This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 17:33, 27 March 2008 by Ashubert (talk | contribs)

Jump to: navigation, search

OWASP Cincinnati

Welcome to the Cincinnati chapter homepage. The chapter leader is Marco Morana


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local News

Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the mailing list and the attendance to the meeting has been very good. The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will feature the premiere of the movie: " The New face of Cybercrime".A trailer can be preview here The plan is to hold a special topic meeting on Cross Site Request Forgery (CSRF) in May and another one on SQL injection in June/July. We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit your proposal in powerpoint format using the OWASP Template and include the speaker's BIO and send an email to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email to the chapter leader.

April Meeting

Please Join us for the exciting Fortify premeier.

<img src="top.jpg" alt="The New Face of CyberCrime: Private Screening" width="500" height="646" border="0" />
<a href=""><img src="middle_reserve.jpg" alt="Reserve your seat now" width="500" height="77" border="0" /></a>
<a href=""><img src="lowerleft_fortify.jpg" alt="Fortify Software" width="250" height="99" border="0" /></a> <a href=""><img src="lowerright_owasp.jpg" alt="WAMU" width="250" height="99" border="0" /></a>

March Meeting

When: March 25th, 2008, 6.15 PM presentation starts 6.30 PM

Where: Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537. 
Please access the building from the visitor lobby. 

RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to Blaine Wilson . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

Session Topics:

Source Code Reviews and Open Source Static Analysis Tools

Presented by: Allison Shubert, Security Specialist, Citigroup

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

An Introduction to Web Proxies

Presented by:Blaine Wilson, Technology Information Security Officer, Citigroup

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective

Who: Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger) The presentation is available herein.

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

January Meeting

When: January 29th, 2008, 11:30am - 1:00pm

General Session Topic: Introduction to OWASP

Who: Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger) The presentation is available herein.

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide. The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases

Who: Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

Cincinnati OWASP Chapter Leaders