This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cincinnati"

From OWASP
(July Meeting)
(July Meeting)
Line 34: Line 34:
 
:<b>The presentation is available [https://www.owasp.org/index.php/Image:Build_Security_Into_Applications_Short.pdf herein].</b>
 
:<b>The presentation is available [https://www.owasp.org/index.php/Image:Build_Security_Into_Applications_Short.pdf herein].</b>
  
:How you can best start a software security initiative within your organization? Typically you start to present the business case for software security in terms of cost, threats and root causes. In the case of costs, fixing vulnerabilities by patching applications while are in production is much more expensive than fixing them before the application is ready for deployment in the production environment. The solution is to test and fix security issues during design, development and deployment before the application is ready for release in the operating environment. Scope of the presentation is to provide references to software security methodologies as well as to a roadmap for applying security activities through all the phases of the Software Development Life Cycle (SDLC). Such activities include use and misuse cases to elicit security requirements, threat modeling to identify flaws in design, secure coding to identify and remediate security bugs during construction and finally validation with security tests and secure development and configuration. Software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP provide a methodology to build these activities in the SDLC as checkpoints and toolgates. Once activities are built into the SDLC it is necessary that these provide measurements and metrics for managing software risks as well as to provide the business case again in terms of reduced number of vulnerabilities, identification of root causes instead of symptoms and reduced defect management costs.
+
:How you can best start a software security initiative within your organization? Typically you start to present the business case for software security in terms of cost, threats and root causes. In the case of costs, fixing vulnerabilities by patching applications while are in production is much more expensive than fixing them before the application is ready for deployment in the production environment. The solution is to test and fix security issues during design, development and deployment. Scope of the presentation is to cover in detail software security methodologies as well as to provide organizations with a roadmap for applying security activities through all the phases of the Software Development Life Cycle (SDLC). Software security activities include: use and misuse cases to elicit security requirements, threat modeling to identify flaws in design, secure coding to identify and remediate security bugs during construction, security tests during validation and secure development and configuration. Software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP are referenced as a methodologies that can be adopted to build software security in the SDLC such as waterfall and agile. The goal of these activities is to work as checkpoints and toolgates to manage software security risks through measurements of vulnerabilities and other relevant metrics. Finally such metrics also provides the business case for software security in terms by showing a reduced number of vulnerabilities, the identification of root causes of insecure applications the reduced defect management costs incurred by the organization.
  
 
=== June Meeting ===
 
=== June Meeting ===
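Review bot: the replacement paragraph carries over the grammatical defects of the paragraph it replaces and adds a few more, so they should be fixed before this revision lands. "fixing vulnerabilities by patching applications while are in production" is missing "they"; "are referenced as a methodologies" should read "are referenced as methodologies"; and the closing sentence "Finally such metrics also provides the business case for software security in terms by showing a reduced number of vulnerabilities, the identification of root causes of insecure applications the reduced defect management costs" needs "provide", the stray "in terms" dropped, and an "and" before "the reduced defect management costs". The opening question "How you can best start" should also be "How can you best start".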

Revision as of 00:41, 5 August 2008

Welcome to the Cincinnati OWASP Local Chapter. The chapter leader is Marco Morana. The OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the Chapter Rules.

To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. You can also review the email archives to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Upcoming Meetings

Wednesday July 30th

  • Location / Venue Sponsor: Citibank 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537
For help with directions contact Citi Blue Ash help desk at (513) 979-9000 or check directions herein.
Please access the building from the visitor lobby. OWASP meetings are held at the "Buckeyes" lecture room.
  • Agenda
    • 12:00 - 12:15 Peer-to-Peer Networking
    • 12:15 - 12:30 OWASP Cincinnati Chapter Update
    • 12:30 - 1:30 Presentation: Building Security Into Applications - Marco M. Morana, TISO Citigroup
Catching vulnerabilities and patching applications that are already deployed in production is neither cost nor risk effective. A more cost and risk effective practice than catch and patch is to build secure software by applying security through all the phases of the Software Development Life Cycle (SDLC). The scope of the presentation is to present the rationale for software security in terms of project and risk management, and to present in detail the software security activities that software architects, developers and testers can adopt to build secure software, such as threat modeling during design, secure coding during development and secure testing during deployment. References to software security methodologies such as MS SDL, OWASP CLASP and Cigital TP are also briefly discussed, as well as best practices for building secure software when using different software development methodologies.
  • RSVP is required to attend the meeting.
Citi guards verify that you pre-registered for the meeting by checking the RSVP list. Once you are checked and identified (please bring proof of ID) you will be granted visitor access to the training facilities.
If you plan to attend the meeting, please RSVP by clicking the Register button.

Upcoming Meetings Calendar

  • August 26: The OWASP ESAPI - Joe Combs
  • September 23: The CAPTCHA Security Control - Marco Morana & Scott Nusbaum
  • October 22: TBD - Blaine Wilson
We are looking for presenters and contributors for the coming OWASP meetings. A presenter will receive an OWASP polo shirt and is entitled to become a member of the local board. If you would like to present a topic, or if you wish to host the meeting at your company premises, please send an email to the chapter leader.

Past Meetings

July Meeting

  • Building Security Into Applications - Marco M. Morana, TISO Citigroup
The presentation is available herein.
How can you best start a software security initiative within your organization? Typically you start by presenting the business case for software security in terms of cost, threats and root causes. In the case of costs, fixing vulnerabilities by patching applications while they are in production is much more expensive than fixing them before the application is ready for deployment in the production environment. The solution is to test and fix security issues during design, development and deployment. The scope of the presentation is to cover software security methodologies in detail and to provide organizations with a roadmap for applying security activities through all the phases of the Software Development Life Cycle (SDLC). Software security activities include: use and misuse cases to elicit security requirements, threat modeling to identify flaws in design, secure coding to identify and remediate security bugs during construction, security tests during validation, and secure development and configuration. Software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP are referenced as methodologies that can be adopted to build software security into SDLCs such as waterfall and agile. The goal of these activities is to work as checkpoints and toolgates to manage software security risks through measurements of vulnerabilities and other relevant metrics. Finally, such metrics also provide the business case for software security by showing a reduced number of vulnerabilities, the identification of root causes of insecure applications, and the reduced defect management costs incurred by the organization.

June Meeting

  • SQL Injection - Dr. James Walden, Northern Kentucky University
The presentation is available herein.
Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.
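An added example, not from the talk or from this page, showing the defect the abstract describes in its smallest form: the same user lookup written with string concatenation (the SQL interpreter parses the untrusted value as part of the statement) and with a bound parameter (the value is only ever data), run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration: three users in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the untrusted value is spliced into the SQL text, so any
    # quote or operator it contains changes the meaning of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Hardened: the value is bound as a parameter; the driver never lets it
    # become part of the statement, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed probe input: a quote closes the literal, then a tautology is
# appended, so the unsafe statement matches every row instead of one user.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", lookup_unsafe(conn, INJECTION))  # all three users
    print("parameterized:", lookup_safe(conn, INJECTION))   # no match
```

The same separation of code from data applies to the other interpreters the abstract lists (LDAP, XPath, shells): use the interpreter's own parameter binding or escaping API rather than building the command text by hand.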

May Meeting

  • Cross Site Request Forgery Vulnerability In Depth Dive In - Marco M. Morana, Technologist/Author, TISO Citigroup
The presentation is available herein.
CSRF vulnerabilities can be exploited to perform unauthorized transactions on behalf of a logged-in user by exploiting the trust between the browser session and the web application. Such unauthorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure, as well as unauthorized access. The in-depth session will cover how and where CSRF happens, how it can be identified (e.g. tested for), and how it can be prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail, as well as CSRF tools such as OWASP CSRFGuard.

April Meeting

  • The New Face of Cybercrime Movie Premiere And Follow Up Discussion.
Major Bruce C. Jenkins, (USAF, Ret.)- Security Practice Director at Fortify Software Inc.
    Meeting Sponsor: Fortify Software
The revealing documentary features candid interviews with criminal hackers and with the industry executives taking steps against their persistent attacks. Learn how exposed IT systems are and how to address the changes.

March Meeting

  • Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup
Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but it is a link in the chain for producing secure software. Join us as we explore building a business case for static analysis and review the current open source static analysis tools.
  • An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup
Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

  • OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
The presentation is available herein.
Before diagnosing the disease and providing the cure, a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In the case of application security, the majority of the root causes of security issues are insecure software; the risk factors can be found in how poorly the application is designed, how the software is coded and how the application is tested; and the symptoms in how the application's vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways of enforcing software security by looking at the risk that threat agents (attacks) exploit vulnerabilities due to insecure software, and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weaknesses in application security controls, it is easier to describe the root causes as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten; for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find out whether you are vulnerable and, if you are, which countermeasures need to be implemented.

January Meeting

  • Introduction to OWASP- Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
The presentation is available herein.
OWASP plays a special role in the application security ecosystem: it is a vehicle for sharing knowledge and leading best practices across organizations. OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization for sharing open-source tools, documents, basic information, guidelines, presentations and projects worldwide. The OWASP Top Ten list is a reference for the most critical web application security flaws, compiled by a variety of security experts from around the world. The list is recommended by the U.S. Federal Trade Commission and the U.S. Defense Information Systems Agency, and is adopted by the Payment Card Industry (PCI) as a requirement for security code reviews. Through OWASP you'll find a rich community of people to connect with through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize that the world's software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and to learn more about how to contribute to OWASP.
  • Webgoat and Webscarab Security Tools Use Cases - Blaine Wilson (Citigroup, TISO)
The presentation will show how to use popular OWASP tools such as the WebScarab web proxy and WebGoat to learn about common security vulnerabilities in applications.

Cincinnati OWASP Chapter Board Members

The scope of the board is to discuss and approve local activities, meetings and plans. The board meets informally on a bi-weekly basis, every other Friday at 7:30 AM, at Panera Bread in Blue Ash (Directions).

The board currently includes the following members:

About OWASP

The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. Consult the how OWASP works web page for more information about projects and governance.

OWASP Membership

OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or to participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand, OWASP relies on membership fees and sponsorship to support its activities. There are also unique benefits to becoming a corporate member, such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.