
Difference between revisions of "Chicago"

Line 15: Line 15:
 
==== Chapter Meetings ====
 
==== Chapter Meetings ====
  
The next quarterly Chicago OWASP Chapter meeting will be November 13th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to [email protected] by November 12th so we can enter your name into the building's security system.
+
The next quarterly Chicago OWASP Chapter meeting will be April 29th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to [email protected] by April 28th so we can enter your name into the building's security system.
  
  
 
===Agenda===
 
===Agenda===
  
6:00 Refreshments and Networking / Overview of recent OWASP projects - Cory Scott
+
6:00 Refreshments and Welcome
  
6:15 Concurrency Attacks in Web Applications - Scott Stender, iSEC Partners
+
6:15 Doing more with less? : Automate or Die - Ed Bellis, Orbitz
  
7:15 The Seven Deadly Features of Web Applications - Matasano Security
+
7:10 AppSensor: Real Time Defenses against Application Worms and Malicious Attackers - Michael Coates, Aspect Security
 +
 
 +
7:50 Rich Internet Applications - Rafal Los
  
 
===Presentation abstracts===
 
===Presentation abstracts===
  
''Concurrency Attacks in Web Applications''
+
''Doing more with less? : Automate or Die''
  
 
ABSTRACT
 
ABSTRACT
  
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.  
+
The harsh economic climate has hit us all in some way. Budgets are trimmed and spending is down. We are continuously asked to do more with less, but how? Certainly the attackers aren’t spending less! Our web applications continue to grow in size and complexity. So what can an InfoSec team do to become more efficient and still effectively protect our applications?
 +
 
 +
At Orbitz, our team took a hard look at where we were spending a lot of our time – the grunt work – and how we could spend less of it. After building out a fairly comprehensive vulnerability management program and using a lot of best in breed tools, we found ourselves with an overabundance of manual labor on our hands putting together the pieces of our vulnerability puzzle. After looking around the market space, we found nothing that could really help us with this growing problem. Low and behold, there’s a government set of standards now to put all this together. What the heck, let’s build it!
 +
 
 +
SPEAKER BIO
 +
 
 +
Ed Bellis is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.
 +
 
 +
With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.
  
Web application developers must carefully manage access to all resources that can shared by threads. Global variables, session variables, back-end systems, and application-specific data stores are common examples of such resources.
+
Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.  
  
Concurrency flaws result when access to shared resources is not managed properly - something that is easy to do when the development environment purposefully encapsulates and abstracts the resources that need to be managed!  When manipulating those resources carries a security impact, the attackers take notice.
 
  
Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is our opinion that concurrency flaws, especially in the context of web applications, share this attribute. This presentation will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.
+
''AppSensor: Real Time Defenses against Application Worms and Malicious Attackers''
 +
 
 +
ABSTRACT
 +
 
 +
The OWASP AppSensor project was created to address the lack of defensive systems within applications. Regardless if an application is secure or insecure, malicious actions should be recorded, analyzed and responded to by the system. It is unacceptable to allow an attacker unrestricted attack attempts against the application. Eventually a known or unknown vulnerability will be discovered by the attacker and exploited. AppSensor monitors attack activity and takes defensive actions such as throttling or disabling the malicious account. Behavior analysis techniques are also employed to identify application worms. Defensive techniques are described which provide real-time containment of the application worm while maintaining overall system availability.
  
 
SPEAKER BIO
 
SPEAKER BIO
  
Scott Stender
+
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and is completing a Masters Degree in Computer Security from DePaul University. In past years, Michael assessed the security of GSM and WiMAX telecommunication networks, application and network systems for financial institutions and performed social engineering testing.
Principal Partner, iSEC Partners
 
 
 
Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.
 
  
 
== Presentation Archives ==
 
== Presentation Archives ==
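Review bot: the two November talks removed at the top of this hunk (Concurrency Attacks in Web Applications, The Seven Deadly Features of Web Applications) are not carried over into the "Presentation Archives" section that closes the hunk, so this revision drops them from the page entirely; consider adding them to the archive list in the same "Title - Speaker" form the other archived talks use.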

Revision as of 17:17, 12 April 2009

OWASP Chicago

Welcome to the Chicago chapter homepage. The chapter leaders are Cory Scott and Jason Witty.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


Local News


Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders Cory Scott or Jason Witty.

The Chicago chapter is sponsored by Bank of America[1]

Chapter Meetings

The next quarterly Chicago OWASP Chapter meeting will be April 29th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to [email protected] by April 28th so we can enter your name into the building's security system.


Agenda

6:00 Refreshments and Welcome

6:15 Doing more with less? : Automate or Die - Ed Bellis, Orbitz

7:10 AppSensor: Real Time Defenses against Application Worms and Malicious Attackers - Michael Coates, Aspect Security

7:50 Rich Internet Applications - Rafal Los

Presentation abstracts

Doing more with less? : Automate or Die

ABSTRACT

The harsh economic climate has hit us all in some way. Budgets are trimmed and spending is down. We are continuously asked to do more with less, but how? Certainly the attackers aren’t spending less! Our web applications continue to grow in size and complexity. So what can an InfoSec team do to become more efficient and still effectively protect our applications?

At Orbitz, our team took a hard look at where we were spending a lot of our time – the grunt work – and how we could spend less of it. After building out a fairly comprehensive vulnerability management program and using a lot of best-in-breed tools, we found ourselves with an overabundance of manual labor on our hands putting together the pieces of our vulnerability puzzle. After looking around the market space, we found nothing that could really help us with this growing problem. Lo and behold, there's a government set of standards now to put all this together. What the heck, let's build it!

SPEAKER BIO

Ed Bellis is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.

With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.

Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.


AppSensor: Real Time Defenses against Application Worms and Malicious Attackers

ABSTRACT

The OWASP AppSensor project was created to address the lack of defensive systems within applications. Regardless of whether an application is secure or insecure, malicious actions should be recorded, analyzed and responded to by the system. It is unacceptable to allow an attacker unrestricted attack attempts against the application. Eventually a known or unknown vulnerability will be discovered by the attacker and exploited. AppSensor monitors attack activity and takes defensive actions such as throttling or disabling the malicious account. Behavior analysis techniques are also employed to identify application worms. Defensive techniques are described which provide real-time containment of the application worm while maintaining overall system availability.

SPEAKER BIO

Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and is completing a Masters Degree in Computer Security from DePaul University. In past years, Michael assessed the security of GSM and WiMAX telecommunication networks, application and network systems for financial institutions and performed social engineering testing.
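The AppSensor abstract above describes an application that records suspicious events, counts them against a policy and responds by throttling or disabling the account. The following is an added illustration of that detection-and-response loop; it is not code from the OWASP AppSensor project. The detection point names (AUTH_FAILED_LOGIN, ACCESS_UNEXPECTED_RESOURCE), the thresholds, the 30-second throttle delay and the replayed event stream are all constructed for this example.

```python
"""Minimal AppSensor-style in-application detection and response.

Added illustration, not the OWASP AppSensor project's own code. Detection
point identifiers, thresholds and the sample event stream are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Per-detection-point policy: response -> (event count, window in seconds).
# Constructed numbers; a real deployment tunes these to the application.
POLICY: Dict[str, Dict[str, Tuple[int, int]]] = {
    "AUTH_FAILED_LOGIN": {"throttle": (3, 60), "lock": (6, 300)},
    "ACCESS_UNEXPECTED_RESOURCE": {"throttle": (2, 60), "lock": (4, 300)},
}

# Longest window any policy refers to; older events can be forgotten.
MAX_WINDOW = max(w for p in POLICY.values() for _, w in p.values())


@dataclass
class AppSensor:
    """Records suspicious events per (user, detection point) and responds."""
    events: Dict[Tuple[str, str], Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    locked: Set[str] = field(default_factory=set)
    throttled_until: Dict[str, float] = field(default_factory=dict)

    def record(self, user: str, point: str, ts: float) -> str:
        """Record one event at time ts and return the response chosen."""
        if user in self.locked:
            return "locked"              # account already disabled
        q = self.events[(user, point)]
        q.append(ts)
        while q and ts - q[0] > MAX_WINDOW:
            q.popleft()                  # drop events outside every window
        policy = POLICY[point]
        # Check the strongest response first so escalation wins.
        for response in ("lock", "throttle"):
            limit, window = policy[response]
            recent = sum(1 for t in q if ts - t <= window)
            if recent >= limit:
                if response == "lock":
                    self.locked.add(user)
                else:
                    self.throttled_until[user] = ts + 30  # constructed delay
                return response
        return "log"                     # below threshold: record only


def run_sample() -> List[str]:
    """Replay a constructed event stream and return the response per event."""
    sensor = AppSensor()
    # (timestamp, user, detection point): constructed sample data
    stream = [
        (0, "alice", "AUTH_FAILED_LOGIN"),
        (10, "alice", "AUTH_FAILED_LOGIN"),
        (20, "alice", "AUTH_FAILED_LOGIN"),
        (25, "bob", "ACCESS_UNEXPECTED_RESOURCE"),
        (30, "alice", "AUTH_FAILED_LOGIN"),
        (40, "alice", "AUTH_FAILED_LOGIN"),
        (50, "alice", "AUTH_FAILED_LOGIN"),
        (60, "alice", "AUTH_FAILED_LOGIN"),
        (400, "bob", "ACCESS_UNEXPECTED_RESOURCE"),
    ]
    return [sensor.record(u, p, float(ts)) for ts, u, p in stream]


if __name__ == "__main__":
    for ts_response in run_sample():
        print(ts_response)
```

Replaying the stream, alice's third failed login within a minute triggers a throttle, the sixth within five minutes locks the account, and every later event from her is answered with "locked" without further evaluation; bob's two events fall outside each other's windows and are only logged. Keeping the thresholds in a policy table rather than in the detection code is what lets the response be tightened or relaxed without touching the application.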

Presentation Archives

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides here

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides here

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides here

Automated Thrash Testing - Andre Gironda - Presentation slides here

Defeating Information Leak Prevention - Eric Monti - Presentation slides here


[2] Webapps In Name Only - Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

[3] Token-less strong authentication for web applications: A Security Review - Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication but which do not implement "true" two-factor technologies, for logistical-cost or user-acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.
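As an added illustration of the two token-less signals named in this abstract (not code from the talk or from ABN AMRO), the following combines a device fingerprint with an IP geolocation result into a risk score for a login that has already passed the password check. The client attributes hashed into the fingerprint, the score weights, the allow/challenge/block thresholds and the replayed login attempts are constructed assumptions; the country lookup is assumed to have been done by the caller.

```python
"""Risk-based login decision from device fingerprint and IP geolocation.

Added illustration, not the presenter's or ABN AMRO's code. Field choices,
weights, thresholds and sample logins are constructed for this example.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginContext:
    """What the server can observe about one login attempt (constructed)."""
    user: str
    user_agent: str
    accept_language: str
    screen: str        # e.g. "1280x800", reported by client-side script
    ip_country: str    # result of an IP geolocation lookup done by the caller


def device_fingerprint(ctx: LoginContext) -> str:
    """Hash a handful of client attributes into a device identifier.

    Any attribute change (browser upgrade, new language setting) yields a
    new identifier, so a mismatch is a risk signal, not proof of an attack.
    """
    raw = "|".join((ctx.user_agent, ctx.accept_language, ctx.screen))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


@dataclass
class RiskEngine:
    """Combines device and location signals into a login decision."""
    known_devices: Dict[str, Set[str]] = field(
        default_factory=lambda: defaultdict(set))
    last_country: Dict[str, str] = field(default_factory=dict)

    def assess(self, ctx: LoginContext) -> Tuple[int, str]:
        """Return (risk score, decision) for a password-verified login."""
        score = 0
        if device_fingerprint(ctx) not in self.known_devices[ctx.user]:
            score += 2                          # device never seen for user
        prev = self.last_country.get(ctx.user)
        if prev is not None and prev != ctx.ip_country:
            score += 3                          # country differs from last login
        if score == 0:
            decision = "allow"
        elif score < 5:
            decision = "challenge"              # step-up, e.g. out-of-band code
        else:
            decision = "block"                  # hold for manual verification
        return score, decision

    def enroll(self, ctx: LoginContext) -> None:
        """After a successful (and, if needed, challenged) login, remember
        the device and country so later logins from them score 0."""
        self.known_devices[ctx.user].add(device_fingerprint(ctx))
        self.last_country[ctx.user] = ctx.ip_country


def run_sample() -> List[str]:
    """Replay constructed login attempts for one user and return decisions."""
    engine = RiskEngine()
    home = LoginContext("alice", "Mozilla/5.0 (X11; Linux) Firefox/3.0",
                        "en-US", "1280x800", "US")
    engine.enroll(home)
    attempts = [
        home,                                                    # known device, same country
        LoginContext("alice", "Mozilla/5.0 (Windows) MSIE 7.0",
                     "en-US", "1024x768", "US"),                 # new device only
        LoginContext("alice", "Mozilla/5.0 (X11; Linux) Firefox/3.0",
                     "en-US", "1280x800", "DE"),                 # new country only
        LoginContext("alice", "Mozilla/5.0 (Windows) MSIE 7.0",
                     "en-US", "1024x768", "DE"),                 # both signals
    ]
    return [engine.assess(a)[1] for a in attempts]


if __name__ == "__main__":
    print(run_sample())
```

The two signals are deliberately treated as graded evidence rather than as a second factor: a changed user agent or a roaming mobile connection will produce a mismatch for a legitimate user, so a single signal leads to a step-up challenge and only the combination leads to a block, which is the trade-off between false positives and strength that the abstract's "pros and cons" refers to.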

Chicago OWASP Chapter Leaders

Cory Scott

Jason Witty