|
|
| (113 intermediate revisions by 13 users not shown) |
| Line 1: |
Line 1: |
| − | == Next Chapter Meeting: February 2, 2010 *New Location* == | + | |
| | + | |meetupurl=https://www.meetup.com/OWASP-Chicago-Chapter/|region=United States}} |
| | | | |
| − | The next quarterly Chicago OWASP Chapter meeting will be February 2nd, 2010 in the Monadnock Building conference room (53 W Jackson, 8th floor) at 6pm. Please RSVP to [email protected] by February 1st so we can enter your name into the building's security system. | + | Everyone is welcome to join us at our chapter meetings. |
| | | | |
| − | ==Agenda==
| + | [[Category:OWASP Chapter]] |
| − | | |
| − | 6:00 - Refreshments and Welcome
| |
| − | | |
| − | 6:15 - '''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''' - Erik Peterson, Veracode
| |
| − | | |
| − | 7:15 - '''Open Software Assurance Maturity Model (OpenSAMM)''' - Pravir Chandra, Fortify
| |
| − | | |
| − | | |
| − | == General Information ==
| |
| | | | |
| − | Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.
| + | If you're interested in speaking, sponsoring or hosting an event, [mailto:info@owasp-chicago.org please contact us]. |
| | + | <br/> |
| | + | = General Information = |
| | | | |
| − | Make sure you sign up for the mailing list to receive meeting announcements.
| + | Anyone in our area interested in application security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics. |
| | | | |
| − | We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago
| + | Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]<br> |
| | + | LinkedIn: https://www.linkedin.com/groups/4049846<br/> |
| | + | Chat with us on SLACK. https://owasp.slack.com/ |
| | + | <br/> |
| | + | <br/> |
| | | | |
| − | If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@ matasano.com Mike Tracy] or [mailto:[email protected] Jason Witty. ] | + | Interesting in being a sponsor or presenting at an event? Contact us at info@owasp-chicago.org |
| | | | |
| | | | |
| | | | |
| − | ==Presentation abstracts==
| |
| − |
| |
| − | ''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''
| |
| − |
| |
| − | ABSTRACT
| |
| − |
| |
| − | With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
| |
| − | Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
| |
| − | In this session we will cover;
| |
| − | * Prevalence of backdoors and malicious code in third party attacks
| |
| − | * Definitions and classifications of backdoors and their impact on your applications
| |
| − | * Methods to identify, track and remediate these vulnerabilities
| |
| − |
| |
| − | SPEAKER BIO
| |
| − |
| |
| − | Erik Peterson from Veracode will be presenting.
| |
| − |
| |
| − |
| |
| − | ''Open Software Assurance Maturity Model (OpenSAMM)''
| |
| − |
| |
| − | ABSTRACT
| |
| − |
| |
| − | The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.
| |
| − |
| |
| − |
| |
| − | SPEAKER BIO
| |
| − |
| |
| − | Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.
| |
| − |
| |
| − | == Presentation Archives ==
| |
| − |
| |
| − | Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]
| |
| − |
| |
| − | Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]
| |
| − |
| |
| − | Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]
| |
| − |
| |
| − | Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here]<BR>
| |
| − |
| |
| − | Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here]<BR>
| |
| − |
| |
| − |
| |
| − | '''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
| |
| − | Thomas Ptacek, Matasano Security
| |
| − |
| |
| − | Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.
| |
| − |
| |
| − | In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:
| |
| − |
| |
| − | - Locating and Decompiling Java and .NET Code
| |
| − | - Structure and Interpretation of Binary Protocols in HTTP
| |
| − | - Protocol Debugging Tools
| |
| − | - Web App Crypto Tricks
| |
| − |
| |
| − | '''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
| |
| − | Cory Scott, ABN AMRO
| |
| − |
| |
| − | A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.
| |
| − |
| |
| − |
| |
| − |
| |
| − | <paypal>Chicago</paypal>
| |
| − |
| |
| − | ==== Chicago OWASP Chapter Leaders ====
| |
| − | | |
| − |
| |
| − | | |
| | __NOTOC__ | | __NOTOC__ |
| − | <headertabs/> | + | <headertabs /> |
| − | [[Category:OWASP Chapter]]
| |
| − | [[Category:Illinois]]
| |
Anyone in our area interested in application security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? 
