This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Los Angeles"

From OWASP
(Wednesday, December 16th, 2009 7:30PM)
(Wednesday, January 20th, 2010 7:30PM)
Line 21: Line 21:
 
* <b>Do VLANs allow for good application security?</b>
 
* <b>Do VLANs allow for good application security?</b>
 
<br>
 
<br>
As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage <http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/> functionality included in the emerging HTML 5 <http://dev.w3.org/html5/spec/Overview.html>  specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.
+
Virtual Local Area Networks (VLANs) are not a new concept, and can help
 +
any organization better control network access. I will present some of
 +
the previous issues identified, what was the root cause, and how these
 +
have been fixed in current technology. In addition we will talk about
 +
how this can help to enhance security in your environment, and what
 +
controls must be in place in order to implement such an environmentWe
 +
will also touch on how this can complicate your application environment,
 +
but improve overall security.
  
Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.
+
I will touch on the controls that need to be reviewed and audited when
 +
working with VMware, VLANs, and web applications, to ensure that these
 +
networks are secure, and what to look for to potentially pass audit
 +
criteria. I will also talk about where and how these controls have been
 +
implemented in order to protect thousands of users while accessing one
 +
of the most hostile networks in the world.
 
<br><br>
 
<br><br>
  
<B>Michael Sutton</B>,Vice President and security research at Zscaler, has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.   
+
<B>David M. N. Bryan</B>,
 +
Senior Security Consultant
  
Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.
+
David has over 9+ years of computer security experience including,
 +
consulting, engineering and administration.  He has performed security
 +
assessment projects for health care, nuclear, manufacturing,
 +
pharmaceutical, banking and educational sectors.  As an active
 +
participant in the information security community, he volunteers at
 +
DEFCON where he designs and implements the Firewall and Network for what
 +
is said to be the most hostile network environment in the world.
 +
 
 +
He is also an active participant in the local Minneapolis security
 +
groups both as a board member of OWASP MSP and DC612. His roots and
 +
experience come from working for a large enterprise banks, designing and
 +
managing enterprise security systems.  In the more recent years he has
 +
been working as an Information Security Consultant to review the
 +
security and architecture of information computing environments.
  
 
= Would you like to speak at an OWASP Los Angeles Meeting? =
 
= Would you like to speak at an OWASP Los Angeles Meeting? =
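Review bot: in the added abstract, the line "controls must be in place in order to implement such an environmentWe" runs two sentences together; insert the sentence break ("environment. We"). The added bio has the same kind of slips: "David has over 9+ years" doubles up "over" and "9+" (keep one), and "working for a large enterprise banks" mismatches article and number ("large enterprise banks" or "a large enterprise bank").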

Revision as of 21:32, 23 December 2009

OWASP Los Angeles

Welcome to the Los Angeles chapter homepage. The chapter leader is Cassio Goldschmidt.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of the OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now



Local News

Upcoming Chapter Meetings


   Meeting Location
   Symantec Corporation
   900 Corporate Pointe
   Culver City, CA 90230
   Laguna Conference Room



Wednesday, January 20th, 2010 7:30PM

  • Do VLANs allow for good application security?


Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.

I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world.

David M. N. Bryan, Senior Security Consultant

David has over 9 years of computer security experience, including consulting, engineering and administration. He has performed security assessment projects for the health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security groups, both as a board member of OWASP MSP and of DC612. His roots and experience come from working for large enterprise banks, designing and managing enterprise security systems. In more recent years he has been working as an Information Security Consultant, reviewing the security and architecture of information computing environments.

Would you like to speak at an OWASP Los Angeles Meeting?

The Call for Papers (CFP) is NOW OPEN. To submit an educational topic for an upcoming meeting, please send your bio and talk abstract via email to Cassio Goldschmidt. Once accepted, you will be required to use the following OWASP PowerPoint template.


This page provides a list of previous presentations conducted at the Los Angeles Chapter.


Los Angeles Chapter Leader