Revision as of 15:34, 5 September 2019
OWASP Cincinnati
Welcome to the Cincinnati chapter homepage. The chapter leader is Adam Leisring.
Participation
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Sponsorship/Membership
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
Welcome to the Cincinnati U.S.A. OWASP Local Chapter. The chapter lead is Adam Leisring. The OWASP chapter meetings are free and open to anyone interested in information security, risk management, data protection and application security. Chapter meetings are usually held monthly. If you have never attended a meeting before and you are interested to attend one in the future, please join the mailing list. The mailing list is also used for sharing application security knowledge among the local community members. You can also review the email archives to see what local folks have been talking about.
The board currently includes the following members:
Chapter Leader: Adam Leisring
Chapter Board Member: Kristen Smith
Chapter Board Member: Lee Epling
If you are interested in presenting at one of the chapter meetings please send an abstract and bio to the chapter chair (Adam Leisring). Prior to participating, please review the Chapter Rules.
August 2019 Meeting
Server Side Request Forgery (SSRF) Attack Scenario and Defense Options
When: August 28th, 2019. 11:30 AM
Where: Paycor, 4811 Montgomery Road, Norwood, Ohio 45212
Discussion Abstract: A relatively new attack in today's threat landscape is Server Side Request Forgery, or SSRF. Theorized by many to have been the initial attack vector in the recent Capital One breach, this attack could provide external "command proxy" type access to an interested threat actor in a difficult-to-mitigate fashion. During this session, CBTS will talk about the typical flow of an SSRF attack, execute a demo attack against a target, and discuss possible defense scenarios that can be used to detect and/or protect an organization from this potential exposure.
Speaker Biography:
Nate Fair - Currently an information security consultant on the CBTS Security Services Team. Our team performs security services for 5-man shops and Fortune 5s. Services performed include network and wireless penetration testing, vulnerability assessments, security architecture and program reviews, web application testing, and physical security assessments. Nate also teaches penetration testing at the University of Cincinnati and is part of the team behind BSides Cincinnati, helping create its CTF competition.
Ryan Hamrick - While gaining experience in a number of business verticals including manufacturing, finance/banking, and technology consultancy, Ryan Hamrick has performed at a high level in the security industry for the past 11 years. In an IT career spanning 20+ years, Ryan has gained expertise in a wide variety of areas, spanning software engineering, web application design and deployment, desktop support, security incident response, and security engineering. He is currently applying the knowledge gained through these experiences to provide expert-level security consulting services for CBTS customers, focusing on security policy and procedure design, holistic security architecture review, web application assessments, external and internal penetration testing and vulnerability assessments, social engineering assessments, and cloud security assessments.
Link to Presentation: https://www.owasp.org/index.php/File:SSRF.pdf
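As an added example (not code from the talk or the linked slides), the guard below shows the vulnerable pattern beside a hardened URL check: scheme restriction, rejection of userinfo, an optional host allowlist, and a check of every address the host resolves to against loopback, private, link-local (which contains the 169.254.169.254 instance-metadata endpoint) and IPv4-mapped IPv6 ranges. The function names, the example.com hosts and the FAKE_DNS table are assumptions constructed so the block runs offline.

```python
# Added example, not code from the CBTS talk; names and FAKE_DNS are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server must never fetch on a client's behalf (169.254.0.0/16
# contains the cloud instance-metadata endpoint 169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline (live code uses resolve_with_dns).
# "2130706433" mimics inet_aton() accepting decimal 127.0.0.1, which a "127." string
# filter never sees.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.30.40"],
    "2130706433": ["127.0.0.1"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def resolve_with_dns(host):
    """Live resolver: every address the name maps to, IPv4 and IPv6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

class SSRFBlocked(ValueError):
    """The client-supplied URL must not be fetched."""

def vulnerable_target(url):
    """The pattern SSRF abuses: fetch whatever URL the client hands over.
    A real handler would call requests.get(url) on the returned value."""
    return url

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # [::ffff:127.0.0.1]
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def safe_target(url, resolve=resolve_with_dns, allowed_hosts=None):
    """Validate a client-supplied URL; return (pinned_ip, host, port, path).
    The caller must connect to pinned_ip (sending Host: host) and must not
    follow redirects automatically; each redirect target gets a fresh call.
    Otherwise DNS rebinding or a 302 to 169.254.169.254 gets past this check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL")  # http://www.example.com@127.0.0.1/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SSRFBlocked("host not on allowlist: %r" % host)
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise SSRFBlocked("invalid port")
    # A literal IP is checked as given; a name is resolved and every address it
    # maps to is checked, so an allowlisted name pointing inward is still refused.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked("unresolvable host: %r" % host)
    for addr in addrs:
        if is_blocked_address(addr):
            raise SSRFBlocked("resolves to internal address %s" % addr)
    return addrs[0], host, port, parts.path or "/"

def check_urls(urls, resolve=fake_resolve, allowed_hosts=None):
    """Map each URL to 'ok <pinned ip>' or 'blocked: <reason>'."""
    verdicts = {}
    for url in urls:
        try:
            verdicts[url] = "ok " + safe_target(url, resolve, allowed_hosts)[0]
        except SSRFBlocked as exc:
            verdicts[url] = "blocked: " + str(exc)
    return verdicts

ATTACK_URLS = [  # constructed inputs: one legitimate, the rest hostile
    "http://www.example.com/status",
    "file:///etc/passwd",
    "http://127.0.0.1:8080/admin",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[::ffff:127.0.0.1]/",
    "http://2130706433/",
    "http://www.example.com@127.0.0.1/",
    "http://intranet.example.com/",
]

if __name__ == "__main__":
    for url, verdict in check_urls(ATTACK_URLS).items():
        print(verdict.ljust(48), url)
```

Checking the resolved address rather than the URL string is what stops the decimal, bracketed-IPv6 and userinfo spellings above; connecting to the pinned IP with an explicit Host header and validating each redirect hop separately closes the DNS-rebinding and open-redirect routes the docstring mentions. Where the feature permits one, an allowlist of outbound destinations (the allowed_hosts layer) remains the stronger control, and egress filtering from the application subnet is the detection point the abstract alludes to.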
June 2019 Meeting
Managing Open Source Library Risk
Discussion Abstract: The rate at which modern applications are growing is beyond comprehension. To speed development, a major chunk of the code being developed consists of open source components, making it difficult for developers and development teams to manage on their own.
The use of these components can inadvertently bring in security and compliance risks to the product and company. This presentation will focus on the importance of managing the open source components and risks associated with them.
Speaker Biography: Dhanashree is an Application Security Analyst with Paycor Inc. Apart from pentesting web and mobile applications, her focus areas include working with development teams to help build security into the SDLC. She formerly worked as a security consultant and team lead with security services companies in the telecom and healthcare domains.
Presentation: https://www.owasp.org/images/0/0c/Managing_Open_Source_Library_Risks.pdf
March 2019 Meeting
Application Security in a DevOps World
- When: March 13th, 2019 - 11:30 AM to 12:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/cincy-owasp-mach-meeting-application-security-in-a-devops-world-tickets-56804071507
Hello OWASP Cincinnati! The spring thaw is nearly here, and in efforts to expedite the thaw let's discuss the very hot topic of AppSec in DevOps. Join us for an insightful presentation on how security requirements can still be met in this brave new DevOps world in a discussion led by Ed Arnold, Security Solution Architect with Qualys.
Agenda:
- Speaker and topic introduction
- Presentation - "Application Security in a DevOps World" by Ed Arnold
- Roundtable Discussion Opportunity
- Housekeeping and Meeting Closure
Discussion Abstract:
Jenkins, Travis CI, Bamboo, Docker, AWS, API, Agile, CI/CD are the new mainstream vocabulary of Developers who want more control over their processes, and businesses that increasingly prioritize time-to-market. After working for years to get into developers' workflows, how can security practitioners keep pace with these "new" terms and the technology behind them? This presentation will discuss the challenges that may cause some security teams to give up in this new paradigm, and solutions to help ensure they remain in the game.
Biography:
Ed Arnold is a Security Solution Architect with Qualys, focusing on web application scanning and malware detection. He formerly held positions of Senior Security Engineer, Technical Architect and Principal Security Consultant over a twelve-year security career. Ed is focused on automating security testing and enabling developers to proactively address security issues.
Presentation: Coming Soon
January 2019 Meeting
Where Does It Hurt? - The Anatomy of a Data Breach
- When: January 24, 2019 11:30 AM to 1:00 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/cincinnati-owasp-january-meeting-tickets-54350858882
Happy 2019 OWASP Cincinnati! Let's kick off the new year with a presentation pertaining to the anatomy of a data breach with specific focus on state-level notification requirements as well as broader trends in the realm of requirements in data security and privacy law. Pizza will be provided.
Agenda:
- Speaker Introduction, Topic Overview, and OWASP Relevancy
- Presentation - "Where Does It Hurt? - The Anatomy of a Data Breach" by Zach Briggs
- Roundtable Discussion Opportunity
- Housekeeping and Meeting Closure
Discussion Abstract:
Awareness is not understanding. In the age of Google and WebMD, people are aware of a lot, but they don’t understand nearly as much. Case in point - all that causes sickness is not cancer, not all who lose data have had a breach.
My goal in this presentation is to challenge your understanding of what makes up a data breach by explaining its full anatomy so that you can diagnose where it hurts and how to fix it or if you are even sick at all. All while sharing some of life’s best medicine (laughter) along the way.
Biography:
Zach Briggs is Corporate Compliance Counsel at Paycor, a human capital management SaaS company based in Cincinnati. He has a management degree from Purdue University and his Juris Doctor from Northern Kentucky University. Zach enjoys seeing how things work and making them work better. He is responsible for driving compliance initiatives across Paycor’s entire organization, but has a special place in his heart for his friends in InfoSec.
https://www.linkedin.com/in/zacharybriggs/
Presentation: OWASP - Anatomy of a Data Breach
Meeting Sponsor: Paycor
November 2018 Meeting
AppSec Program: Real World Examples
- When: November 13, 2018 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-cincinnati-november-2018-registration-51705278881
Who: Bill Young - Cincinnati Children's Hospital
Bio: Bill Young is Senior Security Analyst at Cincinnati Children’s Hospital. He’s held various roles over the course of his 15-year IT career including desktop support technician, system administrator, virtual desktop administrator and web application developer. He currently works in security, building an application security program and doing web application penetration testing. Outside of work he is married and has 5 children. He’s a proud member of the Knights of Columbus catholic charity organization and a big sports fan.
Abstract: Industry reports, such as the Verizon Data Breach Investigations Report, consistently rank web applications as one of the top attack patterns that result in data breaches. This is increasingly reinforced as web application breaches from Yahoo, Equifax, Facebook and Google+ have all made the mainstream media over the last two years.
The de facto security controls of the past decade (IPS/IDS, network firewalls, web application firewalls) offer limited mitigation for on-premise applications and even less for cloud-based applications. To properly protect applications, the responsibility for securing them must be shared amongst the security, development and operations teams and security must be integrated in all phases of the development lifecycle.
In this talk, I will share our experience creating and expanding an application security program that aims to do just that. I will share the approaches we took (good, bad and ugly) to creating our long-term vision and goals, measuring our progress, engaging the development, operations and management teams, and creating security testing processes.
Presentation: A copy of the presentation can be found here
Meeting Sponsor: TekSystems
October 2018 Meeting
SecureWorld Expo Cincinnati Meetup
- When: October 17, 2018 8:00 AM to 4:30 PM (ET)
- Location
Sharonville Convention Center 11355 Chester Rd Cincinnati, OH 45246
- Register at https://secureworld.ungerboeck.com/prod/emc00/PublicSignIn.aspx?&SessionID=fa7fh5fg2ej8fb5fg2&Lang=
Join us at SecureWorld Expo Cincinnati 2018! We will have a booth set up in the exhibition hall and will be talking all things security, especially AppSec! Additionally, Andy Willingham will be moderating a panel discussion on Phishing and Social Engineering. Come and learn some new tricks and freshen up on the old ones. We will have a meetup at the end of the event to discuss our November meeting and look ahead to 2019.
June 2018 Meeting
OWASP Top 10 2017 Release
- When: June 12, 2018 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-cincinnati-june-2018-tickets-46674750435
Who: Andy Willingham - OWASP
Abstract: 2017 saw the release of a new version of the OWASP Top 10 and there are lots of changes that we need to be aware of. We will look at the current Top 10 and talk about what’s new, what’s changed, and why we need to be aware.
Bio: Andy is the OWASP Cincinnati Chapter Lead and works for a local health care provider, helping them secure their environment and provide world-class healthcare to the region. He has been in the field of technology for over 20 years and in information security for over 15 years.
Presentation: Coming Soon!
Meeting Sponsor: Signal Sciences
February 2018 Meeting
Credential Stuffing
- When: Feb 13, 2018 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-cincinnati-february-2018-tickets-42786752328
Who: Adam Leisring - Paycor
Abstract: Just last year, over three billion credentials were reported stolen from various sources in both small and large amounts. Credential theft and “stuffing” is a real and present threat to all organizations and the risk of account takeover, particularly for privileged accounts, is substantial. In this presentation, we’ll take a journey through the various stages of credential stuffing from theft, to sale, to actual stuffing on sites. Next, we’ll review some tested controls that you can put in place to either detect or prevent this threat against your enterprise.
Bio: Adam is the Director of Information Security for Paycor, one of the largest independently held Human Capital Management companies in America. He oversees Information Security for Paycor’s 1400 associates as well as Paycor’s 30,000 clients of their award-winning Software as a Service product. In past positions, he has served in leadership roles including Technical Services and Operations, Enterprise Architecture and Software Engineering. Adam holds CISSP and CISM certifications as well as a Master’s Certificate in Corporate Information Security. Adam is a volunteer in ISC(2)’s Safe and Secure Online program which spreads security awareness to children at local schools.
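An added example (not from the talk): a detector for the "stuffing" stage, run over constructed authentication log lines. It separates the wide-and-shallow shape of credential stuffing (many usernames, about one try each, almost all failing) from brute force (one username, many tries), and reports which accounts the stolen pairs actually opened so they can be reset. The log format, field names, thresholds and the group_by option are assumptions; grouping by user agent as well as source IP is the generalization the sample uses to catch an attacker who rotates proxies.

```python
# Added example, not from the talk. Log format, thresholds and sample lines
# are constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def constructed_log():
    """Constructed auth log: '<utc time>Z ip=.. ua=.. user=.. result=ok|fail'."""
    t0 = datetime(2018, 2, 13, 12, 0, 0)
    lines = []
    # Stuffing: one source tries each leaked username once; one pair still works.
    leaked = ["alice", "bob", "carol", "dave", "erin", "frank", "grace",
              "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(leaked):
        result = "ok" if user == "dave" else "fail"
        lines.append("%sZ ip=203.0.113.7 ua=python-requests/2.18 user=%s result=%s"
                     % ((t0 + timedelta(seconds=i)).isoformat(), user, result))
    # Brute force: one source hammers one account (many tries, one username).
    for i in range(20):
        lines.append("%sZ ip=198.51.100.2 ua=Mozilla/5.0 user=bob result=fail"
                     % (t0 + timedelta(seconds=30 + i)).isoformat())
    # Normal user: a typo, then success.
    lines.append("%sZ ip=192.0.2.10 ua=Mozilla/5.0 user=erin result=fail"
                 % (t0 + timedelta(minutes=3)).isoformat())
    lines.append("%sZ ip=192.0.2.10 ua=Mozilla/5.0 user=erin result=ok"
                 % (t0 + timedelta(minutes=3, seconds=20)).isoformat())
    return lines

def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, LOG_FORMAT), fields

def detect_stuffing(lines, group_by="ip", window=timedelta(minutes=5),
                    min_users=10, max_tries_per_user=1.5):
    """Return {source: stats} for sources whose attempts, within `window`,
    spread over >= min_users distinct usernames at roughly one try each.
    That shape (wide, shallow, mostly failing) is stuffing; many tries on one
    username is brute force and is deliberately left to a separate rule.
    group_by picks the source field: 'ip', or 'ua' when the attacker rotates
    proxies but keeps one client fingerprint."""
    by_source = defaultdict(list)
    for line in lines:
        ts, f = parse_line(line)
        by_source[f[group_by]].append((ts, f["user"], f["result"] == "ok"))
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users or len(win) / len(users) > max_tries_per_user:
                continue                         # too narrow, or brute-force shape
            if best is None or len(users) > best["distinct_users"]:
                best = {"attempts": len(win), "distinct_users": len(users),
                        "compromised": sorted(u for _, u, ok in win if ok)}
        if best is not None:
            flagged[source] = best
    return flagged

if __name__ == "__main__":
    for source, stats in detect_stuffing(constructed_log()).items():
        print(source, stats)
```

The "compromised" list is the prevention hook: those are the accounts whose leaked password still works and need a forced reset and a login-notification, while the flagged source gets rate-limited or challenged. Real stuffing is spread across thousands of proxy addresses, so running the same detector keyed on user agent, TLS fingerprint or ASN, as group_by allows, matters more than the per-IP view.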
November 2017 Meeting
GDPR: What is it and Why do I care?
- When: Nov 4, 2017 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-cincinnati-april-2017-tickets-33729747583
- Who: Rohit Sethi - Security Compass
- Abstract: This is an open discussion around GDPR to help all of us understand it and learn some things that we need to focus on as we get ready to comply.
October 2017 Events
NKU CyberSecurity Symposium
- When: Oct 13, 2017 8:30 AM to 4:00 PM (ET)
- Location
Northern Kentucky University Student Union Center
- Details: Join us at the 10th Annual CyberSecurity Symposium. This promises to be a full day of learning and networking. We will have a booth set up in the Exhibitors area, so stop by and say "Hi". Additionally, Andy Willingham will be speaking on SecDevOps.
SecureWorld Expo Cincinnati
- When: Oct 24, 2017 8:30 AM to 4:00 PM (ET)
- Location
Sharonville Convention Center 11355 Chester Rd Sharonville, OH 45246
- Details: Join us at the 3rd Annual SecureWorld Expo. This promises to be a full day of learning and networking. We will have a booth set up in the Exhibitors area, so stop by and say "Hi". Additionally, Andy Willingham will be speaking on making the most of your relationship with your audit teams.
May 2017 Event
Interface Cincinnati Conference
- When: May 24, 2017 8:30 AM to 4:45 PM (ET)
- Location
Duke Energy Convention Center Junior Ballroom 525 Elm St, Cincinnati, OH 45202
- Register by RSVP here: http://interfacetour.com/register/
- Details: Join us as we welcome the Interface Tour to Cincinnati. This promises to be a full day of learning and networking. We will have a booth set up in the Exhibitors area, so stop by and say "Hi". We will also be participating in a panel discussion or two. The keynote speaker will be Brian Keys, VP of Technology for the Cincinnati Reds. You can earn 6.5 continuing education credits, and there is NO COST to attend!
April 2017 Meeting
Application Security Management- How Billion Dollar Enterprises Manage Application Security at Scale
- When: April 27, 2017 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-cincinnati-april-2017-tickets-33729747583
- Who: Rohit Sethi - Security Compass
- Abstract: Security Compass recently completed a research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.
- Speaker Bio: Rohit Sethi is a specialist in software security requirements. He has helped improve software security at some of the world's most security-sensitive organizations in financial services, software, e-commerce, healthcare, telecom and other industries. Rohit has built and taught courses on Secure J2EE development. He also created the OWASP Design Patterns Security Analysis project. In his current role, Rohit manages the SD Elements team at Security Compass. Previously, Rohit managed the consulting practice at Security Compass. Mr. Sethi has appeared as a security expert on television outlets such as Bloomberg, CNBC, FoxNews, CBC, CTV and BNN. Rohit has spoken at numerous industry conferences, such as FS-ISAC, RSA, OWASP, Secure Development Conference, Shmoocon, CSI National, SecTor, CFI-CIRT, and many others. He has been quoted in and/or written articles for several websites such as CNN.com, the Huffington Post, InfoQ, and Dr. Dobb's Journal.
Presentation: A copy of the presentation can be found here
Meeting Sponsor:
March 2017 Meeting
OWASP 2017
- When: March 28, 2017 12:00 PM to 1:30 PM (ET)
- Location
Paycor 4811 Montgomery Rd Cincinnati, OH 45212
- Register by RSVP here: https://www.eventbrite.com/e/owasp-march-2017-tickets-33054028489
- Who: Allison Shubert and Andy Willingham
- Abstract: Join us for our 2017 Kick-off meeting. We will discuss the recent RSA Conference, SecDevOps, and enjoy a chance to network with others while eating Pizza. What could be better?
- Speaker Bio:
- Presentation: A copy of the presentation can be found here