This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Bay Area"

From OWASP
Line 10: Line 10:
 
   San Francisco , CA 94105
 
   San Francisco , CA 94105
  
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.
+
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.
  
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.
+
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.
  
 
==Agenda==
 
==Agenda==
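Review bot: the replacement intro paragraph carries the venue and date change, but the matching sponsor line goes out with blank placeholders: "Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring." Either fill in the sponsor names or drop "and to ___, ___ for sponsoring" until they are confirmed, because the line is rendered on the live chapter page exactly as written.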
Line 24: Line 24:
  
 
==Speakers==
 
==Speakers==
'''Consumerization of enterprises: a security conundrum''' by Dr. Chenxi Wang, Principal Analyst, Forrester Group
 
  
Dr. Chenxi Wang is a principal analyst with Forrester. She leads Forrester's research in areas including content security, application security, threats and vulnerability management, and software security. Chenxi brings to Forrester years of sophisticated research experience; her previous experience includes a five-year stint as an associate research professor at Carnegie Mellon University, where she published many research papers on network security and distributed systems.  
+
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com
  
Previously, Chenxi served as the chief scientist for KSR, a managed security service startup in the San Francisco bay area. Chenxi also serves as an investigative forensics expert for the Federal Trade Commission. She is the recipient of a Critical Infrastructure Protection Fellowship from the Army Research Office and the Samuel Alexander Fellowship of ACM for outstanding Ph.D. thesis research.
+
Abstract:  The more things change, the more they stay the same.  We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail?  With companies investing hundreds of thousands of dollars  or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?
  
'''Cross-Site Request Forgery- New Attacks and Defenses''' by Collin Jackson, PH.D. Student, Stanford University
+
Bio:  Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer .  He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.
  
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability, but none of the three major CSRF defenses are satisfactory and many web sites neglect to prevent login CSRF. In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site request to the honest site's login URL, supplying the attacker's user name and password. This forged request can disrupt the integrity of the session and enable theft of confidential information.
+
'''Testing Methodologies:  White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant
  
Although the HTTP Referer header could be used as an effective general CSRF defense, our experiments indicate that the header is widely blocked at the network layer due to privacy concerns. Our experimental data shows, however, that the header can be used today as a reliable CSRF defense over HTTPS, which is ideal for login CSRF prevention. For the long term, we propose the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns. Additionally, we show that a network attacker can often disrupt session integrity even when the site deploys CSRF defenses, and propose additional defenses against these identity-misbinding attacks.
+
Abstract:  In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.
  
Collin Jackson is a fourth-year Ph.D. student in Computer Science at Stanford University. His research focuses on browser vulnerabilities, web authentication, mashups, and web application security.
+
Bio:  Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).
 
 
'''Google Gadget Security''' by Tom Stracener,  Sr. Security Analyst, Cenzic
 
 
 
Google Gadgets are HTML and Javascript applications that can be embedded in other web applications or the user's desktop (provided they are using Google Desktop). Gadget code is highly portable and can run on multiple sites or applications with few changes to the underlying code. This talk will focus on gadget security, an area where the current implementation is deeply flawed. We will examine Rsnake's XSS vulnerability in Google gadgets, consider possible attack scenarios, and also look at the reasons why Google chose not to fix this vulnerability. We take a critical look on they ways attackers can exploit the current Gadget implementation when performing attacks. This talk will provide the audience with background information for the upcoming Blackhat 2008 session "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener.
 
 
 
Tom is the Senior Security Analyst for Cenzic’s CIA Labs. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry’s first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, “Interoperability of vulnerability and intrusion detection systems,” was granted by the USPTO in October 2005. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.
 
 
 
'''How Cybercriminals Steal Money''' by Neil Daswani, Google
 
 
 
This talk discusses how we can prevent cybercrime due to the most significant emerging application security vulnerabilities.  Such vulnerabilities are used to commit various types of wide-scale fraud, and attacks based on them steal money right out of people's bank accounts, capture tens of millions of credit card numbers, and aid in the construction of next-generation botnets.
 
 
 
In the talk, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security.  This talk will then:
 
 
 
* review how attacks such as XSRF (Cross-Site-Request-Forgery), XSSI (Cross-Site-Script-Inclusion), and SQL Injection work,
 
* discuss their impact on Web 2.0, AJAX, mashup, and social networking applications,
 
* outline how to defend against them, and
 
* describe how to modify a software development process to achieve security.
 
 
 
Finally, the talk will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you and your colleagues can learn more.
 
 
 
Neil Daswani has served in a variety of research , development, teaching, and managerial roles at Google, Stanford University , DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security).  His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University.  Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g ) More information about Neil is available at http://www.neildaswani.com/
 
  
 
==RSVP==
 
==RSVP==
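Review bot: this hunk swaps the four June 2008 talks for the O'Connor and Greene talks, but the Agenda block between the "Line 10" and "Line 24" hunks is not touched, so the page still schedules Chenxi Wang, Collin Jackson, Tom Stracener and Neil Daswani from 2:10 PM to 5:30 PM under a "March 18th @ 6PM" header, and the RSVP section after the "==RSVP==" context still links to owaspbajune2008.eventbrite.com. Update the agenda times and talk titles to the March meeting and replace the Eventbrite link in the same change. Minor: the new speaker heading spells the name "O'Conner" and the company "Saleforce.com" while the bio two lines down has "O'Connor" and "Salesforce.com".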

Revision as of 05:58, 25 February 2009

OWASP Bay Area

Welcome to the Bay Area chapter homepage.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now



Next Event

Date and Location

  March 18th @ 6PM - Gap Inc
  Conference Center C
  2 Folsom Street,
  San Francisco , CA 94105

OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.

Agenda

  1:30 PM - 2:00 PM ... Check-in and registration
  2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader
  2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum - Dr. Chenxi Wang, Principal Analyst, Forrester Group
  2:55 PM - 3:40 PM ... Cross-Site Request Forgery - New Attacks and Defenses - Collin Jackson, Ph.D. student, Stanford University
  3:40 PM - 4:00 PM ... Networking Break
  4:00 PM - 4:45 PM ... Google Gadget Security - Tom Stracener, Cenzic
  4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google

Speakers

Back to the Future - Phishing and Malware by Brendan O'Connor, Salesforce.com

Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?

Bio: Brendan O'Connor is originally from the Midwest, currently residing in the Bay Area as a security engineer. He worked in security for a communications company for four years before switching to the financial sector in 2004 and on to Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.

Testing Methodologies: White-box, Gray-box, Black-box or Something Else by Kirk Greene, Accuvant

Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications and web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately, there is no one testing methodology that provides the best balance of time and accuracy for every application; in this talk we will provide metrics for helping decide which methodology should be used for which types of applications.

Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities, from developing and performing financial institution regulation audits to managing and performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), and Qualified Payment Application Security Professional (QPASP).

RSVP

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP at http://owaspbajune2008.eventbrite.com

Bay Area Chapter Leaders

Bay Area Past Events
