This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Washington DC"

== Welcome to the OWASP DC Local Chapter ==

The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware. In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters with common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

== Local News ==

'''December Meeting Debrief'''

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].

We also took care of some housekeeping stuff:

* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University's Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 2009. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here].
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].

To those who attended the meeting on Wednesday, thanks for coming out. We had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.
'''August 20th 6:30pm OWASP Meeting, Washington DC'''

This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.

This month, our agenda is as follows:

* Introduction to OWASP, Rex Booth
* The Big Picture: Web Risks and Assessments Beyond Scanning, Matt Fisher
* Security Conference Review: Black Hat & DefCon (group discussion)
* Open floor

Matt's talk will focus on the need to risk- and threat-model software and to pick the appropriate people, tools, and testing techniques to test against that threat model. In today's resource-constrained market many organizations are simply turning to automation to test their software security without truly understanding its limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether the current state of industry technology is effective against them.
 
 
 
'''July 23rd 6:30pm OWASP Meeting, Washington DC (Alexandria)'''

This month we will be holding our meeting at the Alexandria offices of [http://www.gt.com Grant Thornton] ([http://maps.google.com/maps?q=333+John+Carlyle+Street+Suite+500+Alexandria,+District+of+Columbia+22314+United+States&ie=UTF-8&oe=utf-8 333 John Carlyle Street Suite 500 Alexandria VA]).

The meeting will start at 1830. If you are late and cannot get in, please call 703.785.9390.

The presentation for this meeting will be a reprise of Mark and Doug's [http://onelittlewindow.org/blog/?p=26 Web Application Security and Why It Matters] talk, which was suggested/requested at the last meeting in Alexandria. The presentation will cover the OWASP Top 10 and include demonstrations of exploits of the Top 5. It is geared towards newcomers to [http://www.owasp.org OWASP], but we hope that all members in the DC Metro area will attend if they have a chance. We also hope to give the DC crowd a "state of the chapter" like we did at the last meeting in Columbia, and then open discussion of current events and/or any particular topics of interest will follow.

The presentation can be found [http://onelittlewindow.org/blog/wp-content/uploads/2008/07/webappsec-101-owasp-jul-08.pdf here].
 
 
 
'''June 11th 6:30pm OWASP Meeting, Columbia MD'''

This month we will be holding our meeting in Columbia MD at Aspect Security's offices ([http://maps.google.com/maps?ie=UTF8&oe=utf-8&client=firefox-a&q=9175+Guilford+Rd,+Columbia,+MD+21046,+USA&ll=39.16855,-76.84413&spn=0.010198,0.018797&z=16&iwloc=addr 9175 Guilford Rd, Ste 300, Columbia, MD 21046]). The meeting will start at 1830. If you are late to the meeting and cannot get in the door, please call 301-604-4882, or hack the door. The meeting will focus on [http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf HTTP Verb Tampering] and authentication bypass, with other topics as we have time.
 
 
 
'''March 20th 6pm OWASP Meeting, Columbia MD'''

This month we will be holding our meeting in Columbia MD at Aspect Security's offices (address below). The meeting will start at 6pm and last until around 9pm or so (depends on the crowd).

The topic for the meeting will be a presentation by Jeff Williams on his Enterprise Security API project. (Quick overview below.)

  '''Securing Java EE Applications with the OWASP Enterprise Security API (ESAPI)'''

  Jeff Williams, the CEO of Aspect Security and the volunteer Chair of the OWASP Foundation, will present the new OWASP Project he is leading: the OWASP Enterprise Security API (ESAPI). ESAPI is an API and reference implementation designed to make it as easy as possible for web developers to address the most common web application security vulnerabilities, including those discussed in the OWASP Top Ten.

  ESAPI defines a simple, well-structured, and obvious interface to all the classes and methods a developer needs to build a secure web application, and comes with a reference implementation and over 600 test cases. ESAPI includes numerous new security mechanisms that are simply not present in Java EE today, including intrusion detection! Correctness, completeness, and simplicity are the three primary design goals of ESAPI.

  ESAPI provides a worked example of most security challenges faced by enterprise developers. Developers, architects, and application security specialists can use ESAPI as a baseline for what is expected in their applications. This presentation will cover the basic structure of the API, why using it represents a significant reduction in application security costs, and even why it makes projects more agile.

Look forward to seeing everyone there, so don't forget to set your Outlook/Entourage/Notes calendars!

Location information:

  Aspect Security, Inc.
  9175 Guilford Road, Suite 300
  Columbia, MD 21046-2565
  Main: 301-604-4882

 
 
'''February 5th 6pm Meeting, New Location!'''

This meeting will be held at a new location thanks to a new host, [http://www.grantthorton.com Grant Thornton LLP].

Presentations

    I will be giving a presentation on the intersection between web application security and the attacker's mindset, the purpose of which is to drill home that web application security isn't just about SQL Injection, XSS, XSRF, and "web application compromises". My approach will be to outline various methods of abusing web applications to gain footholds on networks as well as leveraging vulns to "repurpose" existing web applications to the attacker's whim. The ultimate goal of this presentation is to drill home the fact that web applications (and their insecurities) provide an attacker an amazing attack surface to leverage for various purposes, purposes which I will talk about. A few quick highlights include discussions on PHP/ASP* back door shells, PHP based IRC bots, XSS based attack frameworks, Flash based attack frameworks, IDS evasion etc.

