
Difference between revisions of "Philadelphia"

 
{{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto:[email protected] Aaron Weaver], [mailto:[email protected] John Baek] and [mailto:[email protected] Evan Oslick].

Follow us [https://twitter.com/phillyowasp @phillyowasp]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}

== All Meetings Listed on Meetup.com ==

<meetup group="OWASP-Philadelphia" />
 
 
[https://www.meetup.com/OWASP-Philadelphia/ Philadelphia OWASP Meetup]
 
 
 
== Next