Difference between revisions of "Boulder"

Revision as of 19:09, 14 March 2008

OWASP Boulder

Welcome to the Boulder chapter homepage. The chapter leader is Andy Lewis

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?

Next Meeting

The next meeting is Thursday, April 17th, 2008 at Corporate Express's US Headquarters at 1 Environmental Way, Broomfield, CO 80021. Ryan Barnett of Breach Security will be speaking about ModSecurity (an open-source web application firewall) and the Distributed Open Proxy Honeypots Project. Am also talking to MicroSoft now that they've announced broader support for Open-Source.

Updates will be spammed to the Chapter Mailing List.

Agenda:

6-6:30 Dinner (at Corporate Express; pizza provided by Breach Security.

6:30 - 6:40 Chapter business

6:40 - 8:00 Presentation and Q&A

Following the meeting we will have informal discussions over beverages at the Gordon Biersch Brewery and Restaurant.

Ryan C. Barnett

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, [Preventing Web Attacks with Apache "Preventing Web Attacks with Apache],” was published by Addison/Wesley in 2006.

Member Survey

Please take time to complete the member survey to help improve the value the Chapter brings to the Boulder/Front-Range community.

Local News

We're also gaining traction on a Front Range OWASP Conference (FROCo8), so if you're interested in helping or sponsoring please email Kathy Thaxton, the Conference Director... kthaxton AT businesspartnersolutions DOT com or the Project Manager, Dariush Rusta... dariush_rusta AAATTT yahoo Do+ c0m.

Dariush Rusta has volunteered to be the Project Manager for the Front Range OWASP Conference on June 10th ( THANKS Dariush). More info info to follow later...

How do I learn more about input validation?

Google for Input Validation

Some PHP Security Resources

There seem to be dang few PHP security resources. Please edit this wiki if you've got some good ones. In the mean time, here's some stuff that looks pretty good: PHP meets the Top Ten (c2006)

Fortify's "RAT" is a free tool for static code analysis...

SPI Dynamics to Speak at Feb's Chapter Meeting

Derek Zunker, my local HP rep, has volunteered to sponsor February's meeting, including providing a speaker from SPI Dynamics on February 21st.

New OWASP Tools Available - Jan 2008

Four new OWASP tools are available. OWASP Enterprise Security API helps organizations get organized about application security, OWASP CSRFTester tests for CSRF flaws, OWASP CSRFGuard stops CSRF attacks, and the fantastic new Anti-Samy component allows safe posting of rich content.

XSS defense - the "dimuitive worm contest"

RSnake hosted a contest to write the smallest XSS worm. His results are here: XSS Worm Analysis And Defense. It's good reading for anyone trying to come to grips with XSS prevention.

Flash Security Testing

The team working on the OWASP Flash Security Project has released the SWFIntruder tool to detect flash security issues like XSS and Cross-Site Flashing. It's worth a look.

Aspect-Oriented Programming

Security Focus has a very interesting article regarding AOP and security written by Rohit Sethi on October 16th, 2007. It complements and reinforces the AOP talk given by Pat White from Fortify Software for the Nov Chapter Meeting. If you know of any other useful AOP references please share by posting to the chapter mailing list...

Cool References - November 28th, 2007

Google for "Microsoft AntiXSS Library" and you'll see some pretty cool resources for stifling Cross-Site-Scripting problems.

OWASP has a similar project: http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

in addition to the OWASP Enterprise Security API project (which looks REALLY COOL):

http://www.owasp.org/index.php/ESAPI

Finally, many of the OWASP wikis are available as books, either for purchase in hard-copy or as a free download:

Online bookstore = http://stores.lulu.com/owasp Shirts hats etc... http://www.cafepress.com/owasp

Boulder OWASP News - November 15th, 2007

Several Security Professionals have expressed interest in serving as Chapter Officers or part of a Board of Directors. If this is of interest to you too please contact Andy. We expect to assemble interested parties in early Dec to plan out 2008.