Location details

  Location:
  333 John Carlyle St
  Alexandria, VA 22314

 
 
'''The Day After'''

I want to thank everyone who attended as well as the two organizations that made yesterday's LIVE-O mini-con possible. If it were not for these two organizations the event would not have been nearly as enjoyable as it was.

      [http://www.honeyclient.org/trac/wiki MITRE HoneyClient Project]
      [http://www.gt.com Grant Thornton]
      [http://www.aspectsecurity.com/ Aspect Security]

I would also like to thank the presenters who put together the interesting topics and presented them to our chapter.

For all the presentations, notes, and thoughts of the attendees and presenters you can use the following link.

[[Washington_DC_LIVE-O]]

 
 
'''Thursday Sept 6th LIVE-O minicon!!'''

Well, it looks like I have been able to finally secure a location for the LIVE-O mini conference. The meeting will be held at 1:00pm at MITRE's McLean VA offices in the MITRE 1 Building. (Map to the location below.)

If you haven't already signed up you must do so ahead of time! Feel free to pass this link around to coworkers or friends who may be interested in attending. Seating is limited to 75 people, and as such we will not be able to take any more people once we have reached that limit. If you are not able to come after signing up, please use the same link to cancel your RSVP for the meeting. This will free up a seat for someone else to enjoy the awe-inspiring presentations we have lined up. ;)

List of presentations

    Honeyclients and Malicious Web Servers - Kathy Wang - MITRE
    A malcode perspective on web application privacy - Blake Hartstein - iDefense
    Practical Web Privacy with Firefox - Chuck Willis - Mandiant
    A sneak peek at Jeff's new "Enterprise Security API" - Jeff Williams - Aspect Security/OWASP
    Digital Rights Management - James Stibbards - Cloakware

Please make sure to have your ID with you for checking in when you arrive.

Map/Directions to Mini Con location

http://www.mitre.org/about/locations/mitre1_map.html

 
 
'''Thursday August 23rd 6pm Location Aspect Security, Columbia MD'''

I will be giving a presentation outlining some of the various "Rich Interactive Application" (RIA) frameworks that are being developed.

Here is the rough draft of the presentation.

Topics to go over
  (My unofficial plan - YTBD)
    Offline Web Application frameworks: The fifth horseman?
          I will be going over the basics of the four major "offline web app frameworks" (aka webocalypse)
                Adobe AIR
                Google Gears
                Microsoft Silverlight
                Sun JavaFX
            Try to go over the differences of each framework, where they fit, and why I think they suck
            Point out potential weaknesses of each framework
            Write a group letter to all the developers explaining the coming "webocalypse" (I'm joking of course)

'''Location Information'''

Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:

From I-95:

    * Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
    * Take the Broken Land Parkway exit
    * Turn left off the ramp onto Broken Land Parkway
    * Turn left at the light onto Guilford Road (0.5 miles)

After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]

We're on the third floor in Suite 300.

 
 
'''Wednesday March 28th 6pm Columbia, MD'''

This meeting will be held at Aspect Security's offices in Columbia MD. The address is below.

Food:

As usual, geek food will be provided. This usually means pizza and soda.

Getting there:

Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:

From I-95:

    * Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
    * Take the Broken Land Parkway exit
    * Turn left off the ramp onto Broken Land Parkway
    * Turn left at the light onto Guilford Road (0.5 miles)

After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]

We're on the third floor in Suite 300.

 
 
'''Meeting: February 15th 6PM'''

Andrew van der Stock will be giving a presentation on the following three topics:
    OWASP Top 10 2007
    Spring of Code 2007
    An update on OWASP Guide 3.0 status

Watch this space as it will be updated as the meeting nears.

'''Location information'''

Our hosts have asked that if you are to show up for the meeting, you patiently wait in the first floor lobby for someone to escort you into the conference room that we will be using.

Here is the address:

[http://www.sra.com/about/index.asp?id=457 SRA Locations]

:Arlington Center (NEW! Opened 7/17/06)
:3434 Washington Boulevard
:Arlington, VA  22201-4508
:Phone:  (703) 284-5000
  
  

Revision as of 21:43, 12 December 2008

Welcome to the OWASP DC Local Chapter


Chapter meetings are held several times a year, typically in the offices of our facility sponsor. Please subscribe to the mailing list for meeting announcements. You can also check out the archives of this page at Washington_DC Archives.


Chapter Sponsors

Facility Sponsor: Deloitte

Refreshment Sponsor: Securicon



Participation

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the DC-Maryland Chapter, send an email to one of the chapter co-chairs or the Mailing List.

Chapter Co-Chairs

Rex Booth

Mark Bristow

Doug Wilson


The new chapter Co-Chairs would like to extend our deepest thanks to Andre Ludwig for serving as the chapter chair for the past 3 years. You've done a great job, Dre, and we hope to continue to see you at chapter meetings.

Local News



December 10th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Presentation by Kevin Johnson, InGuardians
  • Round table Discussion of Portugal Summit
  • Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on Upcoming.org: http://upcoming.yahoo.com/event/1334575


October 15th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Adam Vincent, Hacking and Hardening Web Services
  • Doug Wilson, Report on AppSec NYC 2008
  • Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.