June 24th ===
 +
'''When:''' June 24th, 11:30AM to 1PM
 +
 
 +
'''Title:''' Integrating process and architecture to yield robust systems
 +
 
 +
'''Abstract:''' When producing software products that meet the objectives of both the business unit and the security shop, the developer's best friend is process and a secure architecture.  Robust systems require a holistic view of security where attribution, reliability and confidentiality do not put a strain on the dev shop, but provide an environment that optimizes the use of infrastructure and standards to yield secure and robust systems. How do we do that and meet the budget and time constraints that we all face?
 +
 
 +
'''Speaker:''' Vern Williams
 +
 
 +
Vern Williams has over 30 years in Information Security starting with his responsibilities in the US Navy Submarine Force where he obtained a Masters Degree in Information Systems. Since retiring from the Navy, he has worked for several companies and has obtained certifications as a Certified Information Systems Security Professional (CISSP), a Certified Business Continuity Professional (CBCP), a Certified Secure Software Lifecycle Engineering Professional (ISSEP).  He has been one of few instructors for the CSSLP preparation seminar by ISC2.  Additionally, over the last few years, Mr. Williams has distinguished himself as an ISSA Distinguished Fellow and Senior Member of the IEEE, Fellow and served as Director of ISSA International, President of the Capitol of Texas ISSA Chapter, Chair of the Austin ASIS Chapter, President of the local USAFA Parents Association and the Disaster Relief Coordinator for the Austin Disaster Relief Network.  He has been instrumental in establishing the Certified Information Systems Security Professional (CISSP) course at Austin Community College and is a key contributor to the Texas Regional Infrastructure Security Conference (TRISC).
 +
 
 +
'''Video Archive:''' Unfortunately, due to technical difficulties, a recording was not made.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Lumenate, June 12th ===
 +
'''When:''' Thursday, June 12th, 5-7PM
 +
 
 +
'''Sponsor:''' [http://www.lumenate.com/ Lumenate]
 +
 
 +
Lumenate is a technical consulting firm that helps clients solve their most challenging business problems. We combine the brightest, experienced talent with proven and longstanding manufacturing partnerships to provide expert solutions across the following practice disciplines:
 +
 +
* Storage | Virtualization
 +
* Security | Compliance
 +
* Networking | Collaboration
 +
* Managed Services
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin March Chapter Meeting - May 27th ===
 +
'''When:''' May 27th, 11:30AM to 1PM
 +
 
 +
'''Title:''' How to Use Crowd-Sourced Threat Intelligence
 +
 
 +
'''Abstract:''' This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
 +
 
 +
'''Speaker:''' Jaime Blasco
 +
 
 +
Jaime Blasco is a Security Researcher with broad experience in network security and malware analysis. At AlienVault, Jaime manages the Lab and runs the Vulnerability Research Team in charge of researching and integrating threat intelligence into detection mechanisms.
 +
 
 +
'''Video Archive:''' http://vimeo.com/channels/owaspaustin/96621807
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by The Broadleaf Group, May 8th ===
 +
'''When:''' Thursday, May 8th, 5-7PM
 +
 
 +
'''Sponsor:''' [http://www.broadleafgroup.com/ The Broadleaf Group]
 +
 
 +
Founded in 2005, The Broadleaf Group is a leading provider of IT solutions with specific emphasis on providing Systems, Security, Unified Communications, Managed IT, Banking and CIO level consulting for SMB to enterprise level customers throughout the US. The company’s extensive experience with IT performance, optimization processes and business enablement ensures customers are provided with the most comprehensive and competitive solutions for their environments. For more information, please visit www.broadleafgroup.com.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin March Chapter Meeting - April 29th ===
 +
 
 +
'''Title:''' Covert Hacking and Application Testing with Raspberry Pi
 +
 
 +
'''Abstract:''' The $35 Raspberry Pi is a wonder device on the cheap!  But the security impact of this cheap and powerful equipment with its tiny footprint is equally interesting.  In this session you will learn how the Pi can be used as a covert, field-friendly hacking platform for less than $100 total.  The talk will address both attack and defense scenarios against the device.  We will also discuss some of the applications for Pi around application security and penetration testing.
 +
 
 +
'''Speaker:''' Branden Williams is well known in the industry as a practitioner, consultant, and thought leader. He spent a number of years helping companies solve major security and compliance problems, including building PCI DSS compliance programs for some of the largest retailers around the globe. He recently sat on the PCI Board of Advisors and published the third edition of his book, PCI Compliance (Syngress, 2012) in August. Branden routinely speaks with organizations big and small with various levels of regulation to help them reduce their overall risk footprint and build safer and more efficient IT functions.
 +
 
 +
'''Video Archive:''' https://vimeo.com/93323292
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Digital Defense, April 10th ===
 +
'''When:''' Thursday, April 10th, 5-7PM
 +
 
 +
'''Sponsor:''' [http://www.ddifrontline.com/ Digital Defense]
 +
 
 +
Founded in 1999, Digital Defense, Inc. (DDI) is a premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. DDI’s dedicated team of experts helps organizations establish a culture of security through regular information security assessments, awareness education and decisive security intelligence. This proven method bolsters the capability to reduce risk and keep assets and reputations secure. The combination of DDI’s certified security analysts, patent-pending technology and proprietary cloud-based vulnerability management system, Frontline™ Solutions Platform, delivers one of the most powerful assessment results and remediation management solutions available.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin March Chapter Meeting - March 25th ===
 +
 
 +
'''Title:''' Hacking Exposed: Mobile Edition
 +
 
 +
'''Abstract:''' Mobile is living up to the hype as the next great technology shift, rivaling the Internet in its game-changing impact. Of course, with great change comes potential risk - is there a magic bullet to secure the adoption of mobile everywhere? Cigital presents the latest mobile app security trends based on our recent book, Hacking Exposed: Mobile.
 +
 
 +
'''Speaker:''' Joel Scambray, CISSP, is a Managing Principal at Cigital, a leading software security consulting firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 address information security challenges and opportunities for nearly twenty years, in diverse roles including consultant, author and speaker, corporate leader, and entrepreneur. He is widely recognized as co-author of the best-selling Hacking Exposed book series, and has worked/consulted for companies including Microsoft, Amazon, Costco, Foundstone/McAfee, and Ernst & Young.
 +
 
 +
'''Video Archive:''' https://vimeo.com/90822991
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by Sourcefire/Cisco - March 19th ===
 +
'''When:''' Wednesday, March 19th 5pm-8pm
 +
 
 +
'''Where:''' Wingate by Wyndham
 +
1209 N. Interstate Highway 35
 +
Round Rock, TX 78664
 +
 
 +
'''Sponsor: Sourcefire/Cisco'''
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin February Chapter Meeting - February 25th ===
 +
 
 +
'''Title:''' Magical Code Injection Rainbow
 +
 
 +
'''Abstract:''' There are many intentionally vulnerable web applications available for people to learn how to exploit various types of flaws. Unfortunately, many of them have only the most basic and easily exploited examples of flaws. In order to work with a more complex version of a flaw, it's usually necessary to write your own vulnerable application or modify an existing one.
 +
There is another option! The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerable applications. This presentation will demonstrate the use of the existing MCIR applications such as SQLol (for SQL injection) and XMLmao (for XML and XPath injection), teach advanced exploitation techniques in SQL injection; XPath injection; cross-site scripting; and shell command injection, discuss the exploitation of insecure cryptosystems and discuss how to use the MCIR framework to build your own configurable vulnerable application.
 +
 
 +
'''Speaker:'''  Daniel Crowley (aka "unicornFurnace") is a Senior Security Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie. Daniel also holds the title of Baron in the micronation of Sealand.
 +
 
 +
'''Video Archive:''' https://vimeo.com/90822990
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by SafeNet - February 20th ===
 +
'''When:''' Thursday, February 20th, 5pm-7pm
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill, 183 & Burnet
 +
 
 +
'''Sponsor: SafeNet''' 
 +
 
 +
Founded in 1983, '''SafeNet, Inc.''' is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe.  SafeNet’s data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud.  More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== OWASP Austin January Chapter Meeting - January 28th ===
 +
'''Chapter meeting canceled due to icy conditions.'''
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
=== Austin Security Professionals Happy Hour sponsored by F5 - January 9th ===
 +
'''When:''' Thursday, January 9th, 5pm-7pm
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill, 183 & Burnet
 +
 
 +
'''Sponsor: F5''' 
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
 +
==2013==
 +
----
 +
 
 +
=== OWASP Austin Chapter - December 2013 ===
 +
No Meeting, Happy Holidays!
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour - December 2013 ===
 +
No Happy Hour, Happy Holidays!
 +
 
 +
 
 +
=== OWASP Austin Chapter - November 2013 ===
 +
No Meeting
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour - November 2013 ===
 +
No Happy Hour, Recovery from LASCON
 +
 
 +
 
 +
=== LASCON 2013, October 24th & 25th ===
 +
Did you miss it?
 +
http://www.lascon.org
 +
 
 +
 
 +
=== OWASP Austin September Chapter Meeting- September 24th ===
 +
 
 +
'''Title:''' Bridging the gap between development cloud networks and our corporate identity management strategy.  Oh and adding visibility/credibility to our IT shop.
 +
 
 +
'''Speakers:''' Jay Paz (Staff Security Engineer) and Justine Reneau (Senior Systems Administrator) from Bazaarvoice
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''When:''' Tuesday, September 24th from 11:30am to 1:00pm
 +
 
 +
'''RSVP:'''http://owaspaustinsept.eventbrite.com/?s=17712853
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour, Sponsored by Sourcefire ===
 +
 
 +
'''When:''' Thursday, September 12th, 5pm-7pm
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill, 183 & Burnet
 +
 
 +
'''Sponsor: Sourcefire''' 
 +
 
 +
'''RSVP:'''http://sec-happyhr.eventbrite.com/?s=16936345
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:''' Tuesday, August 27th, from 11:30am-1:00pm
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Static Code Analysis: Is it safe to go back in the water?
 +
 
 +
'''Speakers:''' Art Dahnert and Joel Scambray 
 +
 
 +
'''RSVP:'''  http://owaspaustinaug.eventbrite.com/?s=16906987
 +
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Thursday, August 15th, from 5:00pm - 7:00pm
 +
 
 +
'''Where:''' Sherlock's Baker Street Pub and Grill, 183 and Burnet.
 +
 
 +
'''Our Sponsor:''' Critical Start, Mobile Iron, and OpenDNS!
 +
 +
'''RSVP:'''  http://augustsec.eventbrite.com/?s=16703579
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:''' Tuesday, July 30th, from 11:30am-1:30pm
 +
 
 +
'''Where:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''Title:''' Testing at Cloud Speed:  Security Gone Agile
 +
 
 +
'''Speaker:'''Matt Tesauro
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Thursday, July 11th, from 5:00pm - 7:00pm
 +
 
 +
'''Where:''' Sherlock's Baker Street Pub and Grill, 183 and Burnet.
 +
 
 +
'''What:''' The Austin Security Professionals Happy Hour is a monthly event coordinated between the Austin ISSA and OWASP Chapters to provide security professionals an opportunity to network and have a good time!
 +
 
 +
'''Our Sponsor:''' Security Innovation
 +
 
 +
'''RSVP:'''  http://julysecurity.eventbrite.com/?s=15640627
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Thursday, June 13th, from 5-7 pm
 +
 
 +
'''What:''' Austin Security Professionals Happy Hour Sponsored by 21CT
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill.
 +
 
 +
'''RSVP:'''  http://junesecurity.eventbrite.com/?s=14912917
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
'''When:'''Thursday, May 28th, from 11:30a - 1:00pm
 +
 
 +
'''What:'''OWASP Austin Chapter Meeting
 +
 
 +
'''Who:'''Dustin Kirkland, Gazzang.com
 +
 
 +
'''RSVP:'''https://www3.gotomeeting.com/register/813351094
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Thursday, May 9th, from 5-7 pm
 +
 
 +
'''What:''' Austin Security Professionals Happy Hour Sponsored by Trustwave Spiderlabs
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill.
 +
 
 +
'''RSVP:'''  http://aprilsecurity.eventbrite.com/?s=13502311
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:'''Tuesday, April 30th, from 11:30am - 1:00pm
 +
 
 +
'''What:'''OWASP Austin Chapter Meeting
 +
 
 +
'''Who:'''Neil Matatall, Twitter
 +
 
 +
'''RSVP:'''http://owaspaustinmarch.eventbrite.com/?s=13784243
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Tuesday, April 11th, from 5-7 pm
 +
 
 +
'''What:''' Austin Security Professionals Happy Hour Sponsored by Trustwave Spiderlabs
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill.
 +
 
 +
'''RSVP:'''  http://aprilsecurity.eventbrite.com/?s=13502311
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:'''March 26th from 11:30am - 1:00pm
 +
 
 +
'''What:'''OWASP Austin Chapter Meeting
 +
 
 +
'''Topic:'''Why UPnP is Awesome and Terrifying
 +
 
 +
'''Who:'''Dan Crowley
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/5856381595/eorgf
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:''' Tuesday, February 19th, from 5-7 pm
 +
 
 +
'''What:''' Austin Security Professionals Happy Hour Sponsored by Rapid 7
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill.
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/5855308385
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:'''February 26th from 11:30a - 1:00p
 +
 
 +
'''What:'''OWASP Austin Chapter Meeting
 +
 
 +
'''Topic:''' big data real-time security analytics
 +
 
 +
'''Who:''' Lars Ewe
 +
 
 +
'''RSVP:'''http://owasp-feb.eventbrite.com/
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
 
 +
'''When:'''Thursday, February 21st, from 5-7pm
 +
 
 +
'''What:'''Austin Security Professionals Happy Hour Sponsored by SOS Security and Palo Alto Networks
 +
 
 +
'''Where:''' Sherlocks Baker Street Pub and Grill.
 +
 
 +
'''RSVP:'''http://infosecfeb.eventbrite.com/
 +
 
 +
 
 +
=== August OWASP Austin Chapter Meeting ===
 +
 
 +
'''When:''' January 29th from 11:30a - 1:00p
 +
 
 +
'''What:''' OWASP Austin Chapter Meeting
 +
 
 +
'''Topic:''' Data events, or why security is cloudier than you think.
 +
 
 +
'''Who:''' Wendy Nather
 +
 
 +
'''Cost:''' Free, of course
 +
 
 +
'''Food:''' Oh yeah, Taco Deli time!
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''RSVP:''' http://owaspjanuary.eventbrite.com/
 +
 
 +
 
 +
=== Austin Security Professionals Happy Hour ===
 +
'''When''' January 17th, 5:00pm - 7:00pm
 +
 
 +
'''What''' Austin Security Professionals Happy Hour, Sponsored by Trusteer
 +
 
 +
'''Where''' Sherlocks
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
 +
==2012==
 +
----
 +
 
 +
'''When:''' September 25th, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Vulnerability Spidey Sense (Sponsored by SolarWinds)
 +
 
 +
'''Who:''' Daniel Crowley and Chris Vinecombe
 +
 
 +
'''Synopsis:'''This talk will cover scenarios which raise red flags for us, why, and how to develop your own sense of intuition.
 +
 
 +
'''Cost: Free'''
 +
 
 +
''':RSVP: http://www.eventbrite.com/event/4319523812'''
 +
 
 +
----
 +
'''When:''' September 13th, 5:00pm-7:00pm
 +
 
 +
'''What: ''' Austin Security Professionals Happy Hour, Sponsored by Mandiant
 +
 
 +
'''Where: ''' Sherlocks
 +
----
 +
 
 +
'''When:''' August 28th, from 11:30a-1:00pm
 +
 
 +
'''Topic:''' OAUTH 2.0 Security
 +
 
 +
'''Who:''' Tom Brown develops user-centric identity software with Ruby, contributes to the opentransact protocol and participates at the Internet Identity Workshop.  Tom has contributed code for federated and delegated identity to several open source projects as herestomwiththeweather on github.  Prior, Tom developed network and  security code for companies including VXtreme, Microsoft, Yodlee, WholeSecurity and BiometricAccess.
 +
 
 +
'''Cost:''' Free, of course
 +
 
 +
'''Food:''' Oh yeah, Taco Deli time!
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/4064986484
 +
 
 +
 
 +
----
 +
 
 +
 
 +
'''When:''' August 9th, 5:00pm-7:00pm
 +
 
 +
'''What: ''' Austin Security Professionals Happy Hour, Sponsored by Slait Consulting.
 +
 
 +
'''Where: ''' Sherlocks
 +
 
 +
----
 +
 
 +
'''When:''' July 31st, 11:30am - 1:00pm
 +
 
 +
'''Topic:''' Lighting Talks
 +
 
 +
'''Who:''' Doug Landoll,Matt Malone, Shared Secrets-David Hughes,The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems - Josh Sokol (@joshsokol),WAF evasion with SSL - David Lister,Phil Beyer (@pjbeyer),#securityisms - The Real APT! - Brian Engle (@brainaengle),Re-integration: Don't fear closed systems - Michael Cote (@cote),Selling Security - Bill Kasper (aka The Hacker Vaccine) (@hackervaccine),Be mean to your code! - James Wickett (@wickett),Implementing Social Sign On(SSO+) in an Large Enterprise Single Sign On(SSO) Ecosystem - Jay Hook
 +
 
 +
'''Synopsis:''' A collection of 5 minute talks by various OWASP members. 20 slides, 15 seconds each.
 +
 
 +
'''Cost:''' Free, of course
 +
 
 +
'''Food:''' Oh yeah, Taco Deli time!
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/3873941062
 +
 
 +
----
 +
'''When:''' July 12th, 5:00pm-7:00pm
 +
 
 +
'''What: ''' Austin Security Professionals Happy Hour, Sponsored by Security Innovation.
 +
 
 +
'''Where: ''' Sherlocks
 +
----
 +
 
 +
'''When:''' June 26th, from 11:30a-1:00pm
 +
 
 +
'''Topic:''' Measuring the Root Shell Index
 +
 
 +
'''Who:'''HD Moore
 +
 
 +
'''Synopis:''' Determining the realistic scope of a particular advisory or vulnerability using large scale reconnaissance with analytics.
 +
 
 +
'''Cost:''' Free, of course
 +
 
 +
'''Food:''' Oh yeah, Taco Deli time!
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building C
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/3697966718
 +
 
 +
----
 +
 
 +
'''When:''' June 14th, 5:00pm-7:00pm
 +
 
 +
'''What: ''' Austin Security Professionals Happy Hour, Sponsored by WhiteHat Security.
 +
 
 +
'''Where: ''' Sherlocks
 +
 
 +
----
 +
 
 +
'''When:''' May 29th, 1:00pm-5:00pm
 +
 
 +
'''Topic:'''Secure Coding BootCamp
 +
 
 +
'''Who:''' Jim Manico
 +
 
 +
'''Synopsis:'''This bootcamp provides essential web application security training for web application software developers and architects. The class is a combination of lecture and code review. Participants will not only learn the most common threats against web applications, but more importantly they will learn how to also fix the problems via control-based defensive code samples and review. Topics such as Authentication, Access Control, Crypto, Cross Site Request Forgery, Cross Site Scripting, Injection Defense, Clickjacking Defense, Session Management and other topics will be addressed from a defensive point-of-view.
 +
 
 +
'''Cost:''' Free
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building
 +
 
 +
'''RSVP:'''http://www.eventbrite.com/event/3418744557
 +
----
 +
'''When:''' May 29th, 11:30am-1:00pm
 +
 
 +
'''Topic:''' Closing the window of opportunity"
 +
 
 +
'''Who:''' Jim Manico and Siri De Licori of WhiteHat Security
 +
 
 +
'''Synopsis:'''Closing the window of opportunity” and will be discussing the state of web application security based on recent statistics drawn from WhiteHat’s database of thousands of sites under service and the characteristics of a program that can help organizations develop a strong web security posture and reduce or eliminate the opportunities attackers have to compromise their applications.
 +
 
 +
 
 +
'''Cost:''' Free, of course
 +
 
 +
'''Food:''' Oh yeah, Taco Deli time!
 +
 
 +
'''Location:''' National Instruments, 11500 N. Mopac.Building
 +
 
 +
'''RSVP:''' http://www.eventbrite.com/event/3418570035
 +
----
 +
 
 +
'''When:''' May 10th, 5:00pm-7:00pm
  
'''Topic: ''' Enterprise Application Security Practices: Real-world Tips and Techniques
+
'''What: ''' Austin Security Professionals Happy Hour, May 10th, Sponsored by Rapid7.
  
How can you re-energize your company’s or institution’s commitment to secure development practices as part of the SDLC, while keeping costs in check? Dell's Security Consulting team created an application security practice with the help of several internal teams in legal, enterprise architecture, vendor management, privacy, compliance, and network engineering. Team members Addison Lawrence, Chad Barker, and Mike Craigue will discuss some of the challenges and opportunities they have faced over the last three years, ramping from 27 project engagements in 2007, to 726 project engagements in 2009. In this session, we will discuss the creation of policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. Also included: awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, penetration testing, exception management, and executive escalations. Tell us what we might do to improve our program and increase our effectiveness; discuss how you could adapt parts of this approach to your own program.
+
'''Where: ''' Sherlocks
 +
----
  
'''Who:''' Addison Lawrence, Chad Barker, and Mike Craigue (Dell, Inc.)
+
'''When:''' April 24th, 11:30a-1:00pm
  
Addison Lawrence has 10 years of experience at Dell with leadership responsibilities in database and data warehouse security, PCI, SOX, and Dell Services security.  He is a part of the Cloud Security Alliance team developing their Controls Matrix.  Previously he worked for 13 years at Mobil Oil (now ExxonMobil) as a software developer and DBA.  He holds an MBA from Texas A&M University and a BS in Computer Science from Texas A&M-Corpus Christi, and is a certified CISSP.
+
'''Topic: ''' Anatomy of Advanced Email Attacks (Aaron Estes, Cigital)
  
Chad has worked at Dell for 10 years primarily in software development. Chad has led global development standardization initiatives including release management automation and static source code analysis. He holds a BS in Information Systems from the University of Texas at Arlington.
+
Abstract:  Email attacks comprise an overwhelming majority of the daily attacks on modern enterprise. The leading mitigation strategy is a combination of user awareness training and email filtering. This talk outlines a proposed solution that brings email risk and awareness information down to the client level in order to better equip end users in making secure decisions when using email.
  
Before joining Dell’s information security team 5 years ago, Mike worked as a database and web application developer at Dell and elsewhere in central Texas. He’s responsible for Dell’s application security strategy globally, and focuses primarily on Dell’s ecommerce site. He holds a PhD in Higher Education Administration / Finance from the University of Texas-Austin, and has the CISSP and CSSLP certifications.
+
Anti-spam capabilities have been incorporated into email client applications for some time now.  These are usually in the form of junk boxes or email filters that attempt to identify spam or other unwanted email.  Most anti-spam clients use bayesian filtering to determine whether an email is spam or not spam, typically using word combinations and statistical analysis to make a determination.  Many experts also advise wary email users to examine the raw email headers in order to attempt to find evidence of an email attack. While this is not bad advise, it is however a highly technical process and one cannot expect the majority of email users to be able to carry out and act upon this advice.  This is the problem that the proposed Advanced Email Risk Classification and Recipient Decision Assistance solution attempts to solve.  The operating name for this solution is Phish Finder.
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels)There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''Who: ''' Aaron Estes, Cigital
 +
 
 +
Aaron Estes came to Cigital from Lockheed Martin where he spend 10 years in the software engineering and security engineering fields. He began his information security career as a system security engineer on the F-35 programAaron has spent the last 5 years as a security engineer and penetration tester for Lockheed Martin Enterprise Business Services specializing in application penetration testing and user awareness/social engineering testing. Aaron is also a professor at Southern Methodist University in Dallas where he teaches senior and graduate level security courses. He has nearly completed his Doctor of Engineering in Software Engineering at Southern Methodist University, has a Masters in Software Engineering from Southern Methodist University and has a Bachelors in Computer Science from University of Texas. Aaron is a Certified Information System Security Professional.
  
 
'''Cost:''' Always Free
 
'''Cost:''' Always Free
  
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.
+
'''RSVP:''' http://www.eventbrite.com/event/3182987401
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
'''When:''' June 14th, 5:00pm-7:00pm
  
 +
'''What: ''' Austin Security Professionals Happy Hour, May 10th, Sponsored by WhiteHat Security.
 +
 +
'''Where: ''' Sherlocks
 
----
 
----
 +
'''When:''' May 29th, from 11:30a-1:00pm
 +
----
 +
 +
'''Topic: ''' Closing the window of opportunity"(Jim Manico and Siri De Licori of WhiteHat Security)
 +
 +
Abstract:Closing the window of opportunity” and will be discussing the state of web application security based on recent statistics drawn from WhiteHat’s database of thousands of sites under service and the characteristics of a program that can help organizations develop a strong web security posture and reduce or eliminate the opportunities attackers have to compromise their applications.
 +
 +
This will be a product agnostic presentation, of course, though we will be using WhiteHat data (along with Jim’s long experience) to present the problems we see and how we can go about solving them.
  
'''When:''' April 22, 2010, 5:00pm - 7:00pm
+
'''Who: Jim Manico and Siri De Licori of WhiteHat Security'''
  
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Fortify)
+
Siri De Licori is a Product Manager for WhiteHat Security.  He led the development of a pre production Dynamic Analysis Software Testing (DAST) service line, and is working to bring out product enhancements which take greater advantage of WhiteHat’s historical scanning and vulnerability data and integrates DAST and SAST results.  He has also worked with Jeremiah to produce statistics for a number of his quarterly reports and whitepapers.
  
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
+
Siri comes from a background of 10 years of development.  He worked with a small software company working on an early rapid application development tool that produced code from UML diagrams, a small nonprofit on a tool to permit English and Chinese speakers to study the bible in its original tongues without learning those ancient languages, and a couple Fortune 500 companies helping them process, utilize, and analyze their financial data.  Before being recruited into product management he specialized in building database systems and data analytics.
 +
 
 +
Siri works at WhiteHat’s home office in Santa Clara and lives in San Francisco.
 +
 
 +
Jim Manico is the VP of Security Architecture for WhiteHat Security. Jim is part of the WhiteHat Static Analysis Software Testing (SAST) team, leading the data-driven, Web service portion of the SAST service. He also provides secure coding and developer awareness training for WhiteHat using his 7+ years of experience delivering developer-training courses for SANS, Aspect Security and others.
 +
 +
Jim brings 15 years of database-driven Web software development and analysis experience to WhiteHat. He has helped deliver Web-centric software systems for Sun Microsystem, Fox Media (MySpace), several Fortune 500's, and major NGO financial institutions. He holds expertise in a variety of areas, includingWeb-based J2EE development, thick-client and applet-based Java applications, hybrid Java, C++ and Flash applications, Web-based PHP applications, rich-media Web applications using advanced Ajax techniques, Python REST Webservice development, and Database technology using Oracle, MySQL and Postgres.
 +
 +
A host of the OWASP Podcast Series, Jim is the committee chair of the OWASP Connections Committee and is a significant contributor to various OWASP projects.
 +
 +
Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.
 +
 
 +
'''Cost:''' Free
 +
 +
'''RSVP:''' http://www.eventbrite.com/event/3418570035
  
 
----
 
----
  
'''When:''' April 27, 2010, 11:30am - 1:00pm
 
  
'''Topic: ''' Automated vs. Manual Security: You can't filter The Stupid
+
'''When:''' May 10th, 5:00pm-7:00pm
 +
 
 +
'''What: ''' Austin Security Professionals Happy Hour, May 10th, Sponsored by Rapid7.
  
Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.
+
'''Where: ''' Sherlocks
 +
----
  
 +
'''When:''' April 24th, 11:30a-1:00pm
  
Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.
+
'''Topic: ''' Anatomy of Advanced Email Attacks (Aaron Estes, Cigital)
  
'''Who:''' Charles Henderson (Trustwave)
+
Abstract: Email attacks comprise an overwhelming majority of the daily attacks on modern enterprise.  The leading mitigation strategy is a combination of user awareness training and email filtering.  This talk outlines a proposed solution that brings email risk and awareness information down to the client level in order to better equip end users in making secure decisions when using email.
  
Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.  
+
Anti-spam capabilities have been incorporated into email client applications for some time now.  These are usually in the form of junk boxes or email filters that attempt to identify spam or other unwanted email.  Most anti-spam clients use bayesian filtering to determine whether an email is spam or not spam, typically using word combinations and statistical analysis to make a determination.  Many experts also advise wary email users to examine the raw email headers in order to attempt to find evidence of an email attack. While this is not bad advise, it is however a highly technical process and one cannot expect the majority of email users to be able to carry out and act upon this advice.  This is the problem that the proposed Advanced Email Risk Classification and Recipient Decision Assistance solution attempts to solve.  The operating name for this solution is Phish Finder.
 +
 
 +
'''Who: ''' Aaron Estes, Cigital
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels)There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
Aaron Estes came to Cigital from Lockheed Martin where he spend 10 years in the software engineering and security engineering fields. He began his information security career as a system security engineer on the F-35 programAaron has spent the last 5 years as a security engineer and penetration tester for Lockheed Martin Enterprise Business Services specializing in application penetration testing and user awareness/social engineering testing. Aaron is also a professor at Southern Methodist University in Dallas where he teaches senior and graduate level security courses. He has nearly completed his Doctor of Engineering in Software Engineering at Southern Methodist University, has a Masters in Software Engineering from Southern Methodist University and has a Bachelors in Computer Science from University of Texas. Aaron is a Certified Information System Security Professional.
  
 
'''Cost:''' Always Free
 
'''Cost:''' Always Free
  
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.
+
'''RSVP:''' http://www.eventbrite.com/event/3182987401
 +
 
 +
'''When:'''April 19th, from 5pm-7pm
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
'''What: ''' Austin Security Professionals Happy Hour, April 19th, Sponsored by Robert Half International.
  
== Future Speakers and Events ==
+
'''Where: Sherlocks'''
  
April 22, 2010 - Austin Security Professionals Happy Hour (Sponsored by Fortify)
+
----
  
April 27, 2010 - Automated vs. Manual Security: You can't filter The Stupid (@National Instruments)
+
'''When:''' March 27th, 1:00pm-5:00pm
  
May 20, 2010 - Austin Security Professionals Happy Hour (Sponsored by BlueCoat)
+
We will be writing Cucumber acceptance and security tests while we build an app as a group.  In the lab, we will have several groups working together writing cucumber tests and code along the way.  Even if you are not a developer or security expert, this event is for you.
  
May 25, 2010 - Attacking Intranets from the Web Using DNS Rebinding (@ National Instruments)
+
'''Who: ''' Mani Tadayon and Tin Zaw
  
June 17, 2010 - Austin Security Professionals Happy Hour (Sponsored by WhiteHat Security)
+
At AT&T Interactive, Mani is part of the team responsible for YP.com. Mani studied foreign languages at UC Berkeley, computer science at Cal State Hayward and is now a graduate student in Geography at Cal State Northridge. He has been developing web applications using open source tools for over 10 years. Currently, his focus is on behavior-driven development with Ruby.
  
June 29, 2010 - Suggest a Topic (@ National Instruments)
+
Tin is currently the president of OWASP Los Angeles chapter. During day time, he works with Mani at AT&T Interactive as an application security architect. Before AT&T, he worked as a software engineer, manager and researcher at QUALCOMM, Inktomi (now Yahoo!), Symantec, MySpace and a Sequoia funded Internet infrastructure startup.Tin holds CISSP and CSSLP certifications from (ISC)2, MS in Computer Science from University of Southern California, and working on an MBA from USC.
  
July 15 2010 - Austin Security Professionals Happy Hour (Sponsored by Praetorian Group)
+
'''Cost:'''  Free, but limited to 30 seats.
  
July 27, 2010 - Suggest a Topic (@ National Instruments)
+
'''RSVP:''' http://www.eventbrite.com/event/3183041563
  
August 12, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour
+
----
  
August 31, 2010 - Suggest a Topic (@ National Instruments)
+
'''When:''' March 27th, 11:30a-1:00pm
  
September 16, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour
+
'''Topic: ''' Cucumber and friends: tools for security that matters
  
September 28, 2010 - Suggest a Topic (@ National Instruments)
+
Behavior-Driven Development (BDD) helps focus software development on delivering prioritized, verifiable business value by providing a common vocabulary that spans the divide between Business and Technology. Cucumber is a widely used tool in Ruby community for implementing BDD and it executes plain-text functional descriptions as automated tests. In this talk, Mani and Tin will discuss how Cucumber and related tools can be used to define and verify security features that matter in software.
  
October 14, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour
+
'''Who: ''' Mani Tadayon and Tin Zaw
  
October 26, 2010 - Suggest a Topic (@ National Instruments)
+
At AT&T Interactive, Mani is part of the team responsible for YP.com. Mani studied foreign languages at UC Berkeley, computer science at Cal State Hayward and is now a graduate student in Geography at Cal State Northridge. He has been developing web applications using open source tools for over 10 years. Currently, his focus is on behavior-driven development with Ruby.
 +
 
 +
Tin is currently the president of OWASP Los Angeles chapter. During day time, he works with Mani at AT&T Interactive as an application security architect. Before AT&T, he worked as a software engineer, manager and researcher at QUALCOMM, Inktomi (now Yahoo!), Symantec, MySpace and a Sequoia funded Internet infrastructure startup.Tin holds CISSP and CSSLP certifications from (ISC)2, MS in Computer Science from University of Southern California, and working on an MBA from USC.
 +
 
 +
'''Cost:''' Always Free
  
November 2010 - No Meeting (Happy Holidays!)
+
'''RSVP:''' http://www.eventbrite.com/event/3147433057
  
December 2010 - No Meeting (Happy Holidays!)
+
----
  
==== Record Hall of Meetings ====
 
  
'''When:''' March 18, 2010, 5:00pm - 7:00pm
+
'''When:''' March 8, 2012, 5:00pm - 7:00pm  
  
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Denim Group)
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Fireeye)  
  
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
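Review bot: The added 2013 section reuses the heading `=== August OWASP Austin Chapter Meeting ===` for entries dated July 30th, May 28th, April 30th, March 26th, February 26th and January 29th, so the page ends up with seven "August" meeting headings that cannot be told apart in the table of contents or by section anchor; rename each heading to the month of its own '''When:''' line. In the same section the "Tuesday, April 11th" happy hour carries the same sponsor text and RSVP link (http://aprilsecurity.eventbrite.com/?s=13502311) as the May 9th entry, which looks like a copy-paste leftover and should be checked against the actual schedule. In the added 2012 section the June 14th, May 29th, May 10th and April 24th entries each appear twice (once in the short When/Topic/Who layout and again with the full abstracts and bios), and the second June 14th entry still reads "Austin Security Professionals Happy Hour, May 10th, Sponsored by WhiteHat Security"; keep one copy of each entry and correct the date in that line.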
Line 102: Line 2,109:
 
----
 
----
  
'''When:''' February 23, 2010, 11:30am - 1:00pm  
+
'''When:''' February 28, 2012, 11:30am - 1:00pm  
  
'''Topic: ''' Advanced Persistent Threat - What Does it Mean for Application Security?
 
  
Targeted attacks, slow moving malware, foreign intelligence/government sponsored hackers, corporate/industrial espionage – all fun and games? Not really. These vectors are occurring today, and the threat vector has bled into the application space.  What do you have to contend with once it passes through the firewall.
+
'''Topic: ''' Testing From the Cloud: Is the Sky Falling?
 +
 +
More and more IT is being moved to the cloud, why shouldn't your testing
 +
move there too? This talk will cover what it takes to take your testing
 +
tools from your laptop to the cloud using new features of the OWASP Web
 +
Testing Environment (WTE). WTE allows you to create custom installations
 +
of application security tools in the cloud on demand. Has your IP been
 +
shunned? No problem, kill that cloud instance and startup another. Is
 +
your life as mobile as your phone? No problem, a laptop + Internet =
 +
access to all your favorite tools from anywhere. Multiple clients? No
 +
problem, start an an instance for each one. By the end of this talk,
 +
you'll know all you need to fire up an cloud instance with all of your
 +
favorite tools and start having fun.
 +
  
'''Who:''' Matt Pour (Blue Coat Systems)
+
'''Who:''' Matt Tesauro (Rackspace)
  
Matt is a Systems Engineer for Blue Coat Systems. Utilizing over ten years of information security experience, Matt provides subject matter expertise of ensuring security effectiveness while addressing business controls and requirements to a multitude of industries regardless of size and scope. Previous to Blue Coat Systems, Matt Pour was a Security Solutions Architect and X-Force Field Engineer for IBM ISS.
+
Matt is currently on the board of the OWASP Foundation and highly
 +
involved in many OWASP projects and committees. Matt is the project
 +
leader of the OWASP WTE (Web Testing Environment) which is the source of
 +
the OWASP Live CD Project and Virtual Machines pre-configured with tools
 +
and documentation for testing web applications. Industry designations
 +
include the Certified Information Systems Security Professional (CISSP)
 +
and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics
 +
and a M.S in Management Information Systems from Texas A&M University.
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
 
  
 
'''Cost:''' Always Free
 
'''Cost:''' Always Free
  
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.
+
'''RSVP:''' http://www.eventbrite.com/event/2967474797
 +
----
 +
 
 +
 
 +
'''Topic: Half-Day Threat Modeling Seminar with John Steven of Cigital'''
 +
 
 +
How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management.
 +
 
 +
Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate an application resists specified attack.
 +
 
 +
'''Who:''' John Steven(Cigital)
 +
 
 +
John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
 +
 
 +
'''Where:''' Microsoft Technology Center, Quarry Oaks 2, 10900 Stonelake Blvd
 +
 
 +
'''When:''' February 9th, from 1:00pm to 4:30pm
 +
 
 +
'''Cost:'''
 +
 
 +
The cost is free, but seating is limited, so register soon at the below link!
 +
 
 +
http://austinthreatmodel2012.eventbrite.com/
 +
 
 +
 
 +
----
 +
 
 +
'''When:''' February 9th, 2012, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Cigital)
 +
 
 +
'''Where:''' Weirdos
 +
 
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
 +
==2011==
 +
----
 +
 
 +
'''When:''' October 28, 2011, 8:00am - 5:00pm
 +
 
 +
'''Topic: ''' Lonestar Application Security Conference (LASCON)
 +
 
 +
'''Who Should Attend LASCON 2011:'''
 +
 
 +
*Application Developers
 +
*Application Testers and Quality Assurance
 +
*Application Project Management and Staff
 +
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
 +
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
 +
*Security Managers and Staff
 +
*Executives, Managers, and Staff Responsible for IT Security Governance
 +
*IT Professionals Interested in Improving IT Security<br>
 +
 
 +
'''Where:''' Norris Conference Center, Austin, TX
 +
 
 +
----
 +
 
 +
'''When:''' September 29, 2011, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by HP/Fortify)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 +
 
 +
----
 +
 
 +
'''When:''' September 27, 2011, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' STAAF: A FLOSS Framework for Scalable and Sharable Android App Analysis
 +
 
 +
With no end of Android malware anywhere in sight, it’s no wonder that so many Android analysis tools have been released lately.  While each of these powerful tools makes great strides in finding artifacts in an individual application, they’re typically not designed to scale beyond a few thousand selected samples at most.  In order to effective insight into android applications researchers need to be be able to analyze a substantial subset of the 300k+ applications in the official store, all of the applications across the disparate unofficial Android stores and repositories, as well as ad-hoc manually-submitted applications.  This was the motivation for STAAF, a Scalable Tailored Application Analysis Framework.  STAAF was designed to allow an analyst to easily add/remove/configure various analysis modules, then process large numbers of applications at once or over time, then share the raw data, processed data, and results with other organizations.  In this presentation I’ll cover the STAAF Architecture, the current status and available implementation, and if circumstances permit, show a quick demo with a handful of applications.
 +
 
 +
'''Who:''' Ryan Smith (Praetorian)
 +
 
 +
At Praetorian, Ryan's current focus is on the development of technology and systems in support of computer network defense, attack, and exploitation. Prior to joining Praetorian, Ryan Smith was an Associate Staff member of the Information Systems Technology Group at MIT Lincoln Laboratory. His previous work at Lincoln Labs was in the code analysis group, in which he focused on the development of a prototype tool to automate the malware analysis process using information flow and virtual machine introspection. Prior to Lincoln Laboratory, Mr. Smith worked at 21st Century Technologies and Applied Research Labs in Austin, TX, and PricewaterhouseCoopers in Dallas, TX. Previous work has included graph-based network attack correlation, steganography, netflow traffic analysis, vulnerability and risk analysis, and identity management.
 +
 
 +
Ryan has been an active member of the Honeynet Project since 2002, in which he participated in the testing and development of various honeynet technologies, and was invited to give several talks on the usefulness of honeynets for strengthening network security as well as research. While at the University of Texas, Ryan was the head of the local information security group on campus, and the organizer of the local cyber "capture the flag" exercise. As a result of this position, he was invited to a NFS funded workshop to determine the efficacy of a National Collegiate Cyber Defense Exercise, and subsequently assisted in the organization of the inaugural Collegiate Cyber Defense Competition, which now hosts over 50 Universities in 8 regional qualifiers and a finalist round in San Antonio. While at the University of Texas, Ryan also led a team of graduate students to design and implement a prototype of an automated polymorphic shellcode analyzer to extract the system calls and parameters of arbitrarily obfuscated Windows shellcode.
 +
 
 +
Industry designations include the Certified Information Systems Security Professional (CISSP). Ryan received a B.S in Electrical Engineering from The University of Texas in Austin, where he focused on information assurance and network communications. Ryan received a M.S. in Security informatics from Johns Hopkins, where he focused on network and systems security as well as privacy and technical public policy.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
 +
 
 +
'''Cost:''' Always Free
 +
 
 +
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.
 +
 
 +
[http://www.eventbrite.com RSVP on Eventbrite]
 +
 
 +
----
 +
 
 +
'''When:''' August 30, 2011, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data Exfiltration
 +
 
 +
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
 +
 
 +
In this session we will cover:
 +
 
 +
* Prevalence of backdoors and malicious code in third party attacks
 +
 
 +
* Definitions and classifications of backdoors and their impact on your applications
 +
 
 +
* Methods to identify, track and remediate these vulnerabilities
 +
 
 +
'''Who:''' Joe Brady (Veracode)
 +
 
 +
Joe Brady is a Senior Solutions Architect at Veracode with over 25 years of experience in software application development and security. His professional experience includes advising customers on data at rest encryption solutions at Credant Technology, IT risk and portfolio management at Prosight (now Oracle), and application software development as a consultant and software development manager for various companies. Joe began programming as a physics undergrad and developed early microprocessor based instrumentation at Cornell, where he received a Master of Science degree in Applied and Engineering Physics. He has had an interest in software security, and backdoors in particular, since reading “Reflections on Trusting Trust” by Ken Thompson where he describes planting what we now call a backdoor in the UNIX compiler.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
 +
 
 +
'''Cost:''' Always Free
 +
 
 +
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.  
 +
 
 +
[https://www.owasp.org/images/a/a4/Protecting_Your_Applications_From_Backdoors.pdf Protecting Your Applications From Backdoors]
 +
 
 +
----
 +
 
 +
'''When:''' August 18, 2011, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Set Solutions)
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
 
----
 
----
  
'''When:''' February 11, 2010, 5:00pm - 7:00pm
+
'''When:''' July 14, 2011, 5:00pm - 7:00pm  
  
'''What: '''Austin Security Executives Happy Hour (Sponsored by WhiteHat Security)
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by BlueCoat)  
  
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
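Review bot: the added Half-Day Threat Modeling Seminar entry gives "'''When:''' February 9th, from 1:00pm to 4:30pm" with no year, and orders its fields Topic, Who, Where, When. Every other entry leads with a dated '''When:''' line, so add the year and move the line to the top of the entry, so the archive stays sortable by date. In the same hunk, the September 27, 2011 entry's "[http://www.eventbrite.com RSVP on Eventbrite]" points at the Eventbrite home page rather than an event URL, unlike the June 28, 2011 entry. Either link the actual event or drop the link for a past meeting. The February 28, 2012 abstract and bio are also hard-wrapped into many short lines, which will make later diffs of this section noisy; joining each paragraph onto one line would match the other entries.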
Line 130: Line 2,274:
 
----
 
----
  
'''When:''' January 26, 2010, 11:30am - 1:00pm  
+
'''When:''' June 28, 2011, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Introduction to the OWASP Secure Coding Practices Quick Reference Guide
 +
 
 +
The OWASP Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy to read and digest.
 +
 
 +
The focus is on secure coding requirements, rather than on vulnerabilities and exploits. In this respect it is targeted more precisely for the development community, as opposed to the security community.
 +
 
 +
This presentation will introduce this OWASP project and discuss some of the core concepts and principles of the requirements.
 +
 
 +
'''Who:''' Keith Turpin CISSP, CSSLP, CRISC (Boeing)
 +
 
 +
Keith leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations.
 +
 
 +
Keith represents Boeing on the International Committee for Information Technology Standard's cyber security technical committee and serves as a U.S. delegate to the International Standards Organization's sub-committee on cyber security.
 +
 
 +
Keith is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. 
 +
 
 +
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics. 
 +
 
 +
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well.
 +
 
 +
[http://www.eventbrite.com/event/1696750025 RSVP on Eventbrite]
 +
 
 +
----
 +
 
 +
'''When:''' June 17, 2011, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Rapid7)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 +
 
 +
----
 +
 
 +
'''When:''' June 17, 2011, 1:30pm - 5:00pm
 +
 
 +
'''Topic:''' Penetration Testing with Metasploit Half-Day Seminar
 +
 
 +
'''Who:''' Raphael Mudge
 +
 
 +
'''Where:''' Microsoft Technology Center (Quarry Oaks 2, 10900 Stonelake Blvd, Suite 225, Austin, TX 78759)
 +
 
 +
[http://www.hick.org/~raffi/austin_slides.pptx Penetration Testing with Metasploit]
 +
 
 +
----
 +
 
 +
'''When:''' May 31, 2011, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Why Hackers.org Doesn't Get Hacked
 +
 
 +
Ha.ckers.org has suffered nearly every attack a website can. These attacks include robots, sophisticated web-based attacks, brute force, denial of service, and network based attacks. This speech will explain the other side of protecting high risk websites - the configurations, operating system, and network.
 +
 
 +
'''Who:''' James Flom (SecTheory)
 +
 
 +
Mr. Flom has been working in the computer industry for the past sixteen years and has spent the last twelve heavily involved in computer and network security. As lead operations engineer of Pilot Network Services' security department he researched network and computer threats on a daily basis protecting some of the largest companies and organizations in the world. He designed and implemented what was believed to be at the time, the largest network intrusion detection system in the world, protecting over half a million computers.
 +
 
 +
Mr. Flom later joined Digital Island (acquired by Cable & Wireless and merged with Exodus), where he created new product offerings for the Security Operations Center he was brought on to build. After the merger with Exodus James joined the Cyber Attack Tiger Team and assisted with the detection and recovery of several global network security compromises. Mr. Flom later became the director of consulting services for Kliosystems before co-founding SecTheory. He is a member of IACSP.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
 +
 
 +
[https://www.owasp.org/images/2/2e/Hacking_ha_ckers.pptx Why Ha.ckers.org Doesn't Get Hacked]
 +
 
 +
----
 +
 
 +
'''When:''' May 5, 2011, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by FireEye)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 +
 
 +
----
 +
 
 +
'''When:''' April 26, 2011, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Rugged Dev: Building Reliability and Security Into Software
 +
 
 +
Complex systems fail over time and the larger they are, the more likely they are to fail in unforeseen ways. Come hear about the best practices we used and lessons learned when we built very large scale cloud-based products. Once exposed to the Internet, complex multi-tenant Web systems encounter a wide range of input from a variety of sources but still have to be long running and behave resiliently in the face of failures. We will examine 3 implementations of Rugged best practices to design and test your software for ruggedness.
 +
 
 +
'''Who:''' James Wickett (National Instruments)
 +
 
 +
James graduated from the University of Oklahoma in 2004 with a BBA in MIS, where he also ran a Web startup company.  He joined the IT division of National Instruments, where he helped run the NI Web site, ni.com, for several years.  In 2007 he moved on to lead the Web division of a rapidly growing local publisher, Community Impact.  In 2010, he came back to NI, this time to the LabVIEW R&D group, where he leads up security and operations for several cloud-based SaaS products.  Over the last several years, James has been involved in the Austin chapter of OWASP as the Chapter President (2007-2009) and as the Chapter VP (2010-present).  With his involvement in OWASP, he also co-chaired the Lonestar Application Security Conference (LASCON) which was the first OWASP conference in Austin.
 +
 
 +
He is a security expert, bearing CISSP, GCFW, GWAS, and CCSK certifications.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well.
 +
 
 +
----
 +
 
 +
'''When:''' April 14, 2011, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Veracode)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 +
 
 +
----
  
'''Topic: ''' Reducing Your Data Security Risk Through Tokenization
+
'''When:''' March 29, 2011, 11:30am - 1:00pm
  
The first Austin OWASP meeting of the year is on a really interesting topic that many of you have probably never thought about: Tokenization.  The concept is simple...use tokens to represent your data instead of passing around the data itself.  For example, why would you give a customer account representative a full credit card number when all they need to do their job is the last four digits?  Using tokenization, we are able to reduce the data security risk by limiting the number of systems that actually store the data.  This extremely simplifies audits for regulations like SOX, HIPAA, and PCI DSS.  This presentation will cover the business drivers for data protection, what tokenization is, and how to implement it.  If your organization has data to protect, then you're going to want to check out this presentation.
+
'''Topic: ''' OWASP ROI: Optimize Security Spending Using OWASP
  
'''Who:''' Josh Sokol (National Instruments)
+
Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study the company realized annual reduction in spending of several hundred thousand dollars.
  
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].
+
'''Who:''' Matt Tesauro (Praetorian)
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Praetorian, Matt was a Security Consultant at Trustwave's Spider Labs. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.
  
'''Cost:''' Always Free
+
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.
  
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.
+
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' January 14, 2010, 5:00pm - 7:00pm
+
'''When:''' March 10, 2011, 5:00pm - 7:00pm  
  
'''What: '''Austin Security Executives Happy Hour
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Infoblox)
  
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
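Review bot: the added May 31, 2011 entry titles the talk "Why Hackers.org Doesn't Get Hacked" in its '''Topic:''' line, but the abstract beneath it and the slide link label both say "Ha.ckers.org". Correct the '''Topic:''' line to "Ha.ckers.org" so the title matches the site the talk is about. The Matt Tesauro biography added for March 29, 2011 also repeats, nearly verbatim, the paragraph added for the February 28, 2012 entry. Consider keeping one copy and trimming the other, and fix "provided training a various industry events" while touching it.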
Line 158: Line 2,398:
 
----
 
----
  
'''When:''' November 17, 2009, 11:30am - 1:00pm  
+
'''When:''' February 22, 2011, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Supercharged Password Cracking Techniques
 +
 
 +
In the past 2-3 years there have been many important discoveries/releases in
 +
the world of password cracking. Between massive password leaks (like RockYou,
 +
Gawker, etc) and the release of many free tools that take advantage of
 +
the processing power of GPU cards, there are many new techniques/tools/tricks
 +
that security professionals should be taking advantage of while cracking
 +
passwords. But, by default tools you download (Like John the Ripper) do not
 +
take advantage of this.
 +
 
 +
Over the past 12 years, Rick has been collecting password hashes from various
 +
large corporations (during authorized penetration tests). For years now, he
 +
has been cracking these passwords, and discovering more and more patterns that
 +
users are using. But the majority of password cracking tools out there
 +
(Such as John the Ripper, L0phtCrack, etc) do not take advantage of these
 +
"human weaknesses" in password creation. So far Rick has cracked almost 4
 +
million hashes from inside corporate America, and an additional 5+ million
 +
from sources over the Internet.
 +
 
 +
During this talk Rick will talk about the current state of password cracking
 +
by walking the attendees through a PWDUMP output file containing 49000+
 +
real "complex" NTLM passwords) how the default rule-set provided by John
 +
the Ripper can be improved to crack tens of thousands of additional passwords.
 +
Wordlists/Dictionaries will be shared that can help you better crack
 +
passwords (these wordlists were created based on what users are _actually_
 +
doing in Fortune 500 environments). New "rules" will be given out that were
 +
created to specifically attack the patterns that users are choosing.
 +
 
 +
This is relevant to OWASP, because the applications we are developing/securing
 +
almost always have logins and passwords that protect them. But, unlike Operating
 +
Systems, our web applications do not usually have strict password requirements
 +
that users have to meet in order to create an account. We do this as to not
 +
scare away users; but we are placing our OWN systems at risk.
 +
 
 +
Even now, sites like Google/Twitter/Facebook only warn the users about poor
 +
passwords, or have a list of 500 passwords that are not allowed. This will
 +
_not_ be the case in 10 years.  Lets address this problem now.
 +
 
 +
The only way to address the problem, is to first become aware of how bad
 +
our users are at choosing passwords , and what we can do (as developers or
 +
security professionals) to help protect our users from themselves.
 +
 
 +
'''Who:''' Rick Redman (Korelogic)
 +
 
 +
During his 12 years as a security practitioner, Rick has delivered numerous
 +
application and network penetration tests for a wide range of Fortune 500
 +
and government clients.  He serves as KoreLogic's subject matter expert in
 +
advanced password cracking systems and coordinated the "Crack Me if You Can"
 +
Contest at DefCon 2010. Additionally, Rick presents at a variety of security
 +
forums such as the Techno-Security Conference, ISSA Chapters and AHA (Austin
 +
Hackers Anonymous).  Rick also provides technical security training on
 +
topics such as web application security. Rick also delivers web application
 +
security training to management, developers and security staff. Rick has
 +
served as a member of a penetration testing tiger team supporting Sandia
 +
National Laboratories.  Mr. Redman is a graduate of Purdue University with a
 +
degree in Computer Science from the COAST/CERIAS program under Eugene Spafford.
 +
Rick started performing application layer security tests of applications in
 +
2000, before inline web-proxies existed.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C
 +
 
 +
[http://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf Supercharged Password Cracking Techniques] 
 +
 
 +
----
 +
 
 +
'''When:''' February 10, 2011, 5:00pm - 7:00pm  
  
'''Topic: ''' Tracking the progress of an SDL program: lessons from the gym
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Cisco)
  
Forcing muscle growth is a long process which requires high intensity 
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
weight training and high mental concentration. While the ultimate goal is 
 
often clear, one of the greatest mistakes bodybuilders consistently make is 
 
to overlook the importance of tracking their weight lifting progress.
 
  
Like a successful bodybuilding workout, a security development lifecycle 
+
----
program must consistently log simple to obtain, yet meaningful metrics 
 
throughout the entire process. Good metrics must lack subjectivity and 
 
clearly aid decision makers to determine areas that need improvement. In 
 
this presentation we’ll discuss metrics used to classify and appropriately 
 
compare security vulnerabilities found in different phases of the SDL by 
 
different teams working in different locations and in different products. 
 
We’ll also discuss how to easily provide decision makers different views of 
 
the same data and verify whether the process is indeed catching critical 
 
vulnerabilities internally.
 
  
'''Who:''' Cassio Goldschmidt (Symantec)
 
  
Cassio Goldschmidt is senior manager of the product security team under the 
+
'''When:''' January 25, 2011, 11:30am - 1:00pm
Office of the CTO at Symantec Corporation. In this role he leads efforts 
 
across the company to ensure the secure development of software products. 
 
His responsibilities include managing Symantec’s internal secure software 
 
development process, training, threat modeling and penetration testing. 
 
Cassio’s background includes over 12 years of technical and managerial 
 
experience in the software industry. During the six years he has been with 
 
Symantec, he has helped to architect, design and develop several top 
 
selling product releases, conducted numerous security classes, and 
 
coordinated various penetration tests.
 
  
Cassio represents Symantec on the SAFECode technical committee and (ISC)2 
+
'''Topic: ''' Smart Phones with Dumb Apps
in the development of the CSSLP certification. He holds a bachelor degree 
 
in computer science from Pontificia Universidade Catolica do Rio Grande Do 
 
Sul, a masters degree in software engineering from Santa Clara University, 
 
and a masters of business administration from the University of Southern 
 
California.
 
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.
  
'''Cost:''' Always Free
+
'''Who:''' Dan Cornell (Principal, Denim Group)
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. In addition, Dan Cornell performed as the CTO of BrandDefense, architecting and developing their cutting-edge intellectual property protection technologies. Over a one year period of development he brought their web-based intellectual property protection technologies through three major versions, surpassing the applications of well funded and entrenched competitors. Previously he was the Vice President, Global Competency Leader for Rare Medium's Java and Unix competency center, based in San Antonio, Texas with development centers in New York, San Francisco, Atlanta and Sydney, Australia. He directed the development of best practices and policy for the cornerstone of Rare Medium's technical development arm, specializing in server-side Java application development. Prior to its acquisition by Rare Medium, Cornell was a founder and Vice President of Engineering for Atension, Inc. where he led the technical development team and served as the architect for the company's internal engineering practices. In March 1999, Texas Monthly magazine named Cornell and his partners, Sheridan Chambers and Tyson Weihs, to its list of 30 "Multimedia Whizzes Under Thirty" doing business in Texas.
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' October 27, 2009, 11:30am - 1:00pm  
+
'''When:''' January 13, 2011, 5:00pm - 7:00pm  
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Rapid7)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
'''Topic: ''' Vulnerability Management In An Application Security World
+
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
  
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk.  Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules.  In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
+
==2010==
 +
----
  
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams.  Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
+
'''When:''' October 29, 2010, 8:00am - 5:00pm
  
'''Who:''' Dan Cornell (Denim Group)
+
'''Topic: ''' Lonestar Application Security Conference (LASCON)
  
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
+
'''Who Should Attend LASCON 2010:'''
  
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.
+
*Application Developers
 +
*Application Testers and Quality Assurance
 +
*Application Project Management and Staff
 +
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
 +
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
 +
*Security Managers and Staff
 +
*Executives, Managers, and Staff Responsible for IT Security Governance
 +
*IT Professionals Interested in Improving IT Security<br>
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''Where:''' Norris Conference Center
  
'''Cost:''' Always Free
+
'''Cost:''' $100 for OWASP members, $150 for non-members (includes 1 year OWASP membership)
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
<br>
 +
[[Image:LACON2010Schedule.png|800px|link=http://www.lascon.org|LASCON 2010 Schedule]]
  
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]
+
<!-- Mediawiki needs all these spaces -->
  
 
----
 
----
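Review bot: In the added LASCON block, the image line references "LACON2010Schedule.png" while its link target and caption both say LASCON; confirm the uploaded file really has that name, otherwise the schedule renders as a broken image link. The added "----" directly under the new "==2010==" heading also puts a horizontal rule right beneath the heading, and the trailing "<br>" on the last audience bullet ("*IT Professionals Interested in Improving IT Security<br>") can be dropped.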
  
'''When:''' September 29, 2009, 11:30am - 1:00pm  
+
'''When:''' September 28, 2010, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In
 +
 
 +
This presentation demonstrates how important application security is to the overall stability and security of the infrastructure and the ultimately, the business. Presented from the Information Security Officer/Risk Manager point of view, it shows how a strong information security program reduces levels of reputational, operational, legal, and strategic risk by limiting vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on the top concerns of risk managers and how application security fits into the overall risk management process. The audience will be given recommendations on how to improve cost effectiveness and efficiency to achieve business, security, audit, and compliance objectives relative to applications.
 +
 
 +
'''Who:''' Peter Perfetti (Impact Security LLC)
  
'''Topic: ''' OWASP ROI: Optimize Security Spending using OWASP
+
Mr. Perfetti has been working in information security for fifteen years. He has been involved in IT Security for the financial services industry for ten years where he has worked as an Information Security Officer as well as having been responsible for vulnerability and threat management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager of Systems Administration and was the Director of IT Risk Management for the National Basketball Association. He has a broad range of experience in both operations and security. Mr. Perfetti provided governance and guidance over risk and compliance issues for the Americas region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities were primarily to manage the risk for infrastructure related technology and operations. Other duties included audit, business continuity, investigations, and security operations oversight. Most recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving high performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention, and Recovery; as well as developing, enhancing, and implementing Security and Risk Management programs.
  
Considering the current economic times, security spending is tighter than ever.  This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way.  OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security.  Projects covered include the OWASP Top 10, OWASP Testing Guide,  Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others.  A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided.  In this case study the company realized annual reduction in spending of several hundred thousand dollars.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
'''Who:''' Matt Tesauro
+
[http://www.owasp.org/images/9/97/Technology_and_Business_Risk_Management_How_Application_Security_Fits_In.pdf Technology and Business Risk Management: How Application Security Fits In]
  
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester.  Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security, developing a Secure SDLC and launching a two-year application security program for Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx.  Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.  He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.
+
----
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''When:''' September 16, 2010, 5:00pm - 7:00pm
  
'''Cost:''' Always Free
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by F5 and Accuvant)
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
 
----
 
----
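Review bot: The added abstract for the September 28, 2010 talk reads "security of the infrastructure and the ultimately, the business"; the stray "the" should go ("and, ultimately, the business"). The slide link added at the end of the same block points at an http://www.owasp.org URL, while the chapter header on this page already links to https://www.owasp.org; switch the scheme so the PDF is not fetched over plain HTTP.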
  
'''When:''' August 25, 2009, 11:30am - 1:00pm  
+
'''When:''' August 31, 2010, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Application Assessments Reloaded
 +
 
 +
Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration-testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration-testing be re-used and turned into something innovative?
 +
 
 +
Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration-testing tools.
 +
 
 +
Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?
 +
 
 +
This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).
  
'''Topic: ''' Threat Modeling
+
'''Who:''' Andre Gironda
  
In this talk, Michael will discuss Microsoft SDL Threat Modeling, how to apply it to design more secure applications and finally, will show a demo and hold a short lab exercise.
+
Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company, worked as an appsec consultant for many years, and recently joined a large online gaming company. He is known for his quirky mailing-list posts and blog comments -- and at one time wrote for tssci-security.com.
  
'''Who:''' Michael Howard, PRINCIPAL Security Program Manager, Microsoft's Security Engineering Team
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft’s software.  
+
[http://www.owasp.org/images/1/16/Owasp-austin-2010-gironda-reloaded.ppt Application Assessments Reloaded]
 
Howard began his career with Microsoft in 1992 at the company’s New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software. In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft’s next-generation web server, before moving to his current role in 2000.
 
  
Howard is an editor of IEEE Security & Privacy, a frequent speaker at security-related conferences and he regularly publishes articles on secure coding and  design, Howard is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista
+
----
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''When:''' August 12, 2010, 5:00pm - 7:00pm
  
'''Cost:''' Always Free
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by WhiteHat Security)
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
 
----
 
----
  
'''When:''' July 28, 2009, 3:30pm - 5:00pm  
+
'''When:''' July 27, 2010, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Data Attack Anatomy: Stopping Bad Guys &amp; Satisfying Auditors with Pragmatic Database Security
  
'''Topic: ''' Slowloris: A DOS tool for Apache
+
Corporate databases and their contents are under siege. From outside the organization, criminals can exploit web applications to steal confidential information for financial gain. From the inside, databases can be compromised by employees and contractors with malicious intent. SQL Injection, platform vulnerabilities, buffer overflows ... databases are vulnerable to a myriad of threats and attack vectors.
  
Slowloris was designed and developed as a low bandwidth denial of service tool to take advantage of an architectural design flaw in Apache web servers.  It was quickly picked up and used by Iranian government protesters.  This speech will cover the technical issues around the design flaw, and the events prior to, during and since the release of the tool.
+
In this session John Marler, a Senior Security Engineer with Imperva, will discuss the challenges of data security requirements imposed by today’s regulations, how organizations are achieving success and why organizations should do more than comply.
  
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org
+
'''Who:''' John Marler (Imperva)
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
John is a Senior Security Engineer with Imperva and has a decade of experience in designing, deploying and managing large infrastructure and network security solutions for Fortune 500 enterprises. After seven years with Dell IT, John moved into a network security consulting role for an IBM partner and went on to evangelize network security consolidation and simplification with Crossbeam Systems. Currently he is a senior security engineer with Imperva and specializes in web application and database security.  
  
'''Cost:''' Always Free
+
John is a graduate of Texas A&amp;M University with a BBA in Information and Operations Management and holds multiple industry certs including Cisco networking &amp; design specializations, CheckPoint firewall, and TippingPoint IPS.
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
'''Where:''' National Instruments, 11500 N Mopac, Building B
  
 
----
 
----
  
'''When:''' June 25, 2009, 5:00pm - 8:00pm  
+
'''When:''' July 15, 2010, 5:00pm - 7:00pm  
  
'''Topic: ''' OWASP/ISSA/ISACA June Happy Hour Sponsored by VMWare!!!
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Praetorian)
  
'''Where:''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)  
  
 
----
 
----
  
'''When:''' June 30, 2009, 3:30pm - 5:00pm  
+
'''When:''' June 29, 2010, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' AJAX Security
 +
 
 +
We will discuss what AJAX is, and how the different technologies combine to make it up. We will discuss some of the unique features, toolkits, and coding considerations, as well as security pitfalls, and ways to protect and detect them.
 +
 
 +
*Introduction to AJAX
 +
*Security Issues with architecture
 +
*Toolkits
 +
*Toolkit Security Concerns
 +
*Bridges and Issues
 +
*Attacking AJAX
 +
*Defending AJAX
 +
*Securing the Code
 +
*Best Practices
 +
*Other Issues and Concerns
 +
*Q and A
  
'''Topic: ''' Web 2.0 Cryptology - A Study in Failure
+
'''Who:''' Brad Causey
  
'''Who:''' Travis
+
Brad Causey is an active member of the security and forensics community world­wide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is currently employed at a major international financial institution as a security analyst. Brad is the President of the OWASP Alabama chapter, a member of the OWASP Global Projects Committee and a contributor to the OWASP Live CD. He is also the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad currently holds certifications in the following arenas: MCSA, MCDBA, MCSE, MCT, MCP, GBLC, GGSC­100, C|EH, CIFI, CCNA,IT Project Management+, Security+, A+, Network+, CISSP, CGSP.
  
'''Travis's Bio:''' Travis H. is an jack-of-all-trades and independent security
+
'''Where:''' National Instruments, 11500 N Mopac, Building C  
enthusiast.  He has worked in the AFCERT looking for intrusions into
 
Air Force computers, and handled application security and cryptography
 
issues for Paypal.  He is currently a programmer for Giganews in
 
Austin. He is also the author of an online book on security called
 
"Security Concepts", located here:
 
  
http://www.subspacefield.org/security/security_concepts.html
+
----
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''When:''' June 17, 2010, 5:00pm - 7:00pm
  
'''Cost:''' Always Free
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Set Solutions)
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
 
----
 
----
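Review bot: The added Brad Causey bio looks pasted from a formatted source: "worldwide" and "GGSC-100" appear to carry an embedded hyphenation character in the middle of the word, and the certification list reads "CCNA,IT Project Management+" with no space after the comma. Retype those three spots as plain text so search and copy-paste of the bio work as expected.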
  
'''When:''' May 26, 2009, 11:30am - 1:00pm  
+
'''When:''' May 25, 2010, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Javascript Hijacking
 +
 
 +
This attack is an offshoot of Cross-Site Request Forgery (CSRF) and is common when AJAX is involved. It was well publicized in 2007 when the gmail contact list was found by Jeremiah Grossman to be vulnerable to it. This presentation will include a technical explanation of the attack, a demonstration, and a discussion.
 +
 
 +
'''Who:''' Ben Broussard (UT Austin)
  
'''Topic: ''' Clickjack This!
+
Ben Broussard is a developer for the University of Texas at Austin with an academic background in mathematics, specifically cryptography. At UT he has translated and prioritized web application attacks in relation to the environment that the developers are working in. Ben is currently leading a web application security focused team of developers from different departments around campus.
  
This speech will cover clickjacking - one of the most obscure client side hacking techniques.  After the speech at the world OWASP conference was canceled due to Adobe asking for more time to construct a patch, Robert Hansen never ended up doing a complete speech on the topic.  This presentation will cover some of the history of how this exploit came to be, how it works, and how it eventually turned into real world weaponized code.
+
'''Topic: ''' Attacking Intranets from the Web Using DNS Rebinding
  
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org
+
DNS Rebinding works by implementing code that circumvents the web browser's same-origin policy and penetrates your private network. The exploit was popularized by RSnake in 2009. This presentation will explore how DNS Rebinding works, a walk-thru of a running demo, and what it means to your organization.  
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''Who:''' James Wickett (National Instruments)  
  
'''Cost:''' Always Free
+
James is the current Vice President of the Austin OWASP chapter and the former President. He works for National Instruments as a Web Systems Engineer in the R&amp;D department. Current certifications: CISSP, GCFW, GWAS
  
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' April 28, 2009, 11:30am - 1:00pm  
+
'''When:''' May 20, 2010, 5:00pm - 7:00pm  
 +
 
 +
'''What: '''Austin Security Professionals Happy Hour (Sponsored by BlueCoat)
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
 +
 
 +
----
  
'''Topic: ''' Architecting Secure Web Systems
+
'''When:''' April 27, 2010, 11:30am - 1:00pm
  
For this month's presentation, we diverge from the typical OWASP topics of writing secure code, testing to make sure your code is secure, and other code related topics and delve into the process of actually architecting a secure web application from the ground up.  We'll start with some basic n-tier architecture (web vs app vs DB), throw in some firewall and DMZ concepts, then talk about server hardening with client firewalls (iptables), disabling services, and other techniques. Whether you're a code monkey wondering how the rest of the world works, a security guy trying to figure out what you're missing, or an auditor just trying to understand how the pieces fit together, this presentation is for you.
+
'''Topic: ''' Automated vs. Manual Security: You can't filter The Stupid
  
'''Who:''' Josh Sokol
+
Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.
  
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog] and recently presented at the TRISC 2009 Conference.
+
<br> Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.  
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''Who:''' Charles Henderson (Trustwave)  
  
'''Cost:''' Always Free
+
Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' April 23rd, 2009, 5:00pm - 7:00pm  
+
'''When:''' April 22, 2010, 5:00pm - 7:00pm  
  
'''Topic: ''' OWASP April Happy Hour
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Fortify)
  
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)  
  
 
----
 
----
  
'''When:''' March 31, 2009, 11:30am - 1:00pm  
+
'''When:''' March 30, 2010, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Enterprise Application Security Practices: Real-world Tips and Techniques
 +
 
 +
How can you re-energize your company’s or institution’s commitment to secure development practices as part of the SDLC, while keeping costs in check? Dell's Security Consulting team created an application security practice with the help of several internal teams in legal, enterprise architecture, vendor management, privacy, compliance, and network engineering. Team members Addison Lawrence, Chad Barker, and Mike Craigue will discuss some of the challenges and opportunities they have faced over the last three years, ramping from 27 project engagements in 2007, to 726 project engagements in 2009. In this session, we will discuss the creation of policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. Also included: awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, penetration testing, exception management, and executive escalations. Tell us what we might do to improve our program and increase our effectiveness; discuss how you could adapt parts of this approach to your own program.
 +
 
 +
'''Who:''' Addison Lawrence, Chad Barker, and Mike Craigue (Dell, Inc.)
 +
 
 +
Addison Lawrence has 10 years of experience at Dell with leadership responsibilities in database and data warehouse security, PCI, SOX, and Dell Services security. He is a part of the Cloud Security Alliance team developing their Controls Matrix. Previously he worked for 13 years at Mobil Oil (now ExxonMobil) as a software developer and DBA. He holds an MBA from Texas A&amp;M University and a BS in Computer Science from Texas A&amp;M-Corpus Christi, and is a certified CISSP.
 +
 
 +
Chad has worked at Dell for 10 years primarily in software development. Chad has led global development standardization initiatives including release management automation and static source code analysis. He holds a BS in Information Systems from the University of Texas at Arlington.
  
'''Topic: ''' PCI Compliance and Web App Security
+
Before joining Dell’s information security team 5 years ago, Mike worked as a database and web application developer at Dell and elsewhere in central Texas. He’s responsible for Dell’s application security strategy globally, and focuses primarily on Dell’s ecommerce site. He holds a PhD in Higher Education Administration / Finance from the University of Texas-Austin, and has the CISSP and CSSLP certifications.
  
The purpose of this presentation is to give an objective view of PCI Compliance including the good, the bad and the ugly.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
Topics covered include:
+
[http://www.owasp.org/images/c/cc/Enterprise_Application_Security_Practices.ppt Enterprise Application Security Practices: Real-world Tips and Techniques]
  
      What do an ASV really do.
+
----
 +
 
 +
'''When:''' March 18, 2010, 5:00pm - 7:00pm
  
      What does a QSA really do.
+
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Denim Group)
  
      What does an ASV scan really pick up.
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
      Are you really secure when you are compliant.
+
----
  
      A product neutral look at how to get the most out of your compliance push.
+
'''When:''' February 23, 2010, 11:30am - 1:00pm
  
'''Who:''' Fritz has more than five years of experience in offensive and defensive security practices and strategies. Since 2006 Fritz has been dedicated to managing PCI Data Security Standards (PCI DSS) for ControlScan as well as helping to develop products and services that are designed to make it easier for small merchants to complete and maintain compliance and long term security best practices. Fritz also authors regular security briefings on www.pcicomplianceguide.org <http://www.pcicomplianceguide.org/>  and addresses the "Ask the Expert" questions on the site.
+
'''Topic: ''' Advanced Persistent Threat - What Does it Mean for Application Security?
  
Fritz a member of the Application Security Group of the SPSP (The Society of Payment Security Professionals), a participant on the PCI Knowledge Base's Panel of Experts and is a Certified Information Systems Security Professional (CISSP).
+
Targeted attacks, slow moving malware, foreign intelligence/government sponsored hackers, corporate/industrial espionage – all fun and games? Not really. These vectors are occurring today, and the threat vector has bled into the application space. What do you have to contend with once it passes through the firewall.  
  
 +
'''Who:''' Matt Pour (Blue Coat Systems)
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
Matt is a Systems Engineer for Blue Coat Systems. Utilizing over ten years of information security experience, Matt provides subject matter expertise of ensuring security effectiveness while addressing business controls and requirements to a multitude of industries regardless of size and scope. Previous to Blue Coat Systems, Matt Pour was a Security Solutions Architect and X-Force Field Engineer for IBM ISS.  
  
'''Cost:''' Always Free
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
[http://www.owasp.org/images/9/90/Advanced_Persistent_Threats.pdf Advanced Persistent Threat - What Does it Mean for Application Security?]
  
 
----
 
----
  
'''When:''' February 24, 2009, 11:30am - 1:00pm  
+
'''When:''' February 11, 2010, 5:00pm - 7:00pm  
  
'''Topic: ''' Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data
+
'''What: '''Austin Security Executives Happy Hour (Sponsored by WhiteHat Security)
  
In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored:
+
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;
+
----
  
2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and
+
'''When:''' January 26, 2010, 11:30am - 1:00pm
  
3. Compliance and Software development life cycle approaches.
+
'''Topic: ''' Reducing Your Data Security Risk Through Tokenization
  
Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?
+
The first Austin OWASP meeting of the year is on a really interesting topic that many of you have probably never thought about: Tokenization. The concept is simple...use tokens to represent your data instead of passing around the data itself. For example, why would you give a customer account representative a full credit card number when all they need to do their job is the last four digits? Using tokenization, we are able to reduce the data security risk by limiting the number of systems that actually store the data. This extremely simplifies audits for regulations like SOX, HIPAA, and PCI DSS. This presentation will cover the business drivers for data protection, what tokenization is, and how to implement it. If your organization has data to protect, then you're going to want to check out this presentation.
  
Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.
+
'''Who:''' Josh Sokol (National Instruments)
  
'''Who:''' Quincy Jackson
+
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].
  
Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which include 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
[http://www.owasp.org/images/a/ae/Reducing_Your_Data_Security_Risk_Through_Tokenization.pptx Reducing Your Data Security Risk Through Tokenization]  
  
'''Cost:''' Always Free
+
----
 +
 
 +
'''When:''' January 14, 2010, 5:00pm - 7:00pm
 +
 
 +
'''What: '''Austin Security Executives Happy Hour
 +
 
 +
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
  
 +
==2009==
 
----
 
----
  
'''When:''' March 26th, 2009, 5:00pm - 7:00pm  
+
'''When:''' November 17, 2009, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Tracking the progress of an SDL program: lessons from the gym
 +
 
 +
Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress.
 +
 
 +
Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this presentation we’ll discuss metrics used to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally.
 +
 
 +
'''Who:''' Cassio Goldschmidt (Symantec)
 +
 
 +
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.
  
'''Topic: ''' OWASP March Happy Hour
+
Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.
  
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' February 5th, 2009, 5:00pm - 7:00pm
+
'''When:''' October 27, 2009, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Vulnerability Management In An Application Security World
 +
 
 +
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
 +
 
 +
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
 +
 
 +
'''Who:''' Dan Cornell (Denim Group)
 +
 
 +
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
  
'''Topic: ''' OWASP Live CD Release Party
+
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.
  
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' January 27, 2009, 11:30am - 1:00pm  
+
'''When:''' September 29, 2009, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' OWASP ROI: Optimize Security Spending using OWASP
 +
 
 +
Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study the company realized annual reduction in spending of several hundred thousand dollars.
 +
 
 +
'''Who:''' Matt Tesauro
 +
 
 +
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&amp;M Mays Business School. Currently, he's focused on web application security, developing a Secure SDLC and launching a two-year application security program for Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 +
[http://www.owasp.org/images/d/d6/Austin_Chapter_OWASP_ROI-mtesauro.pdf OWASP ROI: Optimize Security Spending using OWASP]
  
'''Topic: ''' Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.
+
----
  
The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk:
+
'''When:''' August 25, 2009, 11:30am - 1:00pm
 
1. The statelessness of the internet
 
  
2. How the naive attack works
+
'''Topic: ''' Threat Modeling
  
3. A mitigation strategy against this naive attack
+
In this talk, Michael will discuss Microsoft SDL Threat Modeling, how to apply it to design more secure applications and finally, will show a demo and hold a short lab exercise.  
  
4. An combined CSRF/XSS attack that defeats this mitigation strategy
+
'''Who:''' Michael Howard, PRINCIPAL Security Program Manager, Microsoft's Security Engineering Team
  
5. And finally suggestions for mitigation of the combined attack
+
Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft’s software.
  
 +
Howard began his career with Microsoft in 1992 at the company’s New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software. In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft’s next-generation web server, before moving to his current role in 2000.
  
'''Who:''' Ben L Broussard
+
Howard is an editor of IEEE Security &amp; Privacy, a frequent speaker at security-related conferences and he regularly publishes articles on secure coding and design, Howard is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista
  
I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
[http://www.owasp.org/images/9/97/TM.pptx Threat Modeling]
  
 
----
 
----
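Review bot: In the added September 29, 2009 bio for Matt Tesauro, "He is also has the CISSP, CEH" carries a stray "is", and "a M.S in Management Information Systems" is missing the period after the S; suggest "He also has the CISSP" and "an M.S.". In the added August 25, 2009 entry, the '''Who:''' line writes "PRINCIPAL" in capitals while the bio under it uses "principal". The last bio paragraph also joins two sentences with a comma at "secure coding and design, Howard is the co-author" and ends without a full stop after "Writing Secure Code for Windows Vista".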
  
'''When:''' October 28, 2008, 11:30am - 1:00pm  
+
'''When:''' July 28, 2009, 3:30pm - 5:00pm  
 +
 
 +
'''Topic: ''' Slowloris: A DOS tool for Apache
  
'''Who:''' Josh Sokol
+
Slowloris was designed and developed as a low bandwidth denial of service tool to take advantage of an architectural design flaw in Apache web servers. It was quickly picked up and used by Iranian government protesters. This speech will cover the technical issues around the design flaw, and the events prior to, during and since the release of the tool.
  
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security.  Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].
+
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org
  
'''Topic: ''' Using Proxies to Secure Applications and More
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application.  It is a demonstration of the various types of proxy software and their uses.  We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues?  Did you know that you can use RatProxy for W3C compliance validation?  By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired. 
+
----
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''When:''' June 25, 2009, 5:00pm - 8:00pm
  
'''Cost:''' Always Free
+
'''Topic: ''' OWASP/ISSA/ISACA June Happy Hour Sponsored by VMWare!!!
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
'''Where:''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
  
 
----
 
----
  
'''When:''' September 30, 2008, 11:30am - 1:00pm  
+
'''When:''' June 30, 2009, 3:30pm - 5:00pm  
 +
 
 +
'''Topic: ''' Web 2.0 Cryptology - A Study in Failure
 +
 
 +
'''Who:''' Travis
 +
 
 +
'''Travis's Bio:''' Travis H. is an jack-of-all-trades and independent security enthusiast. He has worked in the AFCERT looking for intrusions into Air Force computers, and handled application security and cryptography issues for Paypal. He is currently a programmer for Giganews in Austin. He is also the author of an online book on security called "Security Concepts", located here:
  
'''Who:''' Josh Sokol
+
http://www.subspacefield.org/security/security_concepts.html
  
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security.  Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
'''Topic: ''' OWASP AppSec NYC Conference 2008
+
----
  
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.
+
'''When:''' May 26, 2009, 11:30am - 1:00pm
 +
 
 +
'''Topic: ''' Clickjack This!
  
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].  
+
This speech will cover clickjacking - one of the most obscure client side hacking techniques. After the speech at the world OWASP conference was canceled due to Adobe asking for more time to construct a patch, Robert Hansen never ended up doing a complete speech on the topic. This presentation will cover some of the history of how this exploit came to be, how it works, and how it eventually turned into real world weaponized code.  
  
'''Cost:''' Always Free
+
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
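Review bot: The added 2009 entries are listed newest first, but the "June 25, 2009, 5:00pm - 8:00pm" happy hour sits above the "June 30, 2009, 3:30pm - 5:00pm" meeting; swap the two entries so the order stays consistent with the rest of the year. In the June 30 entry, "'''Who:''' Travis" gives only a first name where other entries give a full name and affiliation, and the bio reads "an jack-of-all-trades" (should be "a jack-of-all-trades").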
  
'''When:''' August 26th, 2008, 11:30am - 1:00pm  
+
'''When:''' April 28, 2009, 11:30am - 1:00pm  
  
'''Who:''' Matt Tesauro
+
'''Topic: ''' Architecting Secure Web Systems
  
Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.
+
For this month's presentation, we diverge from the typical OWASP topics of writing secure code, testing to make sure your code is secure, and other code related topics and delve into the process of actually architecting a secure web application from the ground up. We'll start with some basic n-tier architecture (web vs app vs DB), throw in some firewall and DMZ concepts, then talk about server hardening with client firewalls (iptables), disabling services, and other techniques. Whether you're a code monkey wondering how the rest of the world works, a security guy trying to figure out what you're missing, or an auditor just trying to understand how the pieces fit together, this presentation is for you.  
  
'''Topic: ''' OWASP Live CD 2008 - An OWASP Summer of Code Project
+
'''Who:''' Josh Sokol
  
The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where its been and where its going. Some of the design goals include:
+
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog] and recently presented at the TRISC 2009 Conference.
# easy for the users to keep the tools updated
 
# easy for the project lead to keep the tools updated
 
# easy to produce releases (I'm thinking quarterly releases)
 
# focused on just web application testing - not general Pen Testing
 
  
OWASP Project Page:
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
 
  
Project Wiki:
+
[http://www.owasp.org/images/8/8b/OWASP_-_Architecting_Secure_Web_Systems.pptx Architecting a Secure Web System]
http://mtesauro.com/livecd/
 
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
----
  
'''Cost:''' Always Free
+
'''When:''' April 23rd, 2009, 5:00pm - 7:00pm
 +
 
 +
'''Topic: ''' OWASP April Happy Hour
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
+
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
  
 
----
 
----
  
'''When:''' July 29th, 2008, 11:30am - 1:00pm  
+
'''When:''' March 31, 2009, 11:30am - 1:00pm  
  
'''Who:''' Whurley and Mando
+
'''Topic: ''' PCI Compliance and Web App Security
  
William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.
+
The purpose of this presentation is to give an objective view of PCI Compliance including the good, the bad and the ugly.  
  
Mando Escamilla is the Chief Software Architect at Symbiot, Inc.  He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project.  He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.
+
Topics covered include:
  
 +
      What do an ASV really do.
  
'''Topic: ''' The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect
+
      What does a QSA really do.
  
OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.
+
      What does an ASV scan really pick up.
  
 +
      Are you really secure when you are compliant.
  
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.
+
      A product neutral look at how to get the most out of your compliance push.
  
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].  
+
'''Who:''' Fritz has more than five years of experience in offensive and defensive security practices and strategies. Since 2006 Fritz has been dedicated to managing PCI Data Security Standards (PCI DSS) for ControlScan as well as helping to develop products and services that are designed to make it easier for small merchants to complete and maintain compliance and long term security best practices. Fritz also authors regular security briefings on www.pcicomplianceguide.org &lt;http://www.pcicomplianceguide.org/&gt; and addresses the "Ask the Expert" questions on the site.  
  
'''Cost:''' Always Free
+
Fritz a member of the Application Security Group of the SPSP (The Society of Payment Security Professionals), a participant on the PCI Knowledge Base's Panel of Experts and is a Certified Information Systems Security Professional (CISSP).
  
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.
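Review bot: in the added speaker bio, "Fritz a member of the Application Security Group" is missing its verb and should read "Fritz is a member". In the added "Who:" line, "www.pcicomplianceguide.org &lt;http://www.pcicomplianceguide.org/&gt;" looks like e-mail paste residue; a single wiki external link would render cleanly.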
+
<br> '''Where:''' National Instruments, 11500 N Mopac, Building C
  
 
----
 
----
  
'''When:''' June 24th, 2008, 11:30am - 1:00pm  
+
'''When:''' February 24, 2009, 11:30am - 1:00pm  
 +
 
 +
'''Topic: ''' Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data
 +
 
 +
In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored:
 +
 
 +
1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;
  
'''Who:''' Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency
+
2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and
  
Matt's Bio:  Matt Tesauro has worked in web application development and
+
3. Compliance and Software development life cycle approaches.  
security since 2000.  He's worn many different hats, from developer to
 
DBA to sys admin to university lecturer to pen tester. Currently, he's
 
focused on web application security and developing a Secure SDLC for
 
TEA.  Outside work, he is the project lead for the OWASP SoC Live CD
 
project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project
 
  
A.J.'s Bio:  A. J. Scotka Senior Software Quality Engineer, Texas
+
Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?
Education Agency
 
As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently
 
responsible for quality reviews on design and code, software
 
configuration management process, build engineering process, release
 
engineering process, verification and validation throughout the life
 
cycle and over all quality improvement across all areas of enterprise
 
code manufacturing.
 
  
 +
Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.
  
'''Topic: ''' Securely Handling Sensitive Configuration Data.
+
'''Who:''' Quincy Jackson
  
One of the age old problems with web applications was keeping sensitive
+
Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which include 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.  
data available on a need to know basis. The classic case of this is
 
database credentials. The application needs them to connect to the
 
database but developers shouldn't have direct access to the DB -
 
particularly the production DB. The presentation will discuss how we
 
took on this specific problem, our determination that this was a
 
specific case of a more general problem and how we solved that general
 
problem. In our solution, sensitive data is only available to the
 
application and trusted 3rd parties (e.g. DBAs). We will then cover our
 
implementation of that solution in a .Net 2.0 environment and discuss
 
some options for J2EE environments.  So far, we used our .Net solution
 
successfully for database credentials and private encryption keys used
 
in XML-DSig.  Sensitive data is only available to the application and
 
trusted 3rd parties (e.g. DBAs).
 
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''Where:''' National Instruments, 11500 N Mopac, Building C  
  
 
----
 
----
  
'''When:''' May 27th, 2008, 11:30am - 1:00pm  
+
'''When:''' March 26th, 2009, 5:00pm - 7:00pm  
 +
 
 +
'''Topic: ''' OWASP March Happy Hour
 +
 
 +
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
  
'''Who:''' Nathan Sportsman and Praveen Kalamegham, Web Services Security
+
----
  
'''Topic: '''Web Services Security
+
'''When:''' February 5th, 2009, 5:00pm - 7:00pm
The concept of web services has become ubiquitous over the last few years.  Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse.  Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers.  However, the power web services enables also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology.  This presentation will first aim to identify the risks associated with web services.  We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status.  Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.
 
  
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.
+
'''Topic: ''' OWASP Live CD Release Party
  
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].
+
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info
  
 
----
 
----
  
'''When:''' April 29th, 2008, 11:30am - 1:00pm  
+
'''When:''' January 27, 2009, 11:30am - 1:00pm  
 +
 
 +
<br> '''Topic: ''' Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.
 +
 
 +
The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk:
 +
 
 +
1. The statelessness of the internet
 +
 
 +
2. How the naive attack works
 +
 
 +
3. A mitigation strategy against this naive attack
 +
 
 +
4. An combined CSRF/XSS attack that defeats this mitigation strategy
 +
 
 +
5. And finally suggestions for mitigation of the combined attack
  
'''Who:''' Mano Paul
+
<br> '''Who:''' Ben L Broussard
  
Bio
+
I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.  
Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President & CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive.
 
He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training & Education.
 
  
'''What:''' Security – The Road Less Travelled
+
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].  
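Review bot: item 4 of the added agenda reads "An combined CSRF/XSS attack"; it should be "A combined". The bio under "Who:" is written in the first person ("I am new in the world of Web App security") while the other bios in this list use the third person, so either mark it as a quote from the speaker or reword it. The five agenda items would also render as a real list with the "#" syntax already used for the Live CD design goals.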
 
Abstract -
 
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more …
 
The Road Less Travelled by renowed poet, Robert Frost ends by with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side.  
 
Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.
 
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
[[#Listing of Past Meetings and Events|Back to Top]]
 +
----
  
 +
==2008==
 
----
 
----
  
'''When:''' March 25th, 2008, 11:30am - 1:00pm  
+
'''When:''' October 28, 2008, 11:30am - 1:00pm  
 +
 
 +
'''Who:''' Josh Sokol
 +
 
 +
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].
 +
 
 +
'''Topic: ''' Using Proxies to Secure Applications and More
 +
 
 +
The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C
 +
 
 +
[https://www.owasp.org/images/f/ff/Using_Proxies_to_secure_applications_and_more.pptx Using Proxies to Secure Applications and More]
  
'''Who:''' Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax
+
----
  
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
+
'''When:''' September 30, 2008, 11:30am - 1:00pm
  
'''Topic: '''Static Analysis Techniques for Testing Application Security
+
'''Who:''' Josh Sokol
  
Static Analysis of software refers to examining source code and other software artifacts without executing them.  This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.
+
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].  
  
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.
+
'''Topic: ''' OWASP AppSec NYC Conference 2008
  
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].
+
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  
  
 
----
 
----
  
'''When:'''February 26th, 2008 - Michael Howard, Author of Writing Secure Code
+
'''When:''' August 26th, 2008, 11:30am - 1:00pm
 +
 
 +
'''Who:''' Matt Tesauro
 +
 
 +
Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.
 +
 
 +
'''Topic: ''' OWASP Live CD 2008 - An OWASP Summer of Code Project
 +
 
 +
The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where its been and where its going. Some of the design goals include:
 +
 
 +
#easy for the users to keep the tools updated
 +
#easy for the project lead to keep the tools updated
 +
#easy to produce releases (I'm thinking quarterly releases)
 +
#focused on just web application testing - not general Pen Testing
 +
 
 +
OWASP Project Page: http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
 +
 
 +
Project Wiki: http://mtesauro.com/livecd/
  
'''Topic: '''Microsoft's SDL: A Deep Dive
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
 +
 
 +
----
 +
 
 +
'''When:''' July 29th, 2008, 11:30am - 1:00pm
  
In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.
+
'''Who:''' Whurley and Mando
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.  
  
 +
Mando Escamilla is the Chief Software Architect at Symbiot, Inc. He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project. He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.
  
January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown
+
<br> '''Topic: ''' The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect
  
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.
+
OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.  
  
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].
+
<br> '''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  
  
 
----
 
----
  
'''When:''' December 4th, 2007, 11:30am - 1:00pm  
+
'''When:''' June 24th, 2008, 11:30am - 1:00pm  
 +
 
 +
'''Who:''' Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency
 +
 
 +
Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP SoC Live CD project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project
  
'''Who:''' Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)
+
A.J.'s Bio: A. J. Scotka Senior Software Quality Engineer, Texas Education Agency As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently responsible for quality reviews on design and code, software configuration management process, build engineering process, release engineering process, verification and validation throughout the life cycle and over all quality improvement across all areas of enterprise code manufacturing.
  
'''Topic: Business Logic Flaws'''
+
<br> '''Topic: ''' Securely Handling Sensitive Configuration Data.
  
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.
+
One of the age old problems with web applications was keeping sensitive data available on a need to know basis. The classic case of this is database credentials. The application needs them to connect to the database but developers shouldn't have direct access to the DB - particularly the production DB. The presentation will discuss how we took on this specific problem, our determination that this was a specific case of a more general problem and how we solved that general problem. In our solution, sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs). We will then cover our implementation of that solution in a .Net 2.0 environment and discuss some options for J2EE environments. So far, we used our .Net solution successfully for database credentials and private encryption keys used in XML-DSig. Sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs).  
  
This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.
+
'''Where:''' National Instruments, 11500 N Mopac, Building C
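Review bot: the added abstract states "sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs)" twice, once mid-paragraph and again as its closing sentence; drop the closing repeat. Joining the wrapped lines of A.J.'s bio also left "Texas Education Agency As an ASQ Certified Software Quality Engineer" with no break between the title line and the first sentence, so add a period or a line break there.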
  
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
----
  
 +
'''When:''' May 27th, 2008, 11:30am - 1:00pm
  
'''November 27th, 2007 Austin OWASP chapter meeting''' - Robert Hansen (SecTheory.com, ha.ckers.org and is regarded an expert in Web Application Security)
+
'''Who:''' Nathan Sportsman and Praveen Kalamegham, Web Services Security  
  
Robert will be talking about different ways to de-anonymize  and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.
+
'''Topic: '''Web Services Security The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers. However, the power web services enables also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status. Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.  
  
Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist.
+
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  
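Review bot: the added "Topic:" line runs the title straight into the abstract ("Web Services Security The concept of web services ..."), where the previous revision kept them on separate lines; put the abstract in its own paragraph. The "Who:" line also ends with ", Web Services Security", which reads as the speakers' affiliation rather than the talk title.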
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].
 
  
 
----
 
----
  
'''October 2007 Austin OWASP chapter meeting ''' October 30th, 11:30am - 1:00pm at National Instruments
+
'''When:''' April 29th, 2008, 11:30am - 1:00pm  
"Social networking" - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? by Rich Vázquez, and Tom Brown.  
+
 
 +
'''Who:''' Mano Paul
 +
 
 +
Bio Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President &amp; CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive. He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training &amp; Education.
 +
 
 +
'''What:''' Security – The Road Less Travelled
 +
 
 +
Abstract - What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowed poet, Robert Frost ends by with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side. Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.  
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C
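Review bot: the merged abstract carries over "an naked motorist", "renowed poet" and "ends by with the statement" from the previous revision, and joining its three paragraphs dropped the breaks after "and more …" and after "on both the IT and Business side." The "Bio" and "Abstract -" labels are now fused to their first sentences; bold them like the other field labels or give each its own line.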
  
 
----
 
----
  
'''September 2007 Austin OWASP Chapter September 2007 ''' - Tue, September 25, 2007 11:30 AM – 1:00 PM at Whole Foods Meeting 550 Bowie Street, Austin
+
'''When:''' March 25th, 2008, 11:30am - 1:00pm
"Biting the hand that feeds you" - A presentation on hosting malicious content under well know domains to gain a victims confidence.
+
 
"Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking.  
+
'''Who:''' Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax
"Cover Debugging - Circumventing Software Armoring techniques" - A presentation on advanced techniques automating and analyzing malicious code.  
+
 
 +
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
 +
 
 +
'''Topic: '''Static Analysis Techniques for Testing Application Security
 +
 
 +
Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.  
 +
 
 +
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  
  
 
----
 
----
  
'''August 2007 Austin OWASP chapter meeting''' - '''8/28,''' 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.
+
'''When:'''February 26th, 2008 - Michael Howard, Author of Writing Secure Code
 +
 
 +
'''Topic: '''Microsoft's SDL: A Deep Dive
 +
 
 +
In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].  
 +
 
 +
<br> January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown
  
 +
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.
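Review bot: the February 26th entry puts the speaker in the "When:" field ("February 26th, 2008 - Michael Howard, Author of Writing Secure Code") and has no "Who:" line or meeting time, unlike the entries around it. The January 29th entry below it has no field labels or topic at all; bring both into the When/Who/Topic/Where layout used by the rest of the list.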
 +
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 
----
 
----
  
'''July 2007 Austin OWASP chapter meeting''' - '''7/31,''' 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery
+
==2007==
 +
----
 +
 
 +
'''When:''' December 4th, 2007, 11:30am - 1:00pm
 +
 
 +
'''Who:''' Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)
 +
 
 +
'''Topic: Business Logic Flaws'''  
 +
 
 +
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.
 +
 
 +
This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.
 +
 
 +
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
 +
 
 +
<br> '''November 27th, 2007 Austin OWASP chapter meeting''' - Robert Hansen (SecTheory.com, ha.ckers.org and is regarded an expert in Web Application Security)
 +
 
 +
Robert will be talking about different ways to de-anonymize and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.
 +
 
 +
Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].  
  
 
----
 
----
  
'''June 2007 Austin OWASP chapter meeting''' - 6/26, 11:30am - 1:00pm at National Instruments.
+
'''October 2007 Austin OWASP chapter meeting ''' October 30th, 11:30am - 1:00pm at National Instruments "Social networking" - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? by Rich Vázquez, and Tom Brown.  
[http://www.stokescigar.com James Wickett] from Stokes [http://www.stokescigar.com Cigar] Club presented on OWASP Top 10 and using Web Application Scannners to detect Vulnerabilities.
 
  
 
----
 
----
  
'''May 2007 Austin OWASP chapter meeting''' - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.  
+
'''September 2007 Austin OWASP Chapter September 2007 ''' - Tue, September 25, 2007 11:30 AM – 1:00 PM at Whole Foods Meeting 550 Bowie Street, Austin "Biting the hand that feeds you" - A presentation on hosting malicious content under well know domains to gain a victims confidence. "Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking. "Cover Debugging - Circumventing Software Armoring techniques" - A presentation on advanced techniques automating and analyzing malicious code.  
  
 
----
 
----
  
'''April 2007 Austin OWASP chapter meeting''' - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of MetaSploit will be presenting)
+
'''August 2007 Austin OWASP chapter meeting''' - '''8/28,''' 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.  
 +
 
 +
[https://www.owasp.org/images/d/db/The_OWASP_Testing_Framework_Presentation.ppt OWASP Testing Framework]
  
 
----
 
----
  
'''March 2007 Austin OWASP chapter meeting''' - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
+
'''July 2007 Austin OWASP chapter meeting''' - '''7/31,''' 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery
  
 
----
 
----
  
[[January 2007 Austin Chapter Meeting]] - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.
+
'''June 2007 Austin OWASP chapter meeting''' - 6/26, 11:30am - 1:00pm at National Instruments. [http://www.stokescigar.com James Wickett] from Stokes [http://www.stokescigar.com Cigar] Club presented on OWASP Top 10 and using Web Application Scannners to detect Vulnerabilities.  
  
 
----
 
----
  
<b>December Meeting</b> - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!
+
'''May 2007 Austin OWASP chapter meeting''' - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.  
  
 
----
 
----
  
[[November 2006 Austin Chapter Meeting]] - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.
+
'''April 2007 Austin OWASP chapter meeting''' - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of MetaSploit will be presenting)
  
 
----
 
----
  
[[October 2006 Austin Chapter Meeting]] - 10/31 - Boo!
+
'''March 2007 Austin OWASP chapter meeting''' - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].
  
 
----
 
----
  
[[September 2006 Austin Chapter Meeting]] - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White
+
[[January 2007 Austin Chapter Meeting]] - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.
  
 +
[[#Listing of Past Meetings and Events|Back to Top]]
 
----
 
----
  
[[August 2006 Austin Chapter Meeting]] - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments]. ''Hint:'' It is on your left on Mopac if you were heading up to Fry's from Austin.
+
==2006==
 +
----
 +
'''December Meeting''' - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!
  
 
----
 
----
  
'''Austin OWASP chapter kickoff meeting''' - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)
+
[[November 2006 Austin Chapter Meeting]] - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.
 +
 
 +
----
  
==== Presentation Archives ====
+
[[October 2006 Austin Chapter Meeting]] - 10/31 - Boo!
  
The following presentations have been given at local chapter meetings:
+
----
  
* OWASP ROI: Optimize Security Spending using OWASP  Austin OWASP Chapter September 2009 [http://www.owasp.org/images/d/d6/Austin_Chapter_OWASP_ROI-mtesauro.pdf Matt Tesauro Presentation]
+
[[September 2006 Austin Chapter Meeting]] - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White
  
* Threat Modeling August 2009 [http://www.owasp.org/images/9/97/TM.pptx Michael Howard Presentation]
+
----
  
* Architecting a Secure Web System  Austin OWASP Chapter April 2009 [http://www.owasp.org/images/8/8b/OWASP_-_Architecting_Secure_Web_Systems.pptx Josh Sokol Presentation]
+
[[August 2006 Austin Chapter Meeting]] - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments]. ''Hint:'' It is on your left on Mopac if you were heading up to Fry's from Austin.
  
* Using Proxies to Secure Applications and More  Austin OWASP Chapter October 2008 [https://www.owasp.org/images/f/ff/Using_Proxies_to_secure_applications_and_more.pptx Josh Sokol Presentation]
+
----
  
* OWASP Testing Framework  Austin OWASP Chapter August 2007 [https://www.owasp.org/images/d/db/The_OWASP_Testing_Framework_Presentation.ppt Josh Sokol Presentation]
+
'''Austin OWASP chapter kickoff meeting''' - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)
  
* Single Sign On (7/27)
+
[[#Listing of Past Meetings and Events|Back to Top]]
  
* [http://www.threatmind.net/papers/franz-basic-j2ee-tools-owasp-austin.pdf A Rough Start of a Toolset for Assessing Java/J2EE Web Apps] (7/27) - [[MattFranz]] discussed some custom Python tools he has been writing for conducting security testing of a Struts (and other Java) web applications.
+
=Chapter Leadership=
  
* [http://www.owasp.org/index.php/Image:DenimGroup_AJAXSecurityHereWeGoAgain_Content_20060829.pdf AJAX Security: Here we go again] - Dan Cornell from [http://www.denimgroup.com/ Denim Group] discussed security issues in the one the popular Web 2.0 technlogy (8/29)
+
==Our Chapter Leadership==
  
==== Austin OWASP Whitepapers ====
+
{| class="wikitable"
* Whitepapers go here
+
|-
 +
! scope="col" style="width: 20%; font: bold;" |''' Chapter Leadership Board Member Role'''
 +
! scope="col" style="width: 50%;" |Responsibilities
 +
! scope="col" |Person(s)
 +
|-
 +
|Chapter Leader
 +
|The central point of contact for the Chapter and responsible to the OWASP Board. Serves as Chapter Leader and Chapter board chair.
 +
|Kyle Smith
 +
|-
 +
|Sponsor Coordinator
 +
|Serves as the primary liaison between the Chapter and all sponsors, and solicits sponsors for the Chapter meetings, happy hours, LASCON, and other events.
 +
|Tiana Chandler
 +
|-
 +
|Speaker Coordinator
 +
|Seeks and schedules speakers for monthly Chapter meetings, LASCON, and other events.
 +
|Kate Brew
 +
|-
 +
|Education Coordinator
 +
|Coordinates all of the Chapter-sponsored educational offerings, to include the weekly Study Group and LASCON training.
 +
|Matt Pardo
 +
|-
 +
|PR/Marketing Coordinator
 +
|Provides marketing of LASCON and other Chapter events.
 +
|
 +
Ryan Murphy
 +
|-
 +
|Membership and Project Coordinator
 +
|Coordinates activities to grow individual and corporate memberships. Acts as project manager for events, such as LASCON, tracking assigned tasks and reporting progress.
 +
|Paul "griff' Griffiths
 +
|-
 +
|Events Committee
 +
|All of the Chapter Leadership Coordinators are responsible for coordinating aspects of events, including the annual Lonestar Application Security Conference (LASCON). The Chapter Leader acts as the committee chair.
 +
|Chapter Leadership Coordinators
 +
|-
 +
|Finance
 +
|The Chapter Leader is designated as primary person responsible for Chapter budget and Chapter expense approvals. 
 +
The previous Chapter Leader is designated as secondary approver, who also will approve any expenses submitted by the Chapter Leader.
 +
|
 +
*Kyle Smith - Primary
 +
*Tiana Chandler - Secondary
 +
|-
 +
|Advisory Board Members
 +
|Made up of previous Chapter leaders who provide mentoring, coaching, and assistance to the board and contribute to the Chapter’s success.
 +
|
 +
*Tiana Chandler
 +
*Kyle Smith
 +
*David Hughes
 +
*James Wickett
 +
*Josh Sokol
 +
|}
  
 +
=Sponsorship Opportunities=
  
==== Austin OWASP Chapter Leaders ====
+
==Sponsorship Opportunities with our Chapter==
[mailto:[email protected] Josh Sokol, President] - (512) 683-5230
 
  
[mailto:wickett@gmail.com James Wickett, Vice President] - (512) 989-6808
+
The Austin OWASP Chapter can offer your company several sponsorship opportunities. If you are interested in taking advantage of any of these opportunities, please contact [mailto:tiana.chandler@owasp.org Tiana Chandler], the Austin OWASP Chapter President.
  
[mailto:[email protected] Rich Vazquez, Communications Chair] - (512) 989-6808
+
===Austin Security Professionals Happy Hour Sponsorship===
  
[mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair] - (512) 637-9824
+
The Austin OWASP Chapter organizes a monthly Austin Security Professionals Happy Hour event along with the Capitol of Texas ISSA Chapter. This event has historically drawn around 40 of Austin's finest security professionals for networking and more. Your sponsorship of this event includes appetizers and drinks for the attendees.  Feel free to pass out business cards and network just like you would anywhere else. You'll find no better opportunity to get your name in front of 40+ security professionals for around $750 - $1000.
  
==== Sponsorship Opportunities ====
+
===OWASP Meeting Lunch Sponsorship===
The Austin OWASP Chapter can offer your company three unique sponsorship opportunities.  If you are interested in taking advantage of any of these opportunities, please contact [mailto:[email protected] Josh Sokol], the Austin OWASP Chapter President.
 
  
'''Opportunity #1 - Austin Security Professionals Happy Hour Sponsorship'''
+
Our monthly Austin OWASP meetings are held during a person's typical lunch hours from 11:30 AM to 1:00 PM. For your sponsorship of around $750 we can arrange food and drinks for up to 60 attendees. In exchange for your sponsorship, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the lunch sponsor in all e-mail communications about the meeting.
  
The Austin OWASP Chapter organizes a monthly Austin Security Professionals Happy Hour event along with the Capitol of Texas ISSA Chapter.  This event has historically drawn around 30 of Austin's finest security professionals for networking and more.  Your sponsorship of this event includes appetizers and drinks for the attendees.  We typically do $100 in appetizers and $200 in drink tickets.  By using drink tickets, we ensure that our sponsors are able to interact with every attendee who wants a drink.  Feel free to pass out business cards and network just like you would anywhere else.  You'll find no better opportunity to get your name in front of 30+ security professionals for around $300.
+
===OWASP Meeting Presenter Sponsorship===
  
'''Opportunity #2 - OWASP Meeting Lunch Sponsorship'''
+
Although OWASP is a non-profit organization, we strive to provide our members with the best presenters we possibly can. While the Austin area has tons of security talent, sometimes it's worthwhile to reach beyond our borders to pull in more awesome presenters. In exchange for covering travel expenses for these presenters, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the presenter sponsor in all e-mail communications about the meeting.
  
Our monthly Austin OWASP meetings are held during a person's typical lunch hours from 11:30 AM to 1:00 PM.  For your sponsorship of around $250 we can arrange food and drinks for up to 50 attendees.  In exchange for your sponsorship, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers.  You'll also receive mention of being the lunch sponsor in all e-mail communications about the meeting.
+
===Lonestar Application Security Conference (LASCON) Sponsorship===
  
'''Opportunity #3 - OWASP Meeting Presenter Sponsorship'''
+
The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
  
Although OWASP is a non-profit organization, we strive to provide our members with the best presenters we possibly can.  While the Austin area has tons of security talent, sometimes it's worthwhile to reach beyond our borders to pull in more awesome presenters.  In exchange for covering travel expenses for these presenters, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers.  You'll also receive mention of being the presenter sponsor in all e-mail communications about the meeting.
+
Being a non-profit organization, we rely mostly on sponsorships to help us provide the funding to make LASCON successful.
  
The Austin OWASP Chapter would like to thank [http://www.whitehatsec.com WhiteHat Security] and [http://www.expandingsecurity.com Expanding Security] for their sponsorships during the past year.
+
[https://lascon.org/become-a-sponsor/ Become a LASCON Sponsor]
  
==== Local News ====
+
__NOTOC__ <headertabs></headertabs>
  
''If a link is available, click for more details on directions, speakers, etc. You can also review [http://lists.owasp.org/pipermail/owasp-austin/ Email Archives] to see what folks have been talking about''
+
{{PutInCategory}}
<paypal>Austin</paypal>
+
  
__NOTOC__
+
[[Category:United States]]
<headertabs/>
 
[[Category:Texas]]
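
Review bot: the added "Sponsorship Opportunities with our Chapter" paragraph directs sponsors to Tiana Chandler as "the Austin OWASP Chapter President", but the leadership table added in this same revision lists Kyle Smith as Chapter Leader and Tiana Chandler as Sponsor Coordinator. Suggest changing the title to "Sponsor Coordinator" so the two sections agree. Two smaller points in the added lines: Paul "griff' Griffiths in the leadership table has mismatched quotes, and the happy hour paragraph spells the partner chapter "Capitol of Texas ISSA" where the rest of the page uses "Capital".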
 

Latest revision as of 23:17, 12 January 2020

OWASP Austin

Welcome to the Austin chapter homepage. The chapter leadership includes: Kyle Smith, Chapter Leader (see Chapter Leadership for full listing of Austin Chapter leadership team).
Join OWASP Austin mailing list to receive notifications of local events.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now



Listing of Upcoming Events

Austin Chapter Meeting, January 28, 2020

When: Tuesday, January 28th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: OWASP Austin CryptoParty!
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Please contact [email protected] to be added to the list!
Speaker: Josh Sokol and others

RSVP: https://owasp-austin-2020-january.eventbrite.com

Austin Security Professionals Happy Hour sponsored by Sonatype and NowSecure, February 13, 2020

When: Thursday, February 13th, 5:30 pm - 7:30 pm

Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758 (across from the iPic Theaters). We meet in the separate room inside the bar, to the left as you enter. Parking: Park in either of the parking garages to the left or right of iPic (map of Domain).

What: The Austin Security Professionals Happy Hour is a monthly event coordinated by the Austin OWASP and Capital of Texas ISSA Chapters and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation.

Sponsor: Sonatype and NowSecure

Our Study Groups

OWASP Austin Study Group

The OWASP Austin Study Group is intended to provide an organized gathering of like-minded IT professionals who want to learn more about application security. This is done through mini-discussions, demos, presentations, and series of meetings to cover more involved topics (i.e. book topics). Generally the topics will be participant-led, meaning that attendees will volunteer their time to present or lead a discussion, whether a one-time presentation of a topic they wish to review or need help with, or walk through topics of a particular chapter of a book being covered. There will still be OWASP leadership involved with scheduling and such, but the idea is to get a better “hands-on” approach to create a more productive learning environment. We learn more when we are involved.


Windows PowerShell

The study group is currently doing CTFs and other online events.

Additional Information: If you have any questions related to the study group, please contact the Education Coordinator, Matt Pardo, matt (dot) pardo (at) owasp (dot) org.


Previous Study Group Topics

  • "Certified Cloud Security Professional (CCSP)" study using the CSP Certified Cloud Security Professional All-in-One Exam Guide (1st Edition) book (Slack #cloud_security_study)
  • "Certified Ethical Hacker" book
  • "Visible Ops Security" book by Gene Kim
  • "Metasploit: The Penetration Tester’s Guide" book by David Kennedy
  • "Wireshark 101: Essential Skills for Network Analysis" book by Laura Chappell and Gerald Combs
  • “Web Application Defender's Cookbook: Battling Hackers and Protecting Users” book by Ryan C. Barnett and Jeremiah Grossman
  • “The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws” book by Dafydd Stuttard and Marcus Pinto
  • "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" book (using Security Onion) by Richard Bejtlich
  • "The Browser Hacker's Handbook" book by Wade Alcorn, Christian Frichot, and Michele Orru
  • "Snapshot - Reading and Treating People Right the First Time" book by Dan Korem

Listing of Past Meetings and Events

2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006


2020

Austin Security Professionals Happy Hour sponsored by Pure Storage, January 9, 2020

When: Thursday, January 9th, 5:30 pm - 7:30 pm

Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758 (across from the iPic Theaters). We meet in the separate room inside the bar, to the left as you enter. Parking: Park in either of the parking garages to the left or right of iPic (map of Domain).

What: The Austin Security Professionals Happy Hour is a monthly event coordinated by the Austin OWASP and Capital of Texas ISSA Chapters and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation.

Sponsor: Pure Storage
Here at Pure Storage, we know security isn’t a single-point solution that you buy and implement – it’s an ongoing effort that comprises people, processes, policies and technologies that work together to secure the enterprise. We help make that easier for you by integrating two fundamental features into our systems. First, we secure data at rest with Federal Information Processing Standards (FIPS) 140-2-certified Advanced Encryption Standard (AES) 256. The management of these encryption keys is completely self-contained and requires no external manipulation. Even more importantly, the encryption process is in-line with the data processing, and has no impact to performance. Second, we monitor access and functions based on specific account privileges (RBAC), restrict external connections to the system and require complex passwords. All of this has been certified using the most stringent government guidelines, and resulted in our National Information Assurance Partnership (NIAP) Common Criteria Certification. Pure Storage will have a drawing for a $100 gift card ... must be present to win.

2019


LASCON X

When: Tuesday & Wednesday, October 22-23, 2019 (Pre-Conference Training), Thursday & Friday, October 24-25, 2019 (Conference Sessions)

Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

We had a great time celebrating our 10th year anniversary of LASCON. Many thanks to those who attended!

Schedule

Videos of presentations (to be made available soon)

OWASP Austin Chapter Meeting, September 24, 2019

When: Tuesday, September 24th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices

OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each scoped to the type of client obtaining authorization and the type or types of resource owners that must grant access. Diverging from these defined scopes can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.

Speaker: Pak Foley

Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular, he has spent much of his time seeking out and mitigating vulnerabilities from misimplemented OAuth solutions and contributed to the open source Rails OAuth provider, Doorkeeper. His passion for securing web applications has prompted his recent move from IAM to security.

Zoom Video

Austin Security Professionals Happy Hour sponsored by Synack, September 12, 2019

When: Thursday, September 12th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: Synack

OWASP Austin Chapter Meeting, August 27, 2019

When: Tuesday, August 27th @ 11:45 AM - 1:00 PM

Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin TX 78757

Title: A Standards-Based Approach to Assessing Your Organization's Cybersecurity Maturity

We were tasked with creating a roadmap for the National Instruments Information Security Program. While we had previously used a Gartner Maturity Model to figure out how far along our organization was, we found their recommendations to be too high level to define an actionable roadmap. After some discussion, we determined that we could use the NIST Cybersecurity Framework to not only assess our maturity, but also define risk in our environment, and create a roadmap. This talk will not only show you how we did it, but how you can do it too!

Speaker: Josh Sokol and Alex Polimeni

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPS Can Byte Me” talk at Black Hat 2010, and recently completed a four-year term serving on the OWASP Global Board of Directors.
Alex Polimeni runs the IT Compliance program at National Instruments. He gave his first security talk at BSides Austin in 2019 and is excited about sharing his experience with the OWASP crowd. He is a former boxer and once got stuck in a cave.

Zoom Video

OWASP Austin Chapter Meeting, July 30, 2019

When: Tuesday, July 30th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Data Loss Prevention

Data is being produced and consumed at an exponentially increasing rate by organizations and individuals. Can firewalls truly prevent the loss, misuse, or unauthorized access of sensitive data? What are the standard methods for Data Loss Prevention? Who needs them? Are there any methods overlooked or underutilized? Why should a DLP strategy be the top priority for the organization?

Speaker: Shirish Patil

Shirish Patil has over 20 years of experience leading and implementing enterprise data management and architecture solutions for public and private sector organizations. His focus has been on enterprise-wide information and data management strategy, data architecture, data governance, data quality, data modeling, database performance and business intelligence capabilities. Shirish is based in Austin, Texas, has vast experience in IT and management consulting, and has been leveraging data, technologies and common sense to create strategies and solutions that achieve organizational goals for clients. Shirish is a consulting Lead Enterprise Data Architect in the Advanced Digital Technology and Analytics group at Grant Thornton in Austin, TX, defining their Enterprise Information and Data Management Strategy for the short term and long term. As a Lead Enterprise Data Architect at Sitek Inc., an IT consulting and services firm, Shirish has designed and architected several data-centric solutions for the Texas Health and Human Services Commission (HHSC) and Duke Energy. The solutions were wide-ranging, from basic database designs to laying the foundation for application scalability to enterprise-wide data initiatives and strategy for one of the largest Integrated Eligibility applications in the United States. Prior to engaging with Sitek Inc., Shirish consulted for Verizon Wireless and Deloitte. Before his time with these organizations, Shirish worked for European analytics and regulatory reporting firm FRSGlobal and major US lending company Mortgage Cadence through their partner firms. Shirish developed and managed regulatory reports, database platform migration and enhanced performance of the database design for these organizations and was recognized for his leadership and ability to execute with innovative approaches to database management. Shirish has presented at many international conferences as a keynote speaker on data management and data security topics.
He currently serves on the editorial board and technical program committee of, and as a reviewer for, several international journals and conferences on Databases and Data Mining, Database Management Systems, Computer Science, Cyber Security, Information Technology and Software Engineering.

Zoom Video

Austin Security Professionals Happy Hour sponsored by Contrast Security, July 11, 2019

When: Thursday, July 11th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759.

Sponsor: Contrast Security

OWASP Austin Chapter Meeting, June 25, 2019

When: Tuesday, June 25th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Passwords are Secure

Do passwords really work? Can they? What are the alternatives? This talk will be a conversation about alternatives, and an open interchange of ideas. Everyone knows passwords are very difficult for users to deal with.

Speaker: Dovell Bonnett – “The Password Guy”

Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has led him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is an Identity Management solution that combines Multi-Factor Authentication and enterprise password management. Power LogOn is used by corporations, hospitals, educational institutions, police departments, government agencies, and more around the world.
Dovell is a frequent speaker and sought-after consultant on the topic of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity and his new social media column is the Guardians of the Gateway.

Zoom Video

OWASP Austin Chapter Meeting, May 28, 2019

When: Tuesday, May 28th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Schrodinger's SOC - The Human Element of Information Security

People are what drive security; elements of that include salary, innovation, mission, education and peace of mind. Security as a career field is exhausting, even straining; leaders in these spaces need to ask and listen to their practitioners. Anecdotally: I've witnessed security organizations ignored, however praised by leadership for their work. Thus, does the security operation exist? Or is it too much of a cost center? How can leaders utilize their security assets for organizational and personnel growth? How can the security worker look towards a better work/life balance?

Speaker: Ricky Banda

Security professional with 8 years of experience in the field, 12 IT/Security certifications, 25 years old. Professional career began as a DoD intern for the 24th Air Force at age 17, due to success with the Cyber Patriot program. Recognized by the state of Texas, and outspoken volunteer for public education cybersecurity initiatives. Specialty in incident handling, security architecture, and forensic analysis.

Zoom Video

Austin Security Professionals Happy Hour sponsored by Qualys, May 9, 2019

When: Thursday, May 9th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: Qualys

OWASP Austin Chapter Meeting, April 30, 2019

When: Tuesday, April 30th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Securing AWS: A Real-World Case Study

Using a cloud-first, governance-driven approach to reduce and mitigate the risks of managing privileged access and identities in an AWS environment, we’ll review a real-world example of how a Fortune 500 company performs:
  • Management of privileged access to AWS workloads
  • Real-time monitoring and enforcement of baseline security policies on their AWS infrastructure
  • Access visibility of federated identities to AWS Objects on a periodic basis with continuous compliance controls
  • Periodic certification process for critical resources hosted in their AWS ecosystem to ensure only authorized individuals have access to their AWS ecosystem
  • AWS Role lifecycle management and governance

Speaker: Diana Volere

Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to help them derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work she loves travel, gastronomy, sci-fi, and most other activities associated with being a geek.

Zoom Video

OWASP Austin Chapter Meeting, March 26, 2019

When: Tuesday, March 26th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Browser Hardening, Personal Security and Privacy Measures

In this day and age, it is becoming increasingly difficult to stay secure and private online. In this talk, we will show you how to harden your browser, along with a set of best practices aimed at improving one's security and privacy.

Speaker: Héctor Quartino

Héctor is the manager of the Product Security Engineering team at Oracle+NetSuite. He has been a software developer for more than 15 years in multiple technologies (Java, .NET and Web).

OWASP Austin Chapter Meeting, February 26, 2019

When: Tuesday, February 26th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Angular for AppSec Professionals

One of the most popular web frameworks is Angular. While you don't need to become an expert in new JavaScript frameworks to be able to conduct successful assessments of Angular applications, knowing the fundamentals and building blocks of that framework can definitely give you an advantage during the initial phases of an application security assessment. This talk aims to introduce application security professionals to the basics of AngularJS and Angular applications from a security standpoint. We will also demonstrate how to dynamically debug Angular code from the browser console. This allows us to change the behavior of an application by manipulating Angular components. With that knowledge in hand, we can start conducting a more in-depth analysis of Angular-based applications.

Speaker: Alex Useche

Alex is an Application Security Consultant at nVisium and has over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked with and architected mobile and web applications in a wide range of languages and frameworks, including Angular, .NET and Django. While his expertise is in application security, Alex also has experience conducting penetration tests of internal and external networks. In his previous position, Alex led several projects aimed at building secure coding and DevOps processes for a mid-sized consultancy agency, as well as automating security analysis tasks. Alex has a Bachelors in Information Technology and a Masters in Software Engineering. He has also conducted and published research on artificial intelligence technologies. Alex is actively working on developing security tools written in Go and participating in various bug bounties.

Austin Security Professionals Happy Hour sponsored by Secure | Austin, February 7, 2019

When: Thursday, February 7th, 6:00 pm - 8:30 pm

Where: 77º Rooftop Bar, 11500 E Rock Rose Ave, Austin, TX 78758

Sponsor: Secure | Austin.

OWASP Austin Chapter Meeting, January 29, 2019

When: Tuesday, January 29th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: OWASP Austin CryptoParty!

  • Introduction (Josh Sokol)
  • Phone as Security: the trifecta of Signal, Password Manager, and MFA (Dan Ehrlich)
  • Hardware Security Keys (Ryan Breed)
  • You are the captain of your Data (Shirish Patil)


2018


LASCON 2018

When: Tuesday & Wednesday, October 23-24, 2018 (Training Days), Thursday & Friday, October 25-26, 2018 (Conference Sessions)

Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas, which more Fortune 500 companies call home than any other state, and in Austin, which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.

Presentations and other information

OWASP Austin Chapter Meeting, September 25, 2018

When: Tuesday, September 25th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Scaling Your Cyber Security Threat Modeling

There are two schools of thought around threat modeling. One school advocates the creation of attack trees and data flow diagrams. This requires extensive, cross-functional, security skills and is not a scalable approach. The other school encourages organic insertion of defenses based only on current context without “boiling the ocean”. This lack of systems thinking leaves applications vulnerable as exploits in a weaker component can open the door to critical systems.

Part of the problem is threat modeling today is largely an art. We need to inject more science in this domain and derive a repeatable and auditable approach that maps to risk. Such a model should abstract away the non-scalable elements and still provide a high degree of assurance in today’s faster velocity business context.

This presentation will outline a threat modeling framework that abstracts traditional methods into systems, data, and people components. You will come away with an approach that takes away some of the scalability problems of traditional threat modeling, yet provides sufficient rigor and systems thinking to help manage risk.

Speaker: Pranoy De - Software Engineer

Pranoy currently works as a backend developer at Security Compass, helping to develop industry-leading application security products. Over the years, Pranoy has taken on a variety of roles, which included working as a software consultant, working as a network engineer, and writing software for the VFX industry. As a network engineer, Pranoy has primarily spent his time developing and conducting planned DDoS attacks for companies testing their defenses. This was his first position in the world of cybersecurity, and it eventually led to his current role in application security.

Vimeo

Austin Security Professionals Happy Hour, September 13, 2018 sponsored by LOG-MD

When: Thursday, September 13th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: Thanks to our last-minute sponsor, Michael Gough with LOG-MD.

OWASP Austin Chapter Meeting, August 28, 2018

When: Tuesday, August 28th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Deploying a Secure NodeJS app with Docker and Kubernetes

Learn how to secure a NodeJS application from development to production. We will walk you through best practices of developing a NodeJS application with Docker and deploying it with Kubernetes while building security into each step of the process.

Speaker: Brett Stewart

Brett Stewart is Co-Founder and CTO of truFable. He has been a leader in the startup scene, previously serving as the lead software architect and advisor to CrowdFunder.com. Brett has consulted for some of the top brands in the tech and media industry and has spoken at several DevOps and security events. He works with organizations such as WeWork and Bunker Labs, assisting Veterans looking to take their tech startups to the next level.

Vimeo

OWASP Austin Chapter Meeting, July 31, 2018

When: Tuesday, July 31st @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Introduction to Electron Security

Electron allows developers to build cross platform desktop apps with JavaScript, HTML, and CSS. Electron is a framework for creating native applications with web technologies. More and more companies such as Slack, Microsoft, and Docker have adopted Electron for desktop applications. This talk will go over the basics and the security implications.

Speaker: Marcus J. Carey

Marcus J. Carey is the founder and CEO of Threatcare. He is a hacker who helps organizations build, measure, and maintain cybersecurity programs. Marcus started his technology voyage in U.S. Navy Cryptology and working at the National Security Agency (NSA).

Vimeo

Austin Security Professionals Happy Hour, July 12, 2018 sponsored by Rapid7

When: Thursday, July 12th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: Rapid7

OWASP Austin Chapter Meeting, June 26, 2018

When: Tuesday, June 26th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: The State of DevSecOps

Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?

Speakers: Ernest Mueller and James Wickett

Vimeo

Austin Security Professionals Happy Hour sponsored by SecureWorks, June 14, 2018

When: Thursday, June 14th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: SecureWorks

OWASP Austin Chapter Meeting, May 29, 2018

When: Tuesday, May 29th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Trust: Designing Privacy, Consent, & Security into Your Products

Most software today collects and tracks as much data as possible with no concern for privacy or user consent. Consumers and regulations are starting to demand change. It's time to focus on building trust with our users. Our products should collect only what data is necessary, should always receive consent before collecting data, and should have proper security in place to protect collected data.

Speaker: Taylor McCaslin

Taylor McCaslin is a multi-disciplinary technologist and Product Manager living in Austin, Texas. He currently works as a Mobile Product Manager at Duo Security. Taylor is an advocate and defender of privacy, consent, and inclusion.

Taylor graduated from The University of Texas at Austin, where he studied business, theatre, computer science, and digital art & media. For the past 6 years, he’s worked at enterprise-scale, hyper-growth technology companies including WP Engine, Indeed.com, and Bazaarvoice. Taylor also enjoys volunteering with local human rights and LGBTQ organizations around central Texas.

https://www.taylormccaslin.com/
https://www.linkedin.com/in/taylormccaslin
https://twitter.com/digital_SaaS

Vimeo

Austin Security Professionals Happy Hour sponsored by DirectDefense, May 10, 2018

When: Thursday, May 10th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: DirectDefense

OWASP Austin Chapter Meeting, April 24, 2018

When: Tuesday, April 24th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Cloud Jacking

Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and a click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.

Speaker: Bryan McAninch

Vimeo

Austin Security Professionals Happy Hour sponsored by Cisco, April 12, 2018

When: Thursday, April 12th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: Cisco

OWASP Austin Chapter Meeting, March 27, 2018

When: Tuesday, March 27th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Cryptocurrencies - More than just bubbles, money and Dogecoins

Speaker: Arthur Kendrick

Vimeo

Austin Security Professionals Happy Hour sponsored by Critical Start and Mimecast, March 7, 2018

When: Wednesday, March 7th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Co-sponsors: Critical Start and Mimecast

OWASP Austin Chapter Meeting, February 27, 2018

When: Tuesday, February 27th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: DevSecOps Unplugged (Results from our latest research on DevSecOps)

There is a confluence of forces that disrupt the ability of organizations to implement DevSecOps effectively. We continue to increase our dependence on software but teams are still relatively immature in developing securely. Our systems continue to grow exponentially complex. With IoT starting to take off, there is no clear industry vision for securing these devices. Cybersecurity threats continue to rise. Even the most diligent teams find themselves subtly gaining technical debt because they are unable to do the job right.

This impact is felt across industries: telecommunications, financial, software development, transportation, and medical just to name a few. So what is our response as security professionals? We have software tools and databases like OWASP Top 10, CWE/CVE, SANS Top 25 and so on. But what we need is a set of patterns and anti-patterns on implementing DevSecOps.

Our talk will highlight what we’ve observed in conducting research from Tier 1 peer reviewed articles from 2016 to the present. We will present what seems to be emerging as a set of best practices as well as anti-patterns in DevSecOps.

Speaker: Altaz Valani

Vimeo

Austin Security Professionals Happy Hour sponsored by RSA, February 8, 2018

When: Thursday, February 8th, 5:00 pm - 7:00 pm

Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759

Sponsor: RSA

OWASP Austin Chapter Meeting, January 23, 2018

When: Tuesday, January 23rd @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: CryptoParty

In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear.
To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.

Speakers: Josh Sokol, Bankim Tejani, Dave Sanford, David Vas, Michael Marotta, and Nate Sanders

Vimeo

Presentation slides:


2017


LASCON 2017

When: Tuesday & Wednesday, October 24-25, 2017 (Training Days), Thursday & Friday, October 26-27, 2017 (Conference Sessions)

Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas, which more Fortune 500 companies call home than any other state, and in Austin, which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.

Presentations and other information

OWASP Austin Chapter Meeting, September 26, 2017

When: Tuesday, September 26th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: How to create Purple Team Exercises, using the Cyber Kill Chain and Extended CKC as a framework

Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team, with the ultimate goal of improving the organization’s overall security posture. You don’t necessarily need a ‘red team’; anyone can do it. This talk will show how to build and plan cyber exercises, using the Cyber Kill Chain and Extended Cyber Kill Chain as a framework.

Speaker: Haydn Johnson

Austin Security Professionals Happy Hour, September 14, 2017

When: Thursday, September 14th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758

Sponsor: Contrast Security

OWASP Austin Chapter Meeting, August 29, 2017

When: Tuesday, August 29th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs

You can ignore the Blockchain hype for identity solutions; it is superb marketing but suboptimal technology. You can also ignore biometrics for a spell. Instead, the real breakthroughs, especially in authentication, will be based on elegant math and crypto, e.g., Zero-Knowledge Proofs (ZKP). These have the added benefit of being privacy-preserving, and amenable to user control of identity attributes. ZKP has been identified as a category for many other solutions in the future, not just identity. Conceived at MIT in 1985 by Shafi Goldwasser, ZKP is still young. You will see it in many other contexts as appreciation and recognition evolves.

Speaker: Clare Nelson, CISSP, CIPP/E

Clare's focus combines security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of EU regulations including GDPR and PSD2.
Clare’s early technical background includes software development of encrypted TCP/IP variants for NSA. She has held leadership positions in product management, marketing, and technology for companies including EMC2, Dell, Novell, and TeaLeaf Technology (IBM).
Clare is a co-founder of the mentoring organization, C1ph3r_Qu33ns. She headed ClearMark Consulting for 14 years, and she is currently Director, Office of the CTO at AllClear ID. She has a B.S. in Mathematics from Tufts University, and is a lifelong fitness enthusiast.

Vimeo (apologies for the low audio)

Austin Security Professionals Happy Hour, August 10, 2017

When: Thursday, August 10th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758

Sponsor: Rapid7

OWASP Austin Chapter Meeting, July 25, 2017

When: Tuesday, July 25th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Frontline Web App Security

According to the Verizon DBIR (Data Breach Investigation Report) for 2016, web application attacks are the #1 source of data breaches. Web applications account for only 8 percent of overall reported incidents. However, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.
With those threats in mind, it has never been more important to ensure that companies have visibility into what is happening with their web apps. The most effective way to address application flaws and preemptively block unknown attacks is to have a close relationship with your web application firewall.
Static, signature-based blocking is not enough to address never-before-seen attacks. In this talk, we will walk through scenarios that we have observed, talk about coding practices that enable your web app to be secured, and describe the steps that are taken to defend against critical web application attacks.

Speakers: Paul Scott and Jason Payne

Paul Scott is an OWASP Houston chapter leader and the Manager of Alert Logic’s Web Application Security Team. Jason Payne ran the Alert Logic Global Security Operations Center for nearly a decade and is now engineering solutions to defend systems, networks, and applications on premises and in the cloud.

Vimeo

Austin Security Professionals Happy Hour, July 13, 2017

When: Thursday, July 13th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758

Sponsor: Technology Navigators

OWASP Austin Chapter Meeting, June 27, 2017

When: Tuesday, June 27th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Making Vulnerability Management Less Painful with OWASP DefectDojo

DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management with automation centered around templating, report generation, metrics, scanner consolidation, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to consolidate and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.

Speaker: Greg Anderson

Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. His recent work has focused on advanced security automation to get the most out of application security programs. Greg's previous work, which was featured at DEFCON, focused on unconventional attack vectors and how to maximize their impact while avoiding detection.

Greg is the creator of DefectDojo and was a Chapter Leader of OWASP San Antonio for two years.

Feel free to chat him up about anything and everything.

Vimeo

Austin Security Professionals Happy Hour, June 8, 2017

When: Thursday, June 8th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758

Sponsor: Cyberbit

OWASP Austin Chapter Meeting, May 30, 2017

When: Tuesday, May 30th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Annoying web app vulnerabilities: HTTP Request Smuggling, HTTP Response Splitting and Cross-Origin Resource Sharing Misconfigurations.

Part 1:

Abstract: HTTP Request Smuggling is an attack capable of bypassing security protections and "poisoning the well" for caching web proxies. In this talk we'll be discussing attack scenarios and their security implications.

Speaker: Gabriel has been actively involved in the security industry since 2007 and currently holds the position of security analyst at Rapid7.

Part 2:

Abstract: HTTP Response Splitting is a web application vulnerability that is often misunderstood, but can lead to a serious compromise. This talk will walk through the basics of Response Splitting, how an attack works, and what you can do to defend against it.

Speaker: Ben Columbus is a security analyst for Rapid7, who specializes in network and web application penetration testing. He has been working in security for the last eight years in various positions and was previously a penetration tester for the State of Texas.

Part 3:

Abstract: The talk will provide information about headers used for Cross-Origin Resource Sharing (CORS) and how servers use these headers to communicate access policy to browsers. The possible security implications of misconfigured CORS headers will be discussed.

Speaker: Jacob enjoys learning about security vulnerabilities and their usage in the real world.

Vimeo

Austin Security Professionals Happy Hour, May 3, 2017

When: Wednesday, May 3rd, 5:00 pm - 7:00 pm

Where: Mister Tramps Sports Pub and Cafe, 8565 Research Blvd, Austin TX 78758 (different location and date to coincide with BSides Austin)

Sponsor: Rapid7

OWASP Austin Chapter Meeting, April 25, 2017

When: Tuesday, April 25th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: The CISO Playbook

The era of CISO-as-dictator is at an end. Growing cybersecurity with the business can be tricky and requires security leaders to find ways to get to “yes” with the business. This session will cover solid tactics to lead successful change throughout your organization.

Speaker: John McLeod

John McLeod is the CISO at AlienVault, responsible for cyber security in the enterprise and their products. John is a former Air Force Special Agent with over 20 years of experience in information security including but not limited to criminal, counter-intelligence, fraud and computer crime investigations. Prior to joining AlienVault, he served as the Director of Information Security for National Oilwell Varco. His experience includes management roles for Halliburton, Mandiant, Guidance Software, and Mantech International. The US Intelligence community recognized him for his work in steganography. As a consultant, he responded to some of the highly publicized cyber-attacks, including: Moonlight Maze, Titan Rain, Night Dragon, TJX and Operation Aurora. He holds a B.S. in Information Systems Management from the University of Maryland University College, and an M.S. in Network Security from Capitol College in Maryland. Additionally, he is a Certified Information Systems Security Professional (CISSP).

Vimeo | Presentation Slides

Austin Security Professionals Happy Hour, April 6, 2017

When: Thursday, April 6th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Amazon

OWASP Austin Chapter Meeting, March 28, 2017

When: Tuesday, March 28th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: DevSecOps Lessons from Detroit to Deming

In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day. To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality. At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality vehicles, for less cost, at higher velocity. As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan.

The parallels between the auto industry of 35 years ago and software development practices in place today are remarkable. DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects including critical security vulnerabilities.

This session aimed to enlighten Security, DevOps, and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation also revealed findings from the 2017 DevSecOps Community survey where over 2,200 professionals shared their experiences blending DevOps and security practices together. Throughout the discussion, Derek shared lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.

Speaker: Derek E. Weeks

After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek became a huge advocate of applying proven supply chain management principles into AppSec practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevSecOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of the All Day DevOps conference and the lead researcher behind the annual State of the Software Supply Chain report.

Vimeo

Austin Security Professionals Happy Hour, March 9, 2017

When: Thursday, March 9th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Rapid7

OWASP Austin Chapter Meeting, February 28, 2017

When: Tuesday, February 28th @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Building and Breaking Password Reset Mechanisms

It happens to everyone: you forgot your password. Now you need to get back into your account and prove you are who you say, but without using your password as proof. How, then, can that be done securely? More interestingly, how can it be done insecurely? This talk will dissect a number of security vulnerabilities found in real-world password reset mechanisms, and discuss how password reset mechanisms should be built.

Speaker: Dan Crowley

Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.

Austin Security Professionals Happy Hour, February 9, 2017

When: Thursday, February 9th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Vectra Networks

OWASP Austin Chapter Meeting, January 31, 2017

When: Tuesday, January 31st @ 11:45 AM - 1:00 PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Random Number Generation - Lava Lamps, Clouds and the IoT

Random numbers are the basis of security for all cryptography, yet they are often taken for granted. Learn why random numbers are so hard to generate and validate, compare different technologies in use today across virtualized environments, and discuss operational steps to take the risk out of random numbers and help secure cryptosystems even into the era of quantum computers.

Speaker: Richard Moulds

Vimeo

Austin Security Professionals Happy Hour, January 12, 2017

When: Thursday, January 12th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsors: Bugcrowd and Rapid7


2016


OWASP Austin Chapter Meeting, September 27, 2016

When: Tuesday, September 27th @ 11:45 - 1PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Moving to the cloud

Moving to the cloud is unavoidable -- but it severely disrupts security ownership and your existing security processes.
David will discuss his experience moving Contrast to AWS, the steps being taken to ensure the stack stays secure, and the journey to become SOC2 Compliant.

Speaker: David Hafley

David Hafley has been building consumer and enterprise products for over ten years. He’s currently head of engineering operations for Contrast Security, where he lives for push-button deploys, building systems that help the engineering team become more productive, and uptime. Prior to Contrast Security, David held positions at MyEdu (acquired by Blackboard) and AOL. He has a degree in Computer Science from DePauw University in [tropical] Greencastle, IN.

Austin Security Professionals Happy Hour, September 8, 2016

When: Thursday, September 8th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Rapid7

OWASP Austin Chapter Meeting, August 30, 2016

When: Tuesday, August 30th @ 11:45 - 1PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Malicious PowerShell detection

Speaker: Peter Ewane

Peter is a security researcher at AlienVault and will be discussing malicious PowerShell detection.

Vimeo

Austin Security Professionals Happy Hour sponsored by Gemalto, August 11, 2016

When: Thursday, August 11th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Gemalto

OWASP Austin Chapter Meeting, July 26, 2016

When: Tuesday, July 26th @ 11:45 - 1PM

Where: National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759

Title: If I Knew Then What I Know Now: Building an InfoSec Program from Scratch

Congratulations! You’ve been working hard for years and your employer has finally seen your potential. You’ve now been promoted to being the only person responsible for starting and managing an Information Security Program for a $1B+/yr company. With nobody there to help you and a minuscule budget, where do you start? How do you determine where the issues lie and prioritize how to fix them? At what point do you grow your team and how do you justify it? This vendor-agnostic talk will cover what you need to know in order to build an efficient, cost-effective, and relevant security program for your company.

Speaker: Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPS Can Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

Vimeo

Austin Security Professionals Happy Hour sponsored by Technology Navigators, July 14, 2016

When: Thursday, July 14th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Technology Navigators

OWASP Austin Chapter Meeting, June 28, 2016

When: Tuesday, June 28th @ 11:45 - 1PM

Where: National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759

Title: Game of Hacks: Play, Hack & Track

Playing around with some ideas we found ourselves creating a hacker magnet. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne. Within 24 hours we had 35K players test their hacking skills...we weren't surprised when users started breaking the rules. Join us to:
  • Play GoH against the audience in real time and get your claim for fame
  • Understand how vulnerabilities were planted within Game of Hacks
  • See real attack techniques (some caught us off guard) and how we handled them
  • Learn how to avoid vulnerabilities in your code and how to go about designing a secure application
  • Hear what to watch out for on the ultra-popular node.js framework.

Speaker: Igor Matlin

Igor has over 19 years of technical experience in high-tech companies as a software engineer and technical lead. Prior to joining Checkmarx as our Senior Solutions Architect, Igor worked as a Technical Manager at Myriad, a leading mobile software company, and as a Software Engineer and Product Manager at Novarra, acquired by Nokia in 2010. Igor is an appreciated speaker at forums such as ISC2, BSides, and OWASP.

Igor studied at Belarusian State University of Informatics and Radioelectronics and received his B.Sc in Computer Science and Math from Christian Brothers University.

Vimeo

Austin Security Professionals Happy Hour sponsored by Ixia, June 9, 2016

When: Thursday, June 9th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Ixia

OWASP Austin Chapter Meeting, May 31, 2016

When: Tuesday, May 31st @ 11:45 - 1PM

Where: National Instruments, 11500 North Mopac Expressway, Building C, Austin, TX 78759

Title: The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration

There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.

This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.

Speaker: Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

Vimeo

Austin Security Professionals Happy Hour sponsored by Rapid7, May 12, 2016

When: Thursday, May 12th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Rapid7

OWASP Austin Chapter Meeting, April 26, 2016

When: Tuesday, April 26th @ 11:45 - 1PM

Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

Title: Data-Driven App Sec

New research into application security practices at over 100 companies will be presented, covering software security strategies and tactics as they are practiced in the wild, based on the new BSIMM6 dataset. Statistics will be balanced with war stories from the field to illustrate foundational principles of starting and sustaining programs, as well as “what not to do” gotchas that can kill an initiative in its tracks.

Speaker: Joel Scambray

Joel Scambray is a Principal at Cigital, a leading software security consulting firm established in 1992. He has helped Fortune 500-class organizations address information security challenges for over twenty years as a consultant, author and speaker, corporate leader, and entrepreneur. He is widely recognized as co-author of the Hacking Exposed book series, and has worked/consulted for companies including Microsoft, Foundstone, Amazon, Costco, Softcard, and Ernst & Young. In recognition of his work with Hacking Exposed, Joel received the ISSA President’s Award for Public Service in 2015.

Vimeo

Austin Security Professionals Happy Hour sponsored by Veracode, April 14, 2016

When: Thursday, April 14th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Veracode

Austin Security Professionals Happy Hour sponsored by Core Security, March 30, 2016

When: Wednesday, March 30th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Core Security

OWASP Austin Chapter Meeting, March 29, 2016

When: Tuesday, March 29th @ 11:45 - 1PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Lean Security

Moving fast is a business imperative that you can’t afford to be in opposition to. Lean, DevOps and Continuous Delivery philosophies hinge on the ability to move fast through collaboration, automation, and aligning with the flow of the organization. Security needs to be able to make the same transformation.

As a concrete example of applying these approaches to security, we will show how a platform automation approach to security increases transparency and visibility throughout the organization and pairs with the high-throughput philosophies of DevOps and Continuous Delivery, while working with the way the business functions and not against it.

From this session, you will:

  • Understand the Lean, Agile, and DevOps techniques emerging in organizations today
  • Be armed with organizational strategies for bridging devops and security
  • Apply Lean thinking to security operations.

Speaker: Ernest Mueller

Ernest Mueller is a 20-year IT veteran who has led a variety of teams designing, building and operating SaaS and Web products for companies large and small. Frequently, that has involved innovating Agile, DevOps, and cloud transformations to meet the needs of the modern marketplace. He writes about these topics at theagileadmin.com. Ernest is also active in advocating for the Austin technologist community, and organizes events like DevOpsDays Austin and user groups like CloudAustin. As Lean Systems Manager for AlienVault, he focuses on empowering the technical teams and creating a high velocity path to deliver value to customers. Ernest resides in Austin, TX with his daughter Aoife.

Vimeo

OWASP Austin Chapter Meeting, February 23, 2016

When: Tuesday, February 23rd @ 11:45 - 1PM

Where: National Instruments, 11500 N. Mopac, Building C

Title: Rugged DevOps Using Gauntlt

Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.

This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.

Three Takeaways: 

  1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
  2. Armed with tools and ideas for monitoring your operational and runtime security.
  3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

Bring a laptop (Mac or Linux) that you can install software on and a GitHub account.

Speaker: James Wickett (see bio at about.me/wickett)

Austin Security Professionals Happy Hour sponsored by Rapid7, February 18, 2016

When: Thursday, February 18th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Rapid7

OWASP Austin Chapter Meeting, January 26th

When: Tuesday, January 26th @ 11:45 - 1PM

Title: CryptoParty

In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear.

To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.

On Tuesday, January 26 at 11:45 AM, the Austin Chapter of the OWASP Foundation invites you to join us for our second annual CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes. The event will be held in Building C, Room 1S13, on the National Instruments campus (11500 N Mopac Expwy, Austin, TX 78759). Please RSVP at the link below and feel free to extend this invitation to others you feel may have a need for data privacy.

Speaker: Several -- Led by Josh Sokol

Austin Security Professionals Happy Hour sponsored by Bugcrowd, January 14th

When: Thursday, January 14th, 5:00 pm - 7:00 pm

Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).

Sponsor: Bugcrowd

An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 19,000 security researchers to surface critical software vulnerabilities. Bugcrowd provides a range of vulnerability disclosure and bug bounty programs that allow organizations to commission a customized security testing program that fits their needs.


2015


OWASP Austin Chapter Meeting, September 29th

When: Tuesday, September 29th @ 11:45 - 1PM

Title: Log Everything, even if it is just on local disks

Logs are as important as SQLi, XSS or Secure Coding! OWASP has a “Logging Cheat Sheet”, and there are the “Windows Logging Cheat Sheet”, “Windows PowerShell Logging Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and several others I created, but we still lack an understanding of logging when it comes to Application Security and DevOps.

Enabling and configuration of logs must become as basic and a standard practice as doing WebApp security scans, secure code reviews or secure webapp design, which should include application log design and implementation. You don’t need an expensive log management solution to do good application security or DevOps log configuration. What we need is to include all our Cheat Sheets into DevOps builds so enabling and configuration is baked in and to include a log design review as a part of our application secure reviews. So WHEN we need log data, it is there for us.

Speaker: Michael Gough

Michael is the founder of "Malware Archaeology" and has 20 years of experience in IT and Information Security and currently in the Healthcare sector. In the past Michael has been a consultant for HP and other consultancies, an analyst for the Financial sector, Health Care and State of Texas. Michael now focuses his talents as a Blue Team Defender, malwarian fighter and malware archeologist, protecting his employer from nefarious ne'er-do-wellers.

Michael also led BSides Texas with Michelle Klinger for 6 years and led the BSides Austin conference held in March. Michael discovered the WinNTI malware 10 months before Kaspersky released their report. He also discovered and exploited a major Card Key system flaw back in 2010 which can be found on YouTube.

Michael is a creator of the Malware Management Framework, a process to help discover malware on Windows based systems. Michael also developed the “Windows Logging Cheat Sheet” to provide a starting point on detailed logging for Windows hosts.

Michael's resources may be found on his website: MalwareArchaeology

Vimeo

Austin Security Professionals Happy Hour sponsored by Veracode, September 10th

When: Thursday, September 10th, 5-7PM

Where: Sherlocks Street Pub and Grill, 9012 Research Blvd

Sponsor: Veracode

Veracode’s cloud-based service and programmatic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 25+ of the world’s top 100 brands.

OWASP Austin Chapter Meeting, August 25th

Title: Eat Your Own Dogfood

As security professionals, we have made it our jobs to tell other people how to be secure. We preach security in everything from applications to systems to networks and more. We get more and more frustrated with each and every issue that we find and sometimes even angry when others aren't fixing things fast enough. But, with all of the berating that we do of others for their security downfalls, how many of us actually put in the time and effort to do things right ourselves? And what happens when those people who we are trying to teach see us not practicing what we preach? Security begins and ends with you. It's time to start eating your own dogfood.

Speaker: Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPS Can Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

Vimeo

Austin Security Professionals Happy Hour sponsored by Dell SecureWorks, August 13th

Where: Sherlocks Street Pub and Grill, 9012 Research Blvd

Sponsor: Dell SecureWorks

Dell SecureWorks focuses exclusively on information security services to protect thousands of customers around the world.

As a security service provider, we strive to be a world leader in everything related to information security; from firewall management services, combating advanced persistent threats to ensuring your PCI readiness for compliance. Our Global Headquarters located in Atlanta, GA is where a large amount of monitoring and research is performed while working in tandem with our other US, Europe and Japan offices. Many industries and IT security companies need assistance in maintaining or even building a new infrastructure for their information security and we have the expert security analysts to assist you along the way through consulting, audits, assessments, and tests.

OWASP Austin Chapter Meeting, July 28th

Title: The EMV Card Standard - What is it and How Does it Work?

Europay MasterCard Visa (EMV) is a global standard that introduces a microprocessor chip into all debit and credit cards. This chip will eventually replace the current magnetic strip on the back of credit cards as a means of mitigating credit card fraud. All U.S. merchants will be required to support EMV by October, 2015.

This new standard has been in use in Europe and Asia for many years and has proven to be an improvement over the mag stripe. However, there are new risks associated with the chip and the debate over the proper implementation of this new standard (e.g. the advantage of “chip-and-pin” vs. “chip-and-signature”) will continue for some time.

What is this new technology and how will it be used in transactions? The physical and logical security characteristics of this new standard will be presented, new risks will be addressed and security recommendations will be given.

Speaker: Larry Moore

Larry Moore has over sixteen years of Information Security experience as part of his thirty year IT career. Larry has worked on diverse areas of Information Security including architecture, secure software development, penetration testing, server administration, project manager and executive manager. Larry has served at the State of Texas in their critical infrastructure protection and in the technical and financial sector.

Larry graduated from the Florida Institute of Technology with a degree in Computer Science and began his work on various projects for NASA. His post-NASA work included applications, device drivers and kernel extensions on various operating systems such as OS/2, Windows and Unix variants. His work on the AIX security kernel included audit, single sign-on, PKI and a behavioral-based intrusion detection tool which was a precursor to his migration to the information security field. Larry recently served as the Chief Solution Security Officer for Gemalto’s North American region where he ensured the proper delivery of security requirements for the company’s trusted platforms and mobile payment solutions for large and small customers. Larry has also audited, designed or modified the security programs for three of the company’s large data centers across the globe to enable customer mobile payment processing.

Larry serves on the board at the Computer Science department at Parker University in Dallas and the Austin chapter of the International Systems and Security Association. Larry is also Vice-President and IT Sector Chief for the Austin chapter of Infragard and has given numerous presentations and written numerous articles on security architecture, threat intelligence and software development.

Austin Security Professionals Happy Hour sponsored by Technology Navigators, July 9th

Where: Sherlocks Street Pub and Grill, 9012 Research Blvd

We’re Technology Navigators.

Technology Navigators is a technical staffing firm, specialized in recruiting skilled individuals for project-oriented consulting and contract positions. We’ve been firmly rooted in the Austin technology community since 1999, and have been providing companies that develop, build, and use technology with the people they need to grow their business for over 15 years.

We’re Organically Grown and Operated.

Our mission is to build an extraordinary future for both people and business. We use a mix of innovative processes and old-fashioned ideas about people to build lasting relationships with our clients and candidates. We bring a dynamic, hands-on approach to every opportunity.

We Make Staffing Easy.

We most frequently recruit for positions in software, infrastructure, data management, ERP, CRM, support, and information security. Examples of the job titles included in these areas are:

  • Software Developers
  • Software Architects
  • Web Developers
  • Mobile Developers
  • Software Project Managers
  • Software Business Systems Analysts
  • Software Quality Assurance Testers
  • Network Engineers
  • Network Systems Administrators
  • Data Warehouse Architects
  • Desktop Engineers
  • Database Developers
  • Database Administrators
  • ETL Developers
  • Business Intelligence and Reporting
  • ERP Developers
  • ERP Administrators
  • CRM Developers
  • CRM Administrators
  • RF Test Engineers
  • Systems Engineers
  • Hardware Test Engineers
  • Information Security Professionals

- See more at: http://technologynavigators.com

OWASP Austin Chapter Meeting, June 30th

When: Tuesday, June 30th @ 11:45 - 1PM

Title: Authz is the new Authn: Trust Elevation with UMA and OpenID Connect

Increased trust in an online identity = increased mitigation of the risk of fraud. As an enterprise interacts with a person via the Internet, it may be prudent, for certain transactions, to have more evidence of that person’s identity. Web Access Management systems include some proprietary features to force “stepped-up authentication.” But luckily, new OAuth2 profiles like UMA and OpenID Connect offer a standards based approach to achieve inter-domain trust elevation. This session will include a high level overview of the Enterprise UMA use case and some of the useful OpenID Connect features that can be leveraged to create centralized authentication policies.

Speaker: Mike Schwartz

Mike has been an entrepreneur and identity specialist for over 18 years. He is the technical and business visionary behind Gluu, whose open source OX projects enable domains to centralize authentication and authorization using open standards like SAML and OAuth2. Mike is a domain expert in application security, directory services, and strong authentication. He has been a guest speaker at RSA Europe, Gartner Catalyst, EIC and other identity conferences.

[Prezi ]

Austin Security Professionals Happy Hour sponsored by Vectra Networks, June 11th

Where: Sherlocks Street Pub and Grill, 9012 Research Blvd

Vectra Networks™ is the leader in real-time detection of in-progress cyber attacks. The company’s advanced threat-detection solution continuously monitors internal network traffic to pinpoint cyber attacks as they happen. It then automatically correlates threats against hosts that are under attack and provides unique context about what attackers are doing so organizations can quickly prevent or mitigate loss. Vectra prioritizes attacks that pose the greatest business risk, enabling organizations to make rapid decisions on where to focus time and resources. In 2015, Gartner named Vectra a Cool Vendor in Security Intelligence for addressing the challenges of post-breach threat detection. Visit us at www.vectranetworks.com.

OWASP Austin Chapter Meeting, May 26th

When: Tuesday, May 26th @ 11:45 - 1PM

Title: Case Study: Key Takeaways from Indeed’s Crowdsourced Security Testing Program

State of the art security programs are turning to bug bounties to leverage a vast array of skill-sets and knowledge. Learn why these programs work, potential pitfalls, when to deploy them and when not to deploy them. The speaker will discuss real world examples from Indeed's Bug Bounty program and focus on cases where business logic flaws and high priority vulnerabilities were found ... even with existing security testing processes in place.

Attendees will learn:

  • Testing methods deployed by our crowd
  • Examples of the bugs found
  • Workflow and the crowd - Tips and Tricks
  • Trends on which vulnerability types are found most often and why
  • What is the ROI on the pay for performance model
  • Where does the SDLC merge into crowdsourced testing

Speaker: Charles Valentine, VP of Technology Services at Indeed.com

Charles leads global infrastructure operations and engineering, security, and IT strategy for the #1 job site worldwide. The Indeed.com infrastructure serves over 180 million monthly job seekers, from multiple data centers located around the globe, maintaining better than 99.999% availability and sub-second response times. Indeed is available in more than 50 countries and 28 languages, covering 94% of global GDP.

Austin Security Professionals Happy Hour sponsored by iSEC Partners, May 14th

Where: Sherlocks Street Pub and Grill, 9012 Research Blvd

iSEC Partners is an expert full-service information security firm.

Our security assessments leverage our extensive knowledge of current security vulnerabilities, penetration techniques and software development best practices to enable customers to secure their applications against ever-present threats on the Internet. Primary emphasis is placed upon helping software developers build safe, reliable code.

iSEC Partners also provides extensive research in many information security areas such as: application attack & defense, web services, operating system security, privacy, storage network security and malicious application analysis.

iSEC Partners has been part of information assurance company, NCC Group plc, since October 2010.

OWASP Austin March Chapter Meeting - April 28th

Title: Using OpenSAMM for Benchmarking and Software Security Improvement

We all know that behind every breach story in the press is an organization that probably should have done more to build secure software. Yet, organizations struggle mightily to focus resources on building software securely from the outset and, as a result, software security remains an after the fact “nice to do” and not a “have to do” activity in many organizations. How can organizations determine the right sets of activities or appropriate resource allocation levels that they should undertake to adequately address software risk? Organizations can make these determinations by benchmarking via OWASP’s Open Software Assurance Maturity Model (OpenSAMM) framework.

A coalition of leading application security industry vendors recently contributed benchmarking data in order to enhance OpenSAMM and its assessment framework. These efforts will enable organizations to step up their software security game and identify hurdles by using OpenSAMM as a powerful benchmarking tool. John will provide details on an ongoing industry effort to improve OpenSAMM by providing more comparative data to encourage broader use throughout industry.

Speaker: John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.

A former U.S. Air Force officer, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT). Since his transition to the commercial arena, he has played significant client-facing roles with companies such as Trident Data Systems, KPMG and SecureLogix Corporation.

Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at other international security conferences. He is a sought-after security expert and regularly contributes to Dark Reading and other security publications. He also regularly contributes to the Denim Group blog where he writes about key security industry issues such as software security and cyber security policy. A Distinguished Fellow of the International Systems Security Association, he has been a Certified Information Systems Security Professional (CISSP) since 1998.

Dickson is currently the Chairman of the San Antonio Chamber of Commerce Cyber Security Committee where economic development, workforce and advocacy issues involving San Antonio’s growing cyber security industry are coordinated. Dickson is also a member of the prestigious Texas Business Leadership Council, the only statewide CEO-based public policy organization that serves as a united voice for the state’s senior executives to participate in the legislative and regulatory process. Most recently, he was the past Chairman of the Texas Lyceum, a leadership group that prepares leaders for the State of Texas and served as Chairman of the North San Antonio Chamber of Commerce. He also served as the local President of the Information Systems Security Association and was an honorary commander of the 67th Cyber Space Wing which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation.

He holds a Bachelor of Science degree from Texas A&M University, a Master of Science degree from Trinity University and a Masters in Business Administration from the University of Texas in Austin. Dickson resides in San Antonio, Texas where he is married with two children.

Webcast: Vimeo

Austin Security Professionals Happy Hour sponsored by iSEC Partners, April 9th

Sponsor: iSEC Partners

OWASP Austin Chapter Meeting - March 31st

Title: Top 10 Web Hacking Techniques of 2014

Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges.

Speaker: Matt Johansen

Matt Johansen is a Senior Manager for the Threat Research Center at WhiteHat Security. He manages a team of Application Security Specialists, Engineers and Supervisors, to prevent website security attacks and protect companies' and their customers' data. He was previously a security consultant, where he was responsible for performing network and web application penetration tests. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.

Austin Security Professionals Happy Hour sponsored by Alert Logic, March 11th

Sponsor: Alert Logic

Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides security and compliance for cloud, hybrid, and on-premises data center infrastructure. Fully managed by a team of experts, Alert Logic’s Cloud Defender suite delivers the deep security insight and continuous protection needed to protect a company’s most sensitive data. Alert Logic provides network, system, and application protection for over 3,000 organizations worldwide. Built for cloud scale, the Alert Logic ActiveAnalytics platform manages over 5 petabytes of data, analyzes over 450 million events and identifies over 60,000 security incidents monthly that are managed by our security operations center.

OWASP Austin February Chapter Meeting - February 24th

Title: Static Analysis: Beyond the Basics

Static vulnerability analysis is the practice of testing non-running software for application vulnerabilities. It is often referred to as SAST, white box testing, or automated code review. In this session we will cover some of the hows and whys of static analysis and deep dive some of the common issues users of SAST technologies often encounter. Topics will include data flow analysis and taint propagation, scan noise, and partial code scanning, specifically around OWASP Top 10 issues. The material should provide value to anyone with an interest in application security, not just static analysis practitioners.

Speaker: Andy Earle

Andy Earle is a Security Solutions Architect for HP Enterprise Security Products (ESP). Andy has spent 5 years designing and delivering application security programs, technology, and services for US Federal and commercial customers, specifically around HP's Fortify appsec products. Andy was previously the product manager for a high assurance multi-level secure operating system at BAE Systems, and Presales Engineer for various web development and mobile security firms. Andy has spoken extensively on application security topics, most recently at OWASP's SnowFROC 2013, the RMISC conference, SANS AppSec 2013, and HP Protect. Early experience includes software engineering, mobile application development, and lifeguarding at his neighborhood pool. Andy is a CISSP and CSSLP, and has a B.S. in Systems Engineering from the University of Virginia.

Austin Security Professionals Happy Hour sponsored by Qualys, February 19th

Sponsor: Qualys

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud security and compliance solutions with over 6,700 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

Qualys WAS (Web Application Scanning) Winner of Information Security™ magazine and SearchSecurity.com Readers' Choice Award in the “Best of Application Security 2014” category. Qualys WAS is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure thousands of web sites.

Qualys WAF (Web Application Firewall) Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.

OWASP Austin January Chapter Meeting - January 27th

Title: CryptoParty!!!!!!

Abstract: In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.

In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.

At our January 27, 2015 OWASP Austin meeting, we will host our first ever CryptoParty with the goal of inviting others to join us in learning about the tools and technologies that enable an individual's right to privacy. We encourage you all to invite your family, friends, and peers to attend this event. Presentations will be laid out so that novice and experienced alike can take action based on the data presented. All tools presented will be free and open source. Our CryptoParty will end with the first-ever OWASP Austin Key Signing Party. Don't miss this meeting and be sure to invite your friends!

Speaker(s): Several amazing security professionals who like Crypto and want to Party with OWASP

Austin Security Professionals Happy Hour sponsored by FishNet Security, January 8th

Sponsor: FishNet Security


2014


LASCON 2014 - October 23rd and 24th

The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It started in 2010 when James Wickett (@wickett) and Josh Sokol (@joshsokol) along with the OWASP Austin crew put together an amazing 1-day conference with a speaker lineup of some of the who’s-who of the infosec and appsec world. In 2011, the conference grew to over 250 attendees and in 2012 the OWASP Austin crew hosted AppSec USA LASCON Edition–which has been heralded as the best security conferences ever by long-time infosec luminary Gene Kim.

LASCON 2014, run by David Hughes (@Dav1dHugh3s) and the OWASP Austin crew, will be run in the same tradition as previous LASCON conferences featuring the best speakers, a close-knit community atmosphere and even our signature happy hour replete with a mechanical bull. Year over year, LASCON has been a gathering of thought leaders, web developers, security engineers, mobile developers and information security professionals. LASCON 2014 will have 2 days of pre-conference training and 2 full days of conference across 4 rooms.

OWASP Austin September Chapter Meeting - September 30th

When: September 30th, 11:30AM to 1PM

Title: Account Entrapment

Abstract: This talk covers two ways to force a victim into an attacker's account (Account Entrapment): Login Cross-Site Request Forgery and Cookie-based or Session Entrapment. This is a commonly overlooked vulnerability despite high-profile exploits including Youtube.com. Because it is often disregarded, this talk begins with an in-depth look at attack scenarios and what an attacker can actually gain. It then describes how the two attacks work and how to defend against them. Finally, though these attacks are prevalent across the internet, it will show why state agencies (with domains ending in .state.**.us) and large organizations with many subdomains face special problems when building defenses against these attacks.

Speaker: Ben Broussard

About: Ben Broussard has been involved in the Austin Appsec scene since 2008, helping to plan the first LASCON and running the OWASP study group for a time. After doing subcontracting work for a number of security shops and gaining a breadth of experience on both the threatscape and the security organizations that attempt to address it, he took a position with San Antonio based Denim Group (now with an Austin office). When not researching appsec, Ben is a hobbyist in Human Physiology, Acrobatics, Human Evolution, Brazilian Jiu Jitsu, and toddler wrangling. He also runs Hot Lava Obstacle Course located on Burnet Road.

(No Video) Link to slides at slideshare

Austin Security Professionals Happy Hour sponsored by Set Solutions Inc., September 11th

When: Thursday, September 11th, 5-7PM

Sponsor: Set Solutions Inc.

For over 20 years, Set Solutions, Inc.—a full service provider of network security, secure remote access and bandwidth management solutions—has been in the business of increasing business profitability and growth.

If you have network security challenges or just want to improve the health of your network, Set Solutions can help.

OWASP Austin August Chapter Meeting - August 26th

When: August 26th, 11:30AM to 1PM

Title: Identifying Web Attacks via Data Analysis

Abstract: This presentation will look at detection of SQL injection using Machine Learning as well as profiling web traffic to find misbehaving hosts. The goal is to get beyond "Top N" types of analysis and begin using multiple features to guide us towards interesting traffic. With these techniques multiple log types can be used, everything from web server logs to proxy logs.

Speaker: Mike Sconzo

Mike enjoys attempting to solve/solving interesting security problems with data analysis. He's spent most of his career on the defensive side, and is constantly looking for new ways to detect suspicious and malicious behavior. His background is heavy in network analysis and most of the explored techniques revolve around use cases involved with network forensics.

Video Archive: https://vimeo.com/channels/owaspaustin/104466721

Austin Security Professionals Happy Hour sponsored by Trustwave, August 14th

When: Thursday, August 14th, 5-7PM

Sponsor: Trustwave

The Trustwave suite of application security solutions, delivered by an expert team of application specialists, ensures that your application is tested and reviewed thoroughly. The application security team uses manual processes to test and review applications according to your needs. The result is specific guidance that can significantly improve the security of your applications and protect your business.

OWASP Austin July Chapter Meeting - July 29th

When: July 29th, 11:30AM to 1PM

Title: Railsgoat

While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as solutions for remediation. This talk will discuss Railsgoat, common issues, defensive measures, and engage the audience for feedback/improvements.

Speakers: Ken Johnson

Ken Johnson is the CTO of nVisium and leads the company's product development efforts. Ken is obsessed with code security and code in general but holds a special place in his heart for Ruby. Ken is passionate about the open source community, and genuinely loves to create. http://railsgoat.cktricky.com

Video Archive: https://vimeo.com/channels/owaspaustin/102133267

Austin Security Professionals Happy Hour sponsored by iSEC Partners, July 10th

When: Thursday, July 10th, 5-7PM

Sponsor: iSEC Partners

iSEC Partners is an information security firm specializing in the assessment of application and network security. Founded in 2004, with offices in San Francisco, New York, Seattle, and Austin, iSEC Partners provides tailored security services to many Fortune 500 clients. iSEC consultants are published authors in the information security field and regular speakers at events including the RSA Conference, Black Hat, FS-ISAC, CanSecWest, SOURCE, InfoSecurity Europe, and the FIRST annual conference. Details of presentations delivered by iSEC Partners in recent years are available from our website at https://www.isecpartners.com/research/white-papers.aspx.

OWASP Austin March Chapter Meeting - June 24th

When: June 24th, 11:30AM to 1PM

Title: Integrating process and architecture to yield robust systems

Abstract: When producing software products that meet the objectives of both the business unit and the security shop, the developer's best friend is process and a secure architecture. Robust systems require a holistic view of security where attribution, reliability and confidentiality do not put a strain on the dev shop, but provide an environment that optimizes the use of infrastructure and standards to yield secure and robust systems. How do we do that and meet the budget and time constraints that we all face?

Speaker: Vern Williams

Vern Williams has over 30 years in Information Security starting with his responsibilities in the US Navy Submarine Force where he obtained a Masters Degree in Information Systems. Since retiring from the Navy, he has worked for several companies and has obtained certifications as a Certified Information Systems Security Professional (CISSP), a Certified Business Continuity Professional (CBCP), a Certified Secure Software Lifecycle Engineering Professional (ISSEP). He has been one of few instructors for the CSSLP preparation seminar by ISC2. Additionally, over the last few years, Mr. Williams has distinguished himself as an ISSA Distinguished Fellow and Senior Member of the IEEE, Fellow and served as Director of ISSA International, President of the Capitol of Texas ISSA Chapter, Chair of the Austin ASIS Chapter, President of the local USAFA Parents Association and the Disaster Relief Coordinator for the Austin Disaster Relief Network. He has been instrumental in establishing the Certified Information Systems Security Professional (CISSP) course at Austin Community College and is a key contributor to the Texas Regional Infrastructure Security Conference (TRISC).

Video Archive: Unfortunately, due to technical difficulties, a recording was not made.

Austin Security Professionals Happy Hour sponsored by Lumenate, June 12th

When: Thursday, June 12th, 5-7PM

Sponsor: Lumenate

Lumenate is a technical consulting firm that helps clients solve their most challenging business problems. We combine the brightest, experienced talent with proven and longstanding manufacturing partnerships to provide expert solutions across the following practice disciplines:

  • Storage | Virtualization
  • Security | Compliance
  • Networking | Collaboration
  • Managed Services

OWASP Austin March Chapter Meeting - May 27th

When: May 27th, 11:30AM to 1PM

Title: How to Use Crowd-Sourced Threat Intelligence

Abstract: This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.

Speaker: Jaime Blasco

Jaime Blasco is a Security Researcher with broad experience in network security and malware analysis. At AlienVault, Jaime manages the Lab and runs the Vulnerability Research Team in charge of researching and integrating threat intelligence into detection mechanisms.

Video Archive: http://vimeo.com/channels/owaspaustin/96621807

Austin Security Professionals Happy Hour sponsored by The Broadleaf Group, May 8th

When: Thursday, May 8th, 5-7PM

Sponsor: The Broadleaf Group

Founded in 2005, The Broadleaf Group is a leading provider of IT solutions with specific emphasis on providing Systems, Security, Unified Communications, Managed IT, Banking and CIO level consulting for SMB to enterprise level customers throughout the US. The company’s extensive experience with IT performance, optimization processes and business enablement ensures customers are provided with the most comprehensive and competitive solutions for their environments. For more information, please visit www.broadleafgroup.com.

OWASP Austin March Chapter Meeting - April 29th

Title: Covert Hacking and Application Testing with Raspberry Pi

Abstract: The $35 Raspberry Pi is a wonder device on the cheap! But the security impact of this cheap and powerful equipment with its tiny footprint is equally interesting. In this session you will learn how the Pi can be used as a covert, field-friendly hacking platform for less than $100 total. The talk will address both attack and defense scenarios against the device. We will also discuss some of the applications for Pi around application security and penetration testing.

Speaker: Branden Williams is well known in the industry as a practitioner, consultant, and thought leader. He spent a number of years helping companies solve major security and compliance problems, including building PCI DSS compliance programs for some of the largest retailers around the globe. He recently sat on the PCI Board of Advisors and published the third edition of his book, PCI Compliance (Syngress, 2012) in August. Branden routinely speaks with organizations big and small with various levels of regulation to help them reduce their overall risk footprint and build safer and more efficient IT functions.

Video Archive: https://vimeo.com/93323292

Austin Security Professionals Happy Hour sponsored by Digital Defense, April 10th

When: Thursday, April 10th, 5-7PM

Sponsor: Digital Defense

Founded in 1999, Digital Defense, Inc. (DDI) is a premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. DDI’s dedicated team of experts helps organizations establish a culture of security through regular information security assessments, awareness education and decisive security intelligence. This proven method bolsters the capability to reduce risk and keep assets and reputations secure. The combination of DDI’s certified security analysts, patent-pending technology and proprietary cloud-based vulnerability management system, Frontline™ Solutions Platform, delivers one of the most powerful assessment results and remediation management solutions available.

OWASP Austin March Chapter Meeting - March 25th

Title: Hacking Exposed: Mobile Edition

Abstract: Mobile is living up to the hype as the next great technology shift, rivaling the Internet in its game-changing impact. Of course, with great change comes potential risk - is there a magic bullet to secure the adoption of mobile everywhere? Cigital presents the latest mobile app security trends based on our recent book, Hacking Exposed: Mobile.

Speaker: Joel Scambray, CISSP, is a Managing Principal at Cigital, a leading software security consulting firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 address information security challenges and opportunities for nearly twenty years, in diverse roles including consultant, author and speaker, corporate leader, and entrepreneur. He is widely recognized as co-author of the best-selling Hacking Exposed book series, and has worked/consulted for companies including Microsoft, Amazon, Costco, Foundstone/McAfee, and Ernst & Young.

Video Archive: https://vimeo.com/90822991

Austin Security Professionals Happy Hour sponsored by Sourcefire/Cisco - March 19th

When: Wednesday, March 19th 5pm-8pm

Where: Wingate by Wyndham 1209 N. Interstate Highway 35 Round Rock, TX 78664

Sponsor: Sourcefire/Cisco

OWASP Austin February Chapter Meeting - February 25th

Title: Magical Code Injection Rainbow

Abstract: There are many intentionally vulnerable web applications available for people to learn how to exploit various types of flaws. Unfortunately, many of them have only the most basic and easily exploited examples of flaws. In order to work with a more complex version of a flaw, it's usually necessary to write your own vulnerable application or modify an existing one. There is another option! The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerable applications. This presentation will demonstrate the use of the existing MCIR applications such as SQLol (for SQL injection) and XMLmao (for XML and XPath injection), teach advanced exploitation techniques in SQL injection; XPath injection; cross-site scripting; and shell command injection, discuss the exploitation of insecure cryptosystems and discuss how to use the MCIR framework to build your own configurable vulnerable application.

Speaker: Daniel Crowley (aka "unicornFurnace") is a Senior Security Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie. Daniel also holds the title of Baron in the micronation of Sealand.

Video Archive: https://vimeo.com/90822990


Austin Security Professionals Happy Hour sponsored by SafeNet - February 20th

When: Thursday, February 20th, 5pm-7pm

Where: Sherlocks Baker Street Pub and Grill, 183 & Burnet

Sponsor: SafeNet

Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet’s data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.


OWASP Austin January Chapter Meeting - January 28th

Chapter meeting canceled due to icy conditions.


Austin Security Professionals Happy Hour sponsored by F5 - January 9th

When: Thursday, January 9th, 5pm-7pm

Where: Sherlocks Baker Street Pub and Grill, 183 & Burnet

Sponsor: F5



2013


OWASP Austin Chapter - December 2013

No Meeting, Happy Holidays!


Austin Security Professionals Happy Hour - December 2013

No Happy Hour, Happy Holidays!


OWASP Austin Chapter - November 2013

No Meeting


Austin Security Professionals Happy Hour - November 2013

No Happy Hour, Recovery from LASCON


LASCON 2013, October 24th & 25th

Did you miss it? http://www.lascon.org


OWASP Austin September Chapter Meeting - September 24th

Title: Bridging the gap between development cloud networks and our corporate identity management strategy. Oh and adding visibility/credibility to our IT shop.

Speakers: Jay Paz (Staff Security Engineer) and Justine Reneau (Senior Systems Administrator) from Bazaarvoice

Location: National Instruments, 11500 N. Mopac, Building C

When: Tuesday, September 24th from 11:30am to 1:00pm

RSVP: http://owaspaustinsept.eventbrite.com/?s=17712853


Austin Security Professionals Happy Hour, Sponsored by Sourcefire

When: Thursday, September 12th, 5pm-7pm

Where: Sherlocks Baker Street Pub and Grill, 183 & Burnet

Sponsor: Sourcefire

RSVP: http://sec-happyhr.eventbrite.com/?s=16936345


August OWASP Austin Chapter Meeting

When: Tuesday, August 27th, from 11:30am-1:00pm

Where: National Instruments, 11500 N. Mopac, Building C

Title: Static Code Analysis: Is it safe to go back in the water?

Speakers: Art Dahnert and Joel Scambray

RSVP: http://owaspaustinaug.eventbrite.com/?s=16906987


Austin Security Professionals Happy Hour

When: Thursday, August 15th, from 5:00pm - 7:00pm

Where: Sherlock's Baker Street Pub and Grill, 183 and Burnet.

Our Sponsor: Critical Start, Mobile Iron, and OpenDNS!

RSVP: http://augustsec.eventbrite.com/?s=16703579


August OWASP Austin Chapter Meeting

When: Tuesday, July 30th, from 11:30am-1:30pm

Where: National Instruments, 11500 N. Mopac, Building C

Title: Testing at Cloud Speed: Security Gone Agile

Speaker: Matt Tesauro


Austin Security Professionals Happy Hour

When: Thursday, July 11th, from 5:00pm - 7:00pm

Where: Sherlock's Baker Street Pub and Grill, 183 and Burnet.

What: The Austin Security Professionals Happy Hour is a monthly event coordinated between the Austin ISSA and OWASP Chapters to provide security professionals an opportunity to network and have a good time!

Our Sponsor: Security Innovation

RSVP: http://julysecurity.eventbrite.com/?s=15640627

Austin Security Professionals Happy Hour

When: Thursday, June 13th, from 5-7 pm

What: Austin Security Professionals Happy Hour Sponsored by 21CT

Where: Sherlocks Baker Street Pub and Grill.

RSVP: http://junesecurity.eventbrite.com/?s=14912917


August OWASP Austin Chapter Meeting

When: Thursday, May 28th, from 11:30a - 1:00pm

What: OWASP Austin Chapter Meeting

Who: Dustin Kirkland, Gazzang.com

RSVP: https://www3.gotomeeting.com/register/813351094


Austin Security Professionals Happy Hour

When: Thursday, May 9th, from 5-7 pm

What: Austin Security Professionals Happy Hour Sponsored by Trustwave Spiderlabs

Where: Sherlocks Baker Street Pub and Grill.

RSVP: http://aprilsecurity.eventbrite.com/?s=13502311


August OWASP Austin Chapter Meeting

When: Tuesday, April 30th, from 11:30am - 1:00pm

What: OWASP Austin Chapter Meeting

Who: Neil Matatall, Twitter

RSVP: http://owaspaustinmarch.eventbrite.com/?s=13784243


Austin Security Professionals Happy Hour

When: Tuesday, April 11th, from 5-7 pm

What: Austin Security Professionals Happy Hour Sponsored by Trustwave Spiderlabs

Where: Sherlocks Baker Street Pub and Grill.

RSVP: http://aprilsecurity.eventbrite.com/?s=13502311


August OWASP Austin Chapter Meeting

When: March 26th from 11:30am - 1:00pm

What: OWASP Austin Chapter Meeting

Topic: Why UPnP is Awesome and Terrifying

Who: Dan Crowley

RSVP: http://www.eventbrite.com/event/5856381595/eorgf


Austin Security Professionals Happy Hour

When: Tuesday, February 19th, from 5-7 pm

What: Austin Security Professionals Happy Hour Sponsored by Rapid 7

Where: Sherlocks Baker Street Pub and Grill.

RSVP: http://www.eventbrite.com/event/5855308385


August OWASP Austin Chapter Meeting

When: February 26th from 11:30a - 1:00p

What: OWASP Austin Chapter Meeting

Topic: big data real-time security analytics

Who: Lars Ewe

RSVP: http://owasp-feb.eventbrite.com/


Austin Security Professionals Happy Hour

When: Thursday, February 21st, from 5-7pm

What: Austin Security Professionals Happy Hour Sponsored by SOS Security and Palo Alto Networks

Where: Sherlocks Baker Street Pub and Grill.

RSVP: http://infosecfeb.eventbrite.com/


August OWASP Austin Chapter Meeting

When: January 29th from 11:30a - 1:00p

What: OWASP Austin Chapter Meeting

Topic: Data events, or why security is cloudier than you think.

Who: Wendy Nather

Cost: Free, of course

Food: Oh yeah, Taco Deli time!

Location: National Instruments, 11500 N. Mopac, Building C

RSVP: http://owaspjanuary.eventbrite.com/


Austin Security Professionals Happy Hour

When: January 17th, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour, Sponsored by Trusteer

Where: Sherlocks



2012


When: September 25th, 11:30am - 1:00pm

Topic: Vulnerability Spidey Sense (Sponsored by SolarWinds)

Who: Daniel Crowley and Chris Vinecombe

Synopsis: This talk will cover scenarios which raise red flags for us, why, and how to develop your own sense of intuition.

Cost: Free

RSVP: http://www.eventbrite.com/event/4319523812


When: September 13th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, Sponsored by Mandiant

Where: Sherlocks


When: August 28th, from 11:30a-1:00pm

Topic: OAUTH 2.0 Security

Who: Tom Brown develops user-centric identity software with Ruby, contributes to the opentransact protocol and participates at the Internet Identity Workshop. Tom has contributed code for federated and delegated identity to several open source projects as herestomwiththeweather on github. Prior, Tom developed network and security code for companies including VXtreme, Microsoft, Yodlee, WholeSecurity and BiometricAccess.

Cost: Free, of course

Food: Oh yeah, Taco Deli time!

Location: National Instruments, 11500 N. Mopac, Building C

RSVP: http://www.eventbrite.com/event/4064986484




When: August 9th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, Sponsored by Slait Consulting.

Where: Sherlocks


When: July 31st, 11:30am - 1:00pm

Topic: Lightning Talks

Who: Doug Landoll, Matt Malone, Shared Secrets - David Hughes, The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems - Josh Sokol (@joshsokol), WAF evasion with SSL - David Lister, Phil Beyer (@pjbeyer), #securityisms - The Real APT! - Brian Engle (@brainaengle), Re-integration: Don't fear closed systems - Michael Cote (@cote), Selling Security - Bill Kasper (aka The Hacker Vaccine) (@hackervaccine), Be mean to your code! - James Wickett (@wickett), Implementing Social Sign On (SSO+) in a Large Enterprise Single Sign On (SSO) Ecosystem - Jay Hook

Synopsis: A collection of 5 minute talks by various OWASP members. 20 slides, 15 seconds each.

Cost: Free, of course

Food: Oh yeah, Taco Deli time!

Location: National Instruments, 11500 N. Mopac, Building C

RSVP: http://www.eventbrite.com/event/3873941062


When: July 12th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, Sponsored by Security Innovation.

Where: Sherlocks


When: June 26th, from 11:30a-1:00pm

Topic: Measuring the Root Shell Index

Who: HD Moore

Synopsis: Determining the realistic scope of a particular advisory or vulnerability using large scale reconnaissance with analytics.

Cost: Free, of course

Food: Oh yeah, Taco Deli time!

Location: National Instruments, 11500 N. Mopac, Building C

RSVP: http://www.eventbrite.com/event/3697966718


When: June 14th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, Sponsored by WhiteHat Security.

Where: Sherlocks


When: May 29th, 1:00pm-5:00pm

Topic: Secure Coding BootCamp

Who: Jim Manico

Synopsis: This bootcamp provides essential web application security training for web application software developers and architects. The class is a combination of lecture and code review. Participants will not only learn the most common threats against web applications, but more importantly they will learn how to also fix the problems via control-based defensive code samples and review. Topics such as Authentication, Access Control, Crypto, Cross Site Request Forgery, Cross Site Scripting, Injection Defense, Clickjacking Defense, Session Management and other topics will be addressed from a defensive point-of-view.

Cost: Free

Location: National Instruments, 11500 N. Mopac, Building

RSVP: http://www.eventbrite.com/event/3418744557


When: May 29th, 11:30am-1:00pm

Topic: "Closing the window of opportunity"

Who: Jim Manico and Siri De Licori of WhiteHat Security

Synopsis: "Closing the window of opportunity" will discuss the state of web application security based on recent statistics drawn from WhiteHat’s database of thousands of sites under service, and the characteristics of a program that can help organizations develop a strong web security posture and reduce or eliminate the opportunities attackers have to compromise their applications.


Cost: Free, of course

Food: Oh yeah, Taco Deli time!

Location: National Instruments, 11500 N. Mopac, Building

RSVP: http://www.eventbrite.com/event/3418570035


When: May 10th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, May 10th, Sponsored by Rapid7.

Where: Sherlocks


When: April 24th, 11:30a-1:00pm

Topic: Anatomy of Advanced Email Attacks (Aaron Estes, Cigital)

Abstract: Email attacks comprise an overwhelming majority of the daily attacks on modern enterprise. The leading mitigation strategy is a combination of user awareness training and email filtering. This talk outlines a proposed solution that brings email risk and awareness information down to the client level in order to better equip end users in making secure decisions when using email.

Anti-spam capabilities have been incorporated into email client applications for some time now. These are usually in the form of junk boxes or email filters that attempt to identify spam or other unwanted email. Most anti-spam clients use Bayesian filtering to determine whether an email is spam or not spam, typically using word combinations and statistical analysis to make a determination. Many experts also advise wary email users to examine the raw email headers in order to attempt to find evidence of an email attack. While this is not bad advice, it is, however, a highly technical process, and one cannot expect the majority of email users to be able to carry out and act upon this advice. This is the problem that the proposed Advanced Email Risk Classification and Recipient Decision Assistance solution attempts to solve. The operating name for this solution is Phish Finder.

Who: Aaron Estes, Cigital

Aaron Estes came to Cigital from Lockheed Martin, where he spent 10 years in the software engineering and security engineering fields. He began his information security career as a system security engineer on the F-35 program. Aaron has spent the last 5 years as a security engineer and penetration tester for Lockheed Martin Enterprise Business Services specializing in application penetration testing and user awareness/social engineering testing. Aaron is also a professor at Southern Methodist University in Dallas where he teaches senior and graduate level security courses. He has nearly completed his Doctor of Engineering in Software Engineering at Southern Methodist University, has a Master's in Software Engineering from Southern Methodist University and has a Bachelor's in Computer Science from University of Texas. Aaron is a Certified Information System Security Professional.

Cost: Always Free

RSVP: http://www.eventbrite.com/event/3182987401

When: June 14th, 5:00pm-7:00pm

What: Austin Security Professionals Happy Hour, May 10th, Sponsored by WhiteHat Security.

Where: Sherlocks


When: May 29th, from 11:30a-1:00pm


Topic: "Closing the window of opportunity" (Jim Manico and Siri De Licori of WhiteHat Security)

Abstract: "Closing the window of opportunity" will discuss the state of web application security based on recent statistics drawn from WhiteHat’s database of thousands of sites under service, and the characteristics of a program that can help organizations develop a strong web security posture and reduce or eliminate the opportunities attackers have to compromise their applications.

This will be a product agnostic presentation, of course, though we will be using WhiteHat data (along with Jim’s long experience) to present the problems we see and how we can go about solving them.

Who: Jim Manico and Siri De Licori of WhiteHat Security

Siri De Licori is a Product Manager for WhiteHat Security. He led the development of a pre production Dynamic Analysis Software Testing (DAST) service line, and is working to bring out product enhancements which take greater advantage of WhiteHat’s historical scanning and vulnerability data and integrate DAST and SAST results. He has also worked with Jeremiah to produce statistics for a number of his quarterly reports and whitepapers.

Siri comes from a background of 10 years of development. He worked with a small software company working on an early rapid application development tool that produced code from UML diagrams, a small nonprofit on a tool to permit English and Chinese speakers to study the bible in its original tongues without learning those ancient languages, and a couple Fortune 500 companies helping them process, utilize, and analyze their financial data. Before being recruited into product management he specialized in building database systems and data analytics.

Siri works at WhiteHat’s home office in Santa Clara and lives in San Francisco.

Jim Manico is the VP of Security Architecture for WhiteHat Security. Jim is part of the WhiteHat Static Analysis Software Testing (SAST) team, leading the data-driven, Web service portion of the SAST service. He also provides secure coding and developer awareness training for WhiteHat using his 7+ years of experience delivering developer-training courses for SANS, Aspect Security and others.

Jim brings 15 years of database-driven Web software development and analysis experience to WhiteHat. He has helped deliver Web-centric software systems for Sun Microsystems, Fox Media (MySpace), several Fortune 500's, and major NGO financial institutions. He holds expertise in a variety of areas, including Web-based J2EE development, thick-client and applet-based Java applications, hybrid Java, C++ and Flash applications, Web-based PHP applications, rich-media Web applications using advanced Ajax techniques, Python REST Webservice development, and Database technology using Oracle, MySQL and Postgres.

A host of the OWASP Podcast Series, Jim is the committee chair of the OWASP Connections Committee and is a significant contributor to various OWASP projects.

Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.

Cost: Free

RSVP: http://www.eventbrite.com/event/3418570035



When: April 19th, from 5pm-7pm

What: Austin Security Professionals Happy Hour, April 19th, Sponsored by Robert Half International.

Where: Sherlocks


When: March 27th, 1:00pm-5:00pm

We will be writing Cucumber acceptance and security tests while we build an app as a group. In the lab, we will have several groups working together writing Cucumber tests and code along the way. Even if you are not a developer or security expert, this event is for you.

Who: Mani Tadayon and Tin Zaw

At AT&T Interactive, Mani is part of the team responsible for YP.com. Mani studied foreign languages at UC Berkeley, computer science at Cal State Hayward and is now a graduate student in Geography at Cal State Northridge. He has been developing web applications using open source tools for over 10 years. Currently, his focus is on behavior-driven development with Ruby.

Tin is currently the president of OWASP Los Angeles chapter. During day time, he works with Mani at AT&T Interactive as an application security architect. Before AT&T, he worked as a software engineer, manager and researcher at QUALCOMM, Inktomi (now Yahoo!), Symantec, MySpace and a Sequoia funded Internet infrastructure startup. Tin holds CISSP and CSSLP certifications from (ISC)2 and an MS in Computer Science from University of Southern California, and is working on an MBA from USC.

Cost: Free, but limited to 30 seats.

RSVP: http://www.eventbrite.com/event/3183041563


When: March 27th, 11:30a-1:00pm

Topic: Cucumber and friends: tools for security that matters

Behavior-Driven Development (BDD) helps focus software development on delivering prioritized, verifiable business value by providing a common vocabulary that spans the divide between Business and Technology. Cucumber is a widely used tool in the Ruby community for implementing BDD, and it executes plain-text functional descriptions as automated tests. In this talk, Mani and Tin will discuss how Cucumber and related tools can be used to define and verify security features that matter in software.

Who: Mani Tadayon and Tin Zaw

At AT&T Interactive, Mani is part of the team responsible for YP.com. Mani studied foreign languages at UC Berkeley, computer science at Cal State Hayward and is now a graduate student in Geography at Cal State Northridge. He has been developing web applications using open source tools for over 10 years. Currently, his focus is on behavior-driven development with Ruby.

Tin is currently the president of OWASP Los Angeles chapter. During day time, he works with Mani at AT&T Interactive as an application security architect. Before AT&T, he worked as a software engineer, manager and researcher at QUALCOMM, Inktomi (now Yahoo!), Symantec, MySpace and a Sequoia funded Internet infrastructure startup. Tin holds CISSP and CSSLP certifications from (ISC)2 and an MS in Computer Science from University of Southern California, and is working on an MBA from USC.

Cost: Always Free

RSVP: http://www.eventbrite.com/event/3147433057



When: March 8, 2012, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Fireeye)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: February 28, 2012, 11:30am - 1:00pm


Topic: Testing From the Cloud: Is the Sky Falling?

More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and start up another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an instance for each one. By the end of this talk, you'll know all you need to fire up a cloud instance with all of your favorite tools and start having fun.


Who: Matt Tesauro (Rackspace)

Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University.


Cost: Always Free

RSVP: http://www.eventbrite.com/event/2967474797



Topic: Half-Day Threat Modeling Seminar with John Steven of Cigital

How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management.

Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate that an application resists the specified attacks.

Who: John Steven (Cigital)

John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

Where: Microsoft Technology Center, Quarry Oaks 2, 10900 Stonelake Blvd

When: February 9th, from 1:00pm to 4:30pm

Cost:

The cost is free, but seating is limited, so register soon at the below link!

http://austinthreatmodel2012.eventbrite.com/



When: February 9th, 2012, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Cigital)

Where: Weirdos



2011


When: October 28, 2011, 8:00am - 5:00pm

Topic: Lonestar Application Security Conference (LASCON)

Who Should Attend LASCON 2011:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

Where: Norris Conference Center, Austin, TX


When: September 29, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by HP/Fortify)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: September 27, 2011, 11:30am - 1:00pm

Topic: STAAF: A FLOSS Framework for Scalable and Sharable Android App Analysis

With no end of Android malware anywhere in sight, it’s no wonder that so many Android analysis tools have been released lately. While each of these powerful tools makes great strides in finding artifacts in an individual application, they’re typically not designed to scale beyond a few thousand selected samples at most. In order to gain effective insight into Android applications, researchers need to be able to analyze a substantial subset of the 300k+ applications in the official store, all of the applications across the disparate unofficial Android stores and repositories, as well as ad-hoc manually-submitted applications. This was the motivation for STAAF, a Scalable Tailored Application Analysis Framework. STAAF was designed to allow an analyst to easily add/remove/configure various analysis modules, then process large numbers of applications at once or over time, then share the raw data, processed data, and results with other organizations. In this presentation I’ll cover the STAAF Architecture, the current status and available implementation, and if circumstances permit, show a quick demo with a handful of applications.

Who: Ryan Smith (Praetorian)

At Praetorian, Ryan's current focus is on the development of technology and systems in support of computer network defense, attack, and exploitation. Prior to joining Praetorian, Ryan Smith was an Associate Staff member of the Information Systems Technology Group at MIT Lincoln Laboratory. His previous work at Lincoln Labs was in the code analysis group, in which he focused on the development of a prototype tool to automate the malware analysis process using information flow and virtual machine introspection. Prior to Lincoln Laboratory, Mr. Smith worked at 21st Century Technologies and Applied Research Labs in Austin, TX, and PricewaterhouseCoopers in Dallas, TX. Previous work has included graph-based network attack correlation, steganography, netflow traffic analysis, vulnerability and risk analysis, and identity management.

Ryan has been an active member of the Honeynet Project since 2002, in which he participated in the testing and development of various honeynet technologies, and was invited to give several talks on the usefulness of honeynets for strengthening network security as well as research. While at the University of Texas, Ryan was the head of the local information security group on campus, and the organizer of the local cyber "capture the flag" exercise. As a result of this position, he was invited to a NFS funded workshop to determine the efficacy of a National Collegiate Cyber Defense Exercise, and subsequently assisted in the organization of the inaugural Collegiate Cyber Defense Competition, which now hosts over 50 Universities in 8 regional qualifiers and a finalist round in San Antonio. While at the University of Texas, Ryan also led a team of graduate students to design and implement a prototype of an automated polymorphic shellcode analyzer to extract the system calls and parameters of arbitrarily obfuscated Windows shellcode.

Industry designations include the Certified Information Systems Security Professional (CISSP). Ryan received a B.S. in Electrical Engineering from The University of Texas in Austin, where he focused on information assurance and network communications. Ryan received an M.S. in Security Informatics from Johns Hopkins, where he focused on network and systems security as well as privacy and technical public policy.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on Eventbrite


When: August 30, 2011, 11:30am - 1:00pm

Topic: Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data Exfiltration

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams.

In this session we will cover:

  • Prevalence of backdoors and malicious code in third party attacks
  • Definitions and classifications of backdoors and their impact on your applications
  • Methods to identify, track and remediate these vulnerabilities

Who: Joe Brady (Veracode)

Joe Brady is a Senior Solutions Architect at Veracode with over 25 years of experience in software application development and security. His professional experience includes advising customers on data at rest encryption solutions at Credant Technology, IT risk and portfolio management at Prosight (now Oracle), and application software development as a consultant and software development manager for various companies. Joe began programming as a physics undergrad and developed early microprocessor based instrumentation at Cornell, where he received a Master of Science degree in Applied and Engineering Physics. He has had an interest in software security, and backdoors in particular, since reading “Reflections on Trusting Trust” by Ken Thompson where he describes planting what we now call a backdoor in the UNIX compiler.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

Protecting Your Applications From Backdoors


When: August 18, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Set Solutions)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: July 14, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by BlueCoat)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: June 28, 2011, 11:30am - 1:00pm

Topic: Introduction to the OWASP Secure Coding Practices Quick Reference Guide

The OWASP Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy to read and digest.

The focus is on secure coding requirements, rather than on vulnerabilities and exploits. In this respect it is targeted more precisely for the development community, as opposed to the security community.

This presentation will introduce this OWASP project and discuss some of the core concepts and principles of the requirements.

Who: Keith Turpin CISSP, CSSLP, CRISC (Boeing)

Keith leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations.

Keith represents Boeing on the International Committee for Information Technology Standard's cyber security technical committee and serves as a U.S. delegate to the International Standards Organization's sub-committee on cyber security.

Keith is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association.

He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics.

Keith holds a BS in Mechanical Engineering and MS in Computer Systems.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well.

RSVP on Eventbrite


When: June 17, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Rapid7)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: June 17, 2011, 1:30pm - 5:00pm

Topic: Penetration Testing with Metasploit Half-Day Seminar

Who: Raphael Mudge

Where: Microsoft Technology Center (Quarry Oaks 2, 10900 Stonelake Blvd, Suite 225, Austin, TX 78759)

Penetration Testing with Metasploit


When: May 31, 2011, 11:30am - 1:00pm

Topic: Why Ha.ckers.org Doesn't Get Hacked

Ha.ckers.org has suffered nearly every attack a website can. These attacks include robots, sophisticated web-based attacks, brute force, denial of service, and network based attacks. This speech will explain the other side of protecting high risk websites - the configurations, operating system, and network.

Who: James Flom (SecTheory)

Mr. Flom has been working in the computer industry for the past sixteen years and has spent the last twelve heavily involved in computer and network security. As lead operations engineer of Pilot Network Services' security department, he researched network and computer threats on a daily basis, protecting some of the largest companies and organizations in the world. He designed and implemented what was believed at the time to be the largest network intrusion detection system in the world, protecting over half a million computers.

Mr. Flom later joined Digital Island (acquired by Cable & Wireless and merged with Exodus), where he created new product offerings for the Security Operations Center he was brought on to build. After the merger with Exodus James joined the Cyber Attack Tiger Team and assisted with the detection and recovery of several global network security compromises. Mr. Flom later became the director of consulting services for Kliosystems before co-founding SecTheory. He is a member of IACSP.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Why Ha.ckers.org Doesn't Get Hacked


When: May 5, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by FireEye)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: April 26, 2011, 11:30am - 1:00pm

Topic: Rugged Dev: Building Reliability and Security Into Software

Complex systems fail over time and the larger they are, the more likely they are to fail in unforeseen ways. Come hear about the best practices we used and lessons learned when we built very large scale cloud-based products. Once exposed to the Internet, complex multi-tenant Web systems encounter a wide range of input from a variety of sources but still have to be long running and behave resiliently in the face of failures. We will examine 3 implementations of Rugged best practices to design and test your software for ruggedness.

Who: James Wickett (National Instruments)

James graduated from the University of Oklahoma in 2004 with a BBA in MIS, where he also ran a Web startup company. He joined the IT division of National Instruments, where he helped run the NI Web site, ni.com, for several years. In 2007 he moved on to lead the Web division of a rapidly growing local publisher, Community Impact. In 2010, he came back to NI, this time to the LabVIEW R&D group, where he leads up security and operations for several cloud-based SaaS products. Over the last several years, James has been involved in the Austin chapter of OWASP as the Chapter President (2007-2009) and as the Chapter VP (2010-present). With his involvement in OWASP, he also co-chaired the Lonestar Application Security Conference (LASCON) which was the first OWASP conference in Austin.

He is a security expert, bearing CISSP, GCFW, GWAS, and CCSK certifications.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well.


When: April 14, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Veracode)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: March 29, 2011, 11:30am - 1:00pm

Topic: OWASP ROI: Optimize Security Spending Using OWASP

Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study the company realized annual reduction in spending of several hundred thousand dollars.

Who: Matt Tesauro (Praetorian)

Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Praetorian, Matt was a Security Consultant at Trustwave's Spider Labs. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training at various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.

Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.

Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University.

Where: National Instruments, 11500 N Mopac, Building C


When: March 10, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Infoblox)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: February 22, 2011, 11:30am - 1:00pm

Topic: Supercharged Password Cracking Techniques

In the past 2-3 years there have been many important discoveries/releases in the world of password cracking. Between massive password leaks (like RockYou, Gawker, etc.) and the release of many free tools that take advantage of the processing power of GPU cards, there are many new techniques/tools/tricks that security professionals should be taking advantage of while cracking passwords. But by default, the tools you download (like John the Ripper) do not take advantage of this.

Over the past 12 years, Rick has been collecting password hashes from various large corporations (during authorized penetration tests). For years now, he has been cracking these passwords, and discovering more and more patterns that users are using. But the majority of password cracking tools out there (Such as John the Ripper, L0phtCrack, etc) do not take advantage of these "human weaknesses" in password creation. So far Rick has cracked almost 4 million hashes from inside corporate America, and an additional 5+ million from sources over the Internet.

During this talk Rick will talk about the current state of password cracking by walking the attendees through a PWDUMP output file (containing 49000+ real "complex" NTLM passwords) and how the default rule-set provided by John the Ripper can be improved to crack tens of thousands of additional passwords. Wordlists/Dictionaries will be shared that can help you better crack passwords (these wordlists were created based on what users are _actually_ doing in Fortune 500 environments). New "rules" will be given out that were created to specifically attack the patterns that users are choosing.

This is relevant to OWASP, because the applications we are developing/securing almost always have logins and passwords that protect them. But, unlike Operating Systems, our web applications do not usually have strict password requirements that users have to meet in order to create an account. We do this as to not scare away users; but we are placing our OWN systems at risk.

Even now, sites like Google/Twitter/Facebook only warn the users about poor passwords, or have a list of 500 passwords that are not allowed. This will _not_ be the case in 10 years. Let's address this problem now.

The only way to address the problem is to first become aware of how bad our users are at choosing passwords, and what we can do (as developers or security professionals) to help protect our users from themselves.

Who: Rick Redman (KoreLogic)

During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me if You Can" Contest at DefCon 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA Chapters and AHA (Austin Hackers Anonymous). Rick also provides technical security training on topics such as web application security. Rick also delivers web application security training to management, developers and security staff. Rick has served as a member of a penetration testing tiger team supporting Sandia National Laboratories. Mr. Redman is a graduate of Purdue University with a degree in Computer Science from the COAST/CERIAS program under Eugene Spafford. Rick started performing application layer security tests of applications in 2000, before inline web-proxies existed.

Where: National Instruments, 11500 N Mopac, Building C

Supercharged Password Cracking Techniques


When: February 10, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Cisco)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)



When: January 25, 2011, 11:30am - 1:00pm

Topic: Smart Phones with Dumb Apps

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks through example applications from an attacker’s perspective, demonstrating the sort of information they are able to extract, allowing for more advanced attacks.

Who: Dan Cornell (Principal, Denim Group)

Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. In addition, Dan Cornell performed as the CTO of BrandDefense, architecting and developing their cutting-edge intellectual property protection technologies. Over a one year period of development he brought their web-based intellectual property protection technologies through three major versions, surpassing the applications of well funded and entrenched competitors. Previously he was the Vice President, Global Competency Leader for Rare Medium's Java and Unix competency center, based in San Antonio, Texas with development centers in New York, San Francisco, Atlanta and Sydney, Australia. He directed the development of best practices and policy for the cornerstone of Rare Medium's technical development arm, specializing in server-side Java application development. Prior to its acquisition by Rare Medium, Cornell was a founder and Vice President of Engineering for Atension, Inc. where he led the technical development team and served as the architect for the company's internal engineering practices. In March 1999, Texas Monthly magazine named Cornell and his partners, Sheridan Chambers and Tyson Weihs, to its list of 30 "Multimedia Whizzes Under Thirty" doing business in Texas.

Where: National Instruments, 11500 N Mopac, Building C


When: January 13, 2011, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Rapid7)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)



2010


When: October 29, 2010, 8:00am - 5:00pm

Topic: Lonestar Application Security Conference (LASCON)

Who Should Attend LASCON 2010:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

Where: Norris Conference Center

Cost: $100 for OWASP members, $150 for non-members (includes 1 year OWASP membership)


LASCON 2010 Schedule



When: September 28, 2010, 11:30am - 1:00pm

Topic: Technology and Business Risk Management: How Application Security Fits In

This presentation demonstrates how important application security is to the overall stability and security of the infrastructure and, ultimately, the business. Presented from the Information Security Officer/Risk Manager point of view, it shows how a strong information security program reduces levels of reputational, operational, legal, and strategic risk by limiting vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on the top concerns of risk managers and how application security fits into the overall risk management process. The audience will be given recommendations on how to improve cost effectiveness and efficiency to achieve business, security, audit, and compliance objectives relative to applications.

Who: Peter Perfetti (Impact Security LLC)

Mr. Perfetti has been working in information security for fifteen years. He has been involved in IT Security for the financial services industry for ten years where he has worked as an Information Security Officer as well as having been responsible for vulnerability and threat management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager of Systems Administration and was the Director of IT Risk Management for the National Basketball Association. He has a broad range of experience in both operations and security. Mr. Perfetti provided governance and guidance over risk and compliance issues for the Americas region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities were primarily to manage the risk for infrastructure related technology and operations. Other duties included audit, business continuity, investigations, and security operations oversight. Most recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving high performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention, and Recovery; as well as developing, enhancing, and implementing Security and Risk Management programs.

Where: National Instruments, 11500 N Mopac, Building C

Technology and Business Risk Management: How Application Security Fits In


When: September 16, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by F5 and Accuvant)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: August 31, 2010, 11:30am - 1:00pm

Topic: Application Assessments Reloaded

Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration-testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration-testing be re-used and turned into something innovative?

Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration-testing tools.

Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?

This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

Who: Andre Gironda

Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company, worked as an appsec consultant for many years, and recently joined a large online gaming company. He is known for his quirky mailing-list posts and blog comments -- and at one time wrote for tssci-security.com.

Where: National Instruments, 11500 N Mopac, Building C

Application Assessments Reloaded


When: August 12, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by WhiteHat Security)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: July 27, 2010, 11:30am - 1:00pm

Topic: Data Attack Anatomy: Stopping Bad Guys & Satisfying Auditors with Pragmatic Database Security

Corporate databases and their contents are under siege. From outside the organization, criminals can exploit web applications to steal confidential information for financial gain. From the inside, databases can be compromised by employees and contractors with malicious intent. SQL Injection, platform vulnerabilities, buffer overflows ... databases are vulnerable to a myriad of threats and attack vectors.

In this session John Marler, a Senior Security Engineer with Imperva, will discuss the challenges of data security requirements imposed by today’s regulations, how organizations are achieving success and why organizations should do more than comply.

Who: John Marler (Imperva)

John is a Senior Security Engineer with Imperva and has a decade of experience in designing, deploying and managing large infrastructure and network security solutions for Fortune 500 enterprises. After seven years with Dell IT, John moved into a network security consulting role for an IBM partner and went on to evangelize network security consolidation and simplification with Crossbeam Systems. Currently he is a senior security engineer with Imperva and specializes in web application and database security.

John is a graduate of Texas A&M University with a BBA in Information and Operations Management and holds multiple industry certs including Cisco networking & design specializations, CheckPoint firewall, and TippingPoint IPS.

Where: National Instruments, 11500 N Mopac, Building B


When: July 15, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Praetorian)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: June 29, 2010, 11:30am - 1:00pm

Topic: AJAX Security

We will discuss what AJAX is, and how the different technologies combine to make it up. We will discuss some of the unique features, toolkits, and coding considerations, as well as security pitfalls, and ways to protect and detect them.

  • Introduction to AJAX
  • Security Issues with architecture
  • Toolkits
  • Toolkit Security Concerns
  • Bridges and Issues
  • Attacking AJAX
  • Defending AJAX
  • Securing the Code
  • Best Practices
  • Other Issues and Concerns
  • Q and A

Who: Brad Causey

Brad Causey is an active member of the security and forensics community worldwide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is currently employed at a major international financial institution as a security analyst. Brad is the President of the OWASP Alabama chapter, a member of the OWASP Global Projects Committee and a contributor to the OWASP Live CD. He is also the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad currently holds certifications in the following arenas: MCSA, MCDBA, MCSE, MCT, MCP, GBLC, GGSC-100, C|EH, CIFI, CCNA, IT Project Management+, Security+, A+, Network+, CISSP, CGSP.

Where: National Instruments, 11500 N Mopac, Building C


When: June 17, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Set Solutions)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: May 25, 2010, 11:30am - 1:00pm

Topic: Javascript Hijacking

This attack is an offshoot of Cross-Site Request Forgery (CSRF) and is common when AJAX is involved. It was well publicized in 2007 when the Gmail contact list was found by Jeremiah Grossman to be vulnerable to it. This presentation will include a technical explanation of the attack, a demonstration, and a discussion.

Who: Ben Broussard (UT Austin)

Ben Broussard is a developer for the University of Texas at Austin with an academic background in mathematics, specifically cryptography. At UT he has translated and prioritized web application attacks in relation to the environment that the developers are working in. Ben is currently leading a web application security focused team of developers from different departments around campus.

Topic: Attacking Intranets from the Web Using DNS Rebinding

DNS Rebinding works by implementing code that circumvents the web browser's same-origin policy and penetrates your private network. The exploit was popularized by RSnake in 2009. This presentation will explore how DNS Rebinding works, walk through a running demo, and discuss what it means to your organization.

Who: James Wickett (National Instruments)

James is the current Vice President of the Austin OWASP chapter and the former President. He works for National Instruments as a Web Systems Engineer in the R&D department. Current certifications: CISSP, GCFW, GWAS

Where: National Instruments, 11500 N Mopac, Building C


When: May 20, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by BlueCoat)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: April 27, 2010, 11:30am - 1:00pm

Topic: Automated vs. Manual Security: You can't filter The Stupid

Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.


Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.

Who: Charles Henderson (Trustwave)

Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.

Where: National Instruments, 11500 N Mopac, Building C


When: April 22, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Fortify)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: March 30, 2010, 11:30am - 1:00pm

Topic: Enterprise Application Security Practices: Real-world Tips and Techniques

How can you re-energize your company’s or institution’s commitment to secure development practices as part of the SDLC, while keeping costs in check? Dell's Security Consulting team created an application security practice with the help of several internal teams in legal, enterprise architecture, vendor management, privacy, compliance, and network engineering. Team members Addison Lawrence, Chad Barker, and Mike Craigue will discuss some of the challenges and opportunities they have faced over the last three years, ramping from 27 project engagements in 2007, to 726 project engagements in 2009. In this session, we will discuss the creation of policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. Also included: awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, penetration testing, exception management, and executive escalations. Tell us what we might do to improve our program and increase our effectiveness; discuss how you could adapt parts of this approach to your own program.

Who: Addison Lawrence, Chad Barker, and Mike Craigue (Dell, Inc.)

Addison Lawrence has 10 years of experience at Dell with leadership responsibilities in database and data warehouse security, PCI, SOX, and Dell Services security. He is a part of the Cloud Security Alliance team developing their Controls Matrix. Previously he worked for 13 years at Mobil Oil (now ExxonMobil) as a software developer and DBA. He holds an MBA from Texas A&M University and a BS in Computer Science from Texas A&M-Corpus Christi, and is a certified CISSP.

Chad has worked at Dell for 10 years primarily in software development. Chad has led global development standardization initiatives including release management automation and static source code analysis. He holds a BS in Information Systems from the University of Texas at Arlington.

Before joining Dell’s information security team 5 years ago, Mike worked as a database and web application developer at Dell and elsewhere in central Texas. He’s responsible for Dell’s application security strategy globally, and focuses primarily on Dell’s ecommerce site. He holds a PhD in Higher Education Administration / Finance from the University of Texas-Austin, and has the CISSP and CSSLP certifications.

Where: National Instruments, 11500 N Mopac, Building C

Enterprise Application Security Practices: Real-world Tips and Techniques


When: March 18, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Denim Group)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: February 23, 2010, 11:30am - 1:00pm

Topic: Advanced Persistent Threat - What Does it Mean for Application Security?

Targeted attacks, slow moving malware, foreign intelligence/government sponsored hackers, corporate/industrial espionage – all fun and games? Not really. These vectors are occurring today, and the threat vector has bled into the application space. What do you have to contend with once it passes through the firewall?

Who: Matt Pour (Blue Coat Systems)

Matt is a Systems Engineer for Blue Coat Systems. Utilizing over ten years of information security experience, Matt provides subject matter expertise of ensuring security effectiveness while addressing business controls and requirements to a multitude of industries regardless of size and scope. Previous to Blue Coat Systems, Matt Pour was a Security Solutions Architect and X-Force Field Engineer for IBM ISS.

Where: National Instruments, 11500 N Mopac, Building C

Advanced Persistent Threat - What Does it Mean for Application Security?


When: February 11, 2010, 5:00pm - 7:00pm

What: Austin Security Executives Happy Hour (Sponsored by WhiteHat Security)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)


When: January 26, 2010, 11:30am - 1:00pm

Topic: Reducing Your Data Security Risk Through Tokenization

The first Austin OWASP meeting of the year is on a really interesting topic that many of you have probably never thought about: Tokenization. The concept is simple: use tokens to represent your data instead of passing around the data itself. For example, why would you give a customer account representative a full credit card number when all they need to do their job is the last four digits? Using tokenization, we are able to reduce the data security risk by limiting the number of systems that actually store the data. This greatly simplifies audits for regulations like SOX, HIPAA, and PCI DSS. This presentation will cover the business drivers for data protection, what tokenization is, and how to implement it. If your organization has data to protect, then you're going to want to check out this presentation.

Who: Josh Sokol (National Instruments)

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Where: National Instruments, 11500 N Mopac, Building C

Reducing Your Data Security Risk Through Tokenization


When: January 14, 2010, 5:00pm - 7:00pm

What: Austin Security Executives Happy Hour

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)



2009


When: November 17, 2009, 11:30am - 1:00pm

Topic: Tracking the progress of an SDL program: lessons from the gym

Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress.

Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this presentation we’ll discuss metrics used to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally.

Who: Cassio Goldschmidt (Symantec)

Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor's degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master's degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California.

Where: National Instruments, 11500 N Mopac, Building C


When: October 27, 2009, 11:30am - 1:00pm

Topic: Vulnerability Management In An Application Security World

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.

This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Who: Dan Cornell (Denim Group)

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.

Where: National Instruments, 11500 N Mopac, Building C


When: September 29, 2009, 11:30am - 1:00pm

Topic: OWASP ROI: Optimize Security Spending using OWASP

Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study the company realized an annual reduction in spending of several hundred thousand dollars.

Who: Matt Tesauro

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security, developing a Secure SDLC and launching a two-year application security program for Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Where: National Instruments, 11500 N Mopac, Building C

OWASP ROI: Optimize Security Spending using OWASP


When: August 25, 2009, 11:30am - 1:00pm

Topic: Threat Modeling

In this talk, Michael will discuss Microsoft SDL Threat Modeling, how to apply it to design more secure applications and finally, will show a demo and hold a short lab exercise.

Who: Michael Howard, Principal Security Program Manager, Microsoft's Security Engineering Team

Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft’s software.

Howard began his career with Microsoft in 1992 at the company’s New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software. In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft’s next-generation web server, before moving to his current role in 2000.

Howard is an editor of IEEE Security & Privacy and a frequent speaker at security-related conferences, and he regularly publishes articles on secure coding and design. Howard is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista.

Where: National Instruments, 11500 N Mopac, Building C

Threat Modeling


When: July 28, 2009, 3:30pm - 5:00pm

Topic: Slowloris: A DOS tool for Apache

Slowloris was designed and developed as a low bandwidth denial of service tool to take advantage of an architectural design flaw in Apache web servers. It was quickly picked up and used by Iranian government protesters. This speech will cover the technical issues around the design flaw, and the events prior to, during and since the release of the tool.

Who: RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org

Where: National Instruments, 11500 N Mopac, Building C


When: June 25, 2009, 5:00pm - 8:00pm

Topic: OWASP/ISSA/ISACA June Happy Hour Sponsored by VMWare!!!

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info


When: June 30, 2009, 3:30pm - 5:00pm

Topic: Web 2.0 Cryptology - A Study in Failure

Who: Travis

Travis's Bio: Travis H. is a jack-of-all-trades and independent security enthusiast. He has worked in the AFCERT looking for intrusions into Air Force computers, and handled application security and cryptography issues for Paypal. He is currently a programmer for Giganews in Austin. He is also the author of an online book on security called "Security Concepts", located here:

http://www.subspacefield.org/security/security_concepts.html

Where: National Instruments, 11500 N Mopac, Building C


When: May 26, 2009, 11:30am - 1:00pm

Topic: Clickjack This!

This speech will cover clickjacking - one of the most obscure client side hacking techniques. After the speech at the world OWASP conference was canceled due to Adobe asking for more time to construct a patch, Robert Hansen never ended up doing a complete speech on the topic. This presentation will cover some of the history of how this exploit came to be, how it works, and how it eventually turned into real world weaponized code.

Who: RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org

Where: National Instruments, 11500 N Mopac, Building C


When: April 28, 2009, 11:30am - 1:00pm

Topic: Architecting Secure Web Systems

For this month's presentation, we diverge from the typical OWASP topics of writing secure code, testing to make sure your code is secure, and other code related topics and delve into the process of actually architecting a secure web application from the ground up. We'll start with some basic n-tier architecture (web vs app vs DB), throw in some firewall and DMZ concepts, then talk about server hardening with client firewalls (iptables), disabling services, and other techniques. Whether you're a code monkey wondering how the rest of the world works, a security guy trying to figure out what you're missing, or an auditor just trying to understand how the pieces fit together, this presentation is for you.

Who: Josh Sokol

Josh's Bio: Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog and recently presented at the TRISC 2009 Conference.

Where: National Instruments, 11500 N Mopac, Building C

Architecting a Secure Web System


When: April 23rd, 2009, 5:00pm - 7:00pm

Topic: OWASP April Happy Hour

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info


When: March 31, 2009, 11:30am - 1:00pm

Topic: PCI Compliance and Web App Security

The purpose of this presentation is to give an objective view of PCI Compliance including the good, the bad and the ugly.

Topics covered include:

     What does an ASV really do?
     What does a QSA really do?
     What does an ASV scan really pick up?
     Are you really secure when you are compliant?
     A product neutral look at how to get the most out of your compliance push.

Who: Fritz has more than five years of experience in offensive and defensive security practices and strategies. Since 2006 Fritz has been dedicated to managing PCI Data Security Standards (PCI DSS) for ControlScan as well as helping to develop products and services that are designed to make it easier for small merchants to complete and maintain compliance and long term security best practices. Fritz also authors regular security briefings on http://www.pcicomplianceguide.org/ and addresses the "Ask the Expert" questions on the site.

Fritz is a member of the Application Security Group of the SPSP (The Society of Payment Security Professionals), a participant on the PCI Knowledge Base's Panel of Experts and is a Certified Information Systems Security Professional (CISSP).


Where: National Instruments, 11500 N Mopac, Building C


When: February 24, 2009, 11:30am - 1:00pm

Topic: Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data

In this session, attendees will learn about the types of airline data that are at risk of being stolen by online data thieves. In addition, the following topics will be further explored:

1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;

2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and

3. Compliance and Software development life cycle approaches.

Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?

Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.

Who: Quincy Jackson

Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which includes 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.

Where: National Instruments, 11500 N Mopac, Building C


When: March 26th, 2009, 5:00pm - 7:00pm

Topic: OWASP March Happy Hour

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info


When: February 5th, 2009, 5:00pm - 7:00pm

Topic: OWASP Live CD Release Party

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info


When: January 27, 2009, 11:30am - 1:00pm


Topic: Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.

The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk:

1. The statelessness of the internet

2. How the naive attack works

3. A mitigation strategy against this naive attack

4. A combined CSRF/XSS attack that defeats this mitigation strategy

5. And finally suggestions for mitigation of the combined attack


Who: Ben L Broussard

I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.



2008


When: October 28, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic: Using Proxies to Secure Applications and More

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.

Where: National Instruments, 11500 N Mopac, Building C

Using Proxies to Secure Applications and More


When: September 30, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh's Bio: Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic: OWASP AppSec NYC Conference 2008

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703.


When: August 26th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.

Topic: OWASP Live CD 2008 - An OWASP Summer of Code Project

The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where it's been and where it's going. Some of the design goals include:

  1. easy for the users to keep the tools updated
  2. easy for the project lead to keep the tools updated
  3. easy to produce releases (I'm thinking quarterly releases)
  4. focused on just web application testing - not general Pen Testing

OWASP Project Page: http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project

Project Wiki: http://mtesauro.com/livecd/

Where: National Instruments, 11500 N Mopac, Building C


When: July 29th, 2008, 11:30am - 1:00pm

Who: Whurley and Mando

William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.

Mando Escamilla is the Chief Software Architect at Symbiot, Inc. He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project. He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.


Topic: The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect

OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.


Where: Whole Foods, 550 Bowie Street, Austin, TX 78703.


When: June 24th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP SoC Live CD project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project

A.J.'s Bio: A. J. Scotka, Senior Software Quality Engineer, Texas Education Agency. As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently responsible for quality reviews on design and code, software configuration management process, build engineering process, release engineering process, verification and validation throughout the life cycle and overall quality improvement across all areas of enterprise code manufacturing.


Topic: Securely Handling Sensitive Configuration Data.

One of the age-old problems with web applications was keeping sensitive data available on a need to know basis. The classic case of this is database credentials. The application needs them to connect to the database but developers shouldn't have direct access to the DB - particularly the production DB. The presentation will discuss how we took on this specific problem, our determination that this was a specific case of a more general problem and how we solved that general problem. In our solution, sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs). We will then cover our implementation of that solution in a .Net 2.0 environment and discuss some options for J2EE environments. So far, we used our .Net solution successfully for database credentials and private encryption keys used in XML-DSig.

Where: National Instruments, 11500 N Mopac, Building C


When: May 27th, 2008, 11:30am - 1:00pm

Who: Nathan Sportsman and Praveen Kalamegham, Web Services Security

Topic: Web Services Security

The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers. However, the power web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status. Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703.


When: April 29th, 2008, 11:30am - 1:00pm

Who: Mano Paul

Bio: Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President & CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive. He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training & Education.

What: Security – The Road Less Travelled

Abstract - What do you think Shakespeare had to say about Software Security? What does a naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side. Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.

Where: National Instruments, 11500 N Mopac, Building C


When: March 25th, 2008, 11:30am - 1:00pm

Who: Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Topic: Static Analysis Techniques for Testing Application Security

Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703.


When: February 26th, 2008 - Michael Howard, Author of Writing Secure Code

Topic: Microsoft's SDL: A Deep Dive

In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.


January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703.



2007


When: December 4th, 2007, 11:30am - 1:00pm

Who: Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)

Topic: Business Logic Flaws

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.

This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.


November 27th, 2007 Austin OWASP chapter meeting - Robert Hansen (SecTheory.com, ha.ckers.org; regarded as an expert in Web Application Security)

Robert will be talking about different ways to de-anonymize and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.

Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. See directions to Whole Foods.


October 2007 Austin OWASP chapter meeting - October 30th, 11:30am - 1:00pm at National Instruments. "Social networking" - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? Presented by Rich Vázquez and Tom Brown.


September 2007 Austin OWASP chapter meeting - Tue, September 25, 2007, 11:30 AM – 1:00 PM at Whole Foods, 550 Bowie Street, Austin.

  • "Biting the hand that feeds you" - A presentation on hosting malicious content under well-known domains to gain a victim's confidence.
  • "Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking.
  • "Covert Debugging - Circumventing Software Armoring techniques" - A presentation on advanced techniques automating and analyzing malicious code.


August 2007 Austin OWASP chapter meeting - 8/28, 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.

OWASP Testing Framework


July 2007 Austin OWASP chapter meeting - 7/31, 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery.


June 2007 Austin OWASP chapter meeting - 6/26, 11:30am - 1:00pm at National Instruments. James Wickett from Stokes Cigar Club presented on OWASP Top 10 and using Web Application Scanners to detect Vulnerabilities.


May 2007 Austin OWASP chapter meeting - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.


April 2007 Austin OWASP chapter meeting - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of MetaSploit) will be presenting.


March 2007 Austin OWASP chapter meeting - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.


January 2007 Austin Chapter Meeting - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.



2006


December Meeting - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!


November 2006 Austin Chapter Meeting - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.


October 2006 Austin Chapter Meeting - 10/31 - Boo!


September 2006 Austin Chapter Meeting - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White


August 2006 Austin Chapter Meeting - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See directions to National Instruments. Hint: It is on your left on Mopac if you were heading up to Fry's from Austin.


Austin OWASP chapter kickoff meeting - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)


Our Chapter Leadership

| Chapter Leadership Board Member Role | Responsibilities | Person(s) |
| --- | --- | --- |
| Chapter Leader | The central point of contact for the Chapter and responsible to the OWASP Board. Serves as Chapter Leader and Chapter board chair. | Kyle Smith |
| Sponsor Coordinator | Serves as the primary liaison between the Chapter and all sponsors, and solicits sponsors for the Chapter meetings, happy hours, LASCON, and other events. | Tiana Chandler |
| Speaker Coordinator | Seeks and schedules speakers for monthly Chapter meetings, LASCON, and other events. | Kate Brew |
| Education Coordinator | Coordinates all of the Chapter-sponsored educational offerings, to include the weekly Study Group and LASCON training. | Matt Pardo |
| PR/Marketing Coordinator | Provides marketing of LASCON and other Chapter events. | Ryan Murphy |
| Membership and Project Coordinator | Coordinates activities to grow individual and corporate memberships. Acts as project manager for events, such as LASCON, tracking assigned tasks and reporting progress. | Paul "griff" Griffiths |
| Events Committee | All of the Chapter Leadership Coordinators are responsible for coordinating aspects of events, including the annual Lonestar Application Security Conference (LASCON). The Chapter Leader acts as the committee chair. | Chapter Leadership Coordinators |
| Finance | The Chapter Leader is designated as primary person responsible for Chapter budget and Chapter expense approvals. The previous Chapter Leader is designated as secondary approver, who also will approve any expenses submitted by the Chapter Leader. | Kyle Smith - Primary; Tiana Chandler - Secondary |
| Advisory Board Members | Made up of previous Chapter leaders who provide mentoring, coaching, and assistance to the board and contribute to the Chapter’s success. | Tiana Chandler; Kyle Smith; David Hughes; James Wickett; Josh Sokol |

Sponsorship Opportunities with our Chapter

The Austin OWASP Chapter can offer your company several sponsorship opportunities. If you are interested in taking advantage of any of these opportunities, please contact Tiana Chandler, the Austin OWASP Chapter President.

Austin Security Professionals Happy Hour Sponsorship

The Austin OWASP Chapter organizes a monthly Austin Security Professionals Happy Hour event along with the Capitol of Texas ISSA Chapter. This event has historically drawn around 40 of Austin's finest security professionals for networking and more. Your sponsorship of this event includes appetizers and drinks for the attendees. Feel free to pass out business cards and network just like you would anywhere else. You'll find no better opportunity to get your name in front of 40+ security professionals for around $750 - $1000.

OWASP Meeting Lunch Sponsorship

Our monthly Austin OWASP meetings are held during a person's typical lunch hours from 11:30 AM to 1:00 PM. For your sponsorship of around $750 we can arrange food and drinks for up to 60 attendees. In exchange for your sponsorship, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the lunch sponsor in all e-mail communications about the meeting.

OWASP Meeting Presenter Sponsorship

Although OWASP is a non-profit organization, we strive to provide our members with the best presenters we possibly can. While the Austin area has tons of security talent, sometimes it's worthwhile to reach beyond our borders to pull in more awesome presenters. In exchange for covering travel expenses for these presenters, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the presenter sponsor in all e-mail communications about the meeting.

Lonestar Application Security Conference (LASCON) Sponsorship

The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas, which more Fortune 500 companies call home than any other state, and in Austin, which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.

Being a non-profit organization, we rely mostly on sponsorships to help us provide the funding to make LASCON successful.

Become a LASCON Sponsor

How to add a new Austin article

You can follow the instructions to make a new Austin article. Please use the appropriate structure and follow the Tutorial. Be sure to paste the following at the end of your article to make it show up in the Austin category:

[[Category:Austin]]