What should I expect to see at a bOWASP meeting?

Each speaker will be encouraged to cover:

- demonstration of the threat ( "look!  I got EVERYONE'S credit card #!")
- overview/sample of vulnerable code, preferably in PHP, Java, or .Net env.
- some details regarding how to correct the code
- some thoughts as to how to test for the problem and/or "immunize" against it during a typical SDLC
- additional tools and references

What's a Typical Agenda for the Chapter?

6-6:30 - pizza and beverages provided by a sponsor

6:30-6:40 - intro to OWASP and Chapter Business

6:40-7:35'ish - presentation, demonstration, or workshop

7:35'ish - Q & A

after Q & A - adjourn to less formal environment

Notes From Previous Meetings

February 2008 Meeting Notes - Michael Sutton - SQL Injection

The sponsor was HP, and the speaker was Michael Sutton of HP/SPI Dynamics. Topics included:

1. Data tampering via SQL injection (verbose and blind)

2. Guidance regarding WHAT TO DO and WHAT RESOURCES ARE AVAILABLE for input validation (aka data validation).

3. SQL injection against AJAX

4. Intro and results of Michael Sutton's FUGGLE project

Michael's slide deck is available in PDF format Sutton:Revisiting SQL Injection

Michael Sutton is the co-author of "Fuzzing : Brute Force Vulnerability Discovery" and the Security Evangelist for SPI Dynamics, recently acquired by HP. Michael is responsible for identifying, researching and presenting on emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored much literature and is regularly quoted in the media on various information security topics. Michael is also a member of the Web Application Security Consortium (WASC), where he is project lead for the Web Application Security Statistics project.

Prior to joining SPI Dynamics, Michael was the Director for iDefense Labs, a team of world class researchers tasked with discovering and researching security vulnerabilities. Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He holds degrees from the University of Alberta and The George Washington University.

January 2008 Meeting Notes - Aman Garg - Web App Protection, Tips for QA and Testing

Aman Garg of TippingPoint presented "Success Stories for Resolving App Security Bugs". The 2 things that got my attention were common evasion techinques and his commitment to spending ~20% of available testing/QA time doing UNstructured testing. It must be working - TippingPoint is the market leader in the IPS space. Many thanks to Aman for presenting, to TippingPoint for sponsoring, and to Corporate Express for hosting as we all try to get better at writing more secure code!

Outline for January 17th:

Web app protection

• php exploit demo
• primer on php vulnerabilities and various layers at which these can be exploited
• primer on XSS (cross site scripting) vulnerabilities
• what you can do to make your web apps more secure

My experiences running QA/testing at TippingPoint

• conventional wisdom in testing (make a million test cases, really comprehensive regression testing)
• challenges in testing
• tradeoff between responsiveness and thorough QA cycle
• making processes secure & tamper proof
• architecture issues - separating platform from application
• best practices & recommendations from my experience

Aman's Bio: A veteran in the network security industry with over 10 years of experience, Aman Garg is currently Principal Architect at TippingPoint, where his current work focuses on design and research for new products and solutions, partnerships with other solution providers, and prototyping technology concepts. He has worn several different hats at TippingPoint - most recently, running the market /competitive analysis group, and leading the certification effort of TippingPoint products by NSS & ICSA Labs.

Mr. Garg holds an MBA from University of Texas Austin, a Masters in Electrical Engineering from Texas A&M University, and a bachelors in Electrical Engineering from Indian Institute of Technology, Kanpur. His interests are in network security and network performance testing arenas. His research work on mitigating Denial of Service attacks has been cited by several academic journals.

November Meeting Notes - Patrick White - Aspect-Oriented Programming (bolting security on effectively)

Security and AOP (Aspect Oriented Programming)

Many thanks to Corporate Express for providing the facilities, to Coalfire Systems for providing dinner, and to Fortify Software for providing the speaker!

Speaker: Patrick White, Program Manager for .Fortify Software.

Topic: Security and AOP

Aspect Oriented Programming is an incredibly interesting methodology that has gradually gained popularity over the years. As interesting as the concepts are, they are often admittedly difficult to actualize. In this talk Patrick will be examining what AOP is and how it can make a real and meaningful impact during your development. In addition, he'll look at how powerful security features can be added to an application using AOP either in sync or out sync with development.

Bio: Patrick White is a Program Manager at Fortify Software. He holds a BS in Computer Engineering and Computer Science from the University of Southern California and has earned numerous Microsoft certifications including MCSE, MCSD, and MCPD. He previously worked for several Bay Area startups and was at Microsoft before joining the Fortify Software team.

Patrick's presentation can be found here: https://www.owasp.org/images/2/27/SecurityAndAOPII_FortifySoftware20071115.pdf Yeah, sometimes it's OK to bolt on security after the fact...

September Meeting Notes - Jeremiah Grossman - Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company

First Boulder OWASP Meeting was held September 20th, 2007 Jeremiah's presentation was OUTSTANDING and MUCH APPRECIATED. Jeremiah kindly allowed it to be posted here:

https://www.owasp.org/images/f/f8/OWASP_Boulder_09202007.pdf

MANY THANKS to Whitehat Security[1], Corporate Express[2], Business Partner Solutions[3], and all who attended for making this a success!

There was also a brief discussion about integrating security into the SDLC. Here's a link for a GREAT presentation done by Michael Walters. Note the diagrams on slide 13:

http://www.squadco.com/presentations/OWASP_Denver.pdf

Also, if your QA team isn't aware of SQuAD (the Software Quality Association of Denver) you may want to point them to www.squadco.com as a resource.

September Meeting First Boulder OWASP Meeting to be held September 20th, 2007

Site: Corporate Express US Headquarters [4] 1 Environmental Way Broomfield, CO 80021

Time: Dinner and beverages will be available starting at 6 PM, compliments of Business Partner Solutions. Presentation will start at 6:30.

Speaker: Jeremiah Grossman, CTO of WhiteHat Security.

Topic: Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company

To date, information security has been focused mainly on vulnerabilities at the network and software (OS, web server, etc.) levels. However, a new battleground is quickly developing that poses an even greater threat to companies’ brands/reputations and data. As companies drive more and more business processes to the web, vulnerabilities in their custom Web applications have become the new target for a new class of hackers. And the payoff is now financial gain, not personal notoriety.

Jeremiah Grossman will: – Reveal the top 10 attacks of 2006 by creativity and scope – Predict what these attacks mean for website vulnerability management in 2007 – Present strategies to protect your corporate websites

Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

Chapter Leader Links

Well-written, well-referenced SQL injection article

Cool MS Ace Team Blog

https://www.owasp.org/index.php/About_OWASP

https://www.owasp.org/index.php/How_OWASP_Works

https://www.owasp.org/index.php?title=How_OWASP_Works&diff=22690&oldid=15689 (this is a previous version of the 'How OWASP Works' page which contains some ideas about the future)

https://www.owasp.org/index.php/OWASP_brand_usage_rules

https://www.owasp.org/index.php/Chapter_Rules

https://www.owasp.org/index.php/Chapter_Leader_Handbook

https://www.owasp.org/index.php/Category:Chapter_Resources

http://www.owasp.org/index.php/Tutorial#Editing_OWASP

And finally, if you haven't seen this amazing page created by Sebastien a while back with descirptions and links to past OWASP presentations, you must check it out now: http://www.owasp.org/index.php/OWASP_Education_Presentation

Of particular interest: https://www.owasp.org/images/d/df/OWASP_-_Presentation_for_potential_sponsorships.doc

OWASP Moves to MediaWiki Portal - 11:36, 20 May 2006 (EDT)

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!