This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Bay Area"

From OWASP
Previous revision edit summary: (Local News)
Current revision edit summary: (OWASP Chapter Meeting Notice for 1/25)

This edit replaced the "Local News" announcement. The previous revision read:

'''!!!PLEASE RSVP TO Anastasia Stamos (mailto:anastasia@isecpartners.com) AS THERE IS LIMITED SPACE!!!'''

On September 21st, 2006 we will hold our first formal meeting. Time and coordinates for the meeting are below.

WHAT: The re-inaugural San Francisco OWASP Chapter Meeting.

WHEN: September 21st, 2006

        5:30-6:00    Social- Food and Drinks
        6:00-6:15    Chapter Announcements
        6:15-7:15    Presentation I- Alex Stamos
        7:15-7:30    Q and A/Stretch Break
        7:30-8:30    Presentation II- Jeremiah Grossman
        8:30-8:45    Q and A/Wrap Up

WHERE: iSEC Partners offices located @ 115 Sansome Street Suite 1005 (10th Floor), San Francisco, CA (http://www.isecpartners.com)

WHY: To network, socialize and learn more about Web Application Security

WHO: Brian Christian, the Chapter President, will give chapter details, and Alex Stamos, founding partner of iSEC Partners, and Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, will both speak about AJAX Security and JavaScript Malware. These are the same presentations that they gave in Las Vegas at BlackHat, so if you missed them there, here's your second chance! Refreshments and hors d'oeuvres will be provided. Parking, of course, will NOT be validated. See below for the speakers' details.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
Alex Stamos, Principal Partner, iSEC Partners

The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of "Web 2.0" technologies giving us faster, more exciting, and more useful web applications. One of the fundamentals of "Web 2.0" is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript.

Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser, has created new attacks as well as made classic web application attacks more difficult to prevent.

We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript.

ABOUT THE SPEAKER:

Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley.

-----------------------------------------------------------------------

Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.

Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.

Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.

During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats.

You'll see:

Port scanning and attacking intranet devices using JavaScript
Blind web server fingerprinting using unique URLs
Discovering NAT'ed IP addresses with Java Applets
Stealing web browser history with Cascading Style Sheets
Best-practice defense measures for securing websites
Essential habits for safe web surfing

ABOUT THE SPEAKER:

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

The replacement text is the current revision, shown in full below.

Revision as of 18:43, 18 January 2007

OWASP San Francisco

Welcome to the San Francisco chapter homepage. The chapter leader is Brian Christian.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


Local News

!!!PLEASE RSVP TO Anastasia Stamos (mailto:anastasia@isecpartners.com) AS THERE IS LIMITED SPACE!!!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


WHAT: San Francisco OWASP Chapter Meeting and Mixer

WHEN: Thursday, January 25th, 2007

6:00-6:30 Social (Food and Drinks) and Chapter Announcements

6:30-8:00 Presentation I "XML Digital Signature and Encryption: Use and Abuse": Brad Hill, iSEC Partners

8:00-8:15 Q and A

8:15-9:00 Presentation II: Patrick Stach, Stach and Liu

WHERE: iSEC Partners offices located @ 115 Sansome Street Suite 1005 (10th Floor), San Francisco, CA (http://www.isecpartners.com) We recommend arriving by public transit as parking is extremely limited.

WHY: To network, socialize and learn more about Web Application Security

WHO: Brian Christian, Chapter President, will give chapter details and Brad Hill of iSEC Partners will deliver the presentation "XML Digital Signature and Encryption: Use and Abuse".


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"XML Digital Signature and Encryption: Use and Abuse"

Abstract: The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Security Consultant - Brad Hill

Brad Hill is a Security Consultant with iSEC Partners. Brad Hill brings to iSEC a decade-plus background working with Internet technologies, including serving as the lead developer of Web applications and frameworks for one of the premier private label recordkeeping and management companies in the financial services industry, where his responsibilities also included security training, policy development and compliance. With iSEC he has performed penetration testing and design review for a wide spectrum of products and technologies, most recently participating in the Final Security Review of Microsoft Windows Vista. Brad achieved the Certified Information Systems Security Professional (CISSP) credential in 2004.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Presentation II

Abstract: This talk aims to outline a few commonly overlooked cryptographic vulnerabilities in web applications. The problems presented will range from attacks against various authentication schemes to improper certificate generation.

Director of Research and Development- Patrick Stach

Patrick Stach is Director of Research and Development at Stach & Liu, a firm providing advanced IT security consulting to the Fortune 500 and multi-national financial institutions. Before founding Stach & Liu, Patrick aided in the development of multiple industry leading security scanning engines. In addition to providing security consulting services to Mitsui Zaibatsu, he has led the network security teams for a number of major hosting providers.

Patrick has lectured on cryptanalysis at Kyoto University, taught as adjunct faculty at Network Associates' Japan Security Academy, and performs government-funded cryptanalysis. He is a developer of the Metasploit Framework and has presented at DefCon, Interz0ne, AtlantaCon, ToorCon, and PhreakNIC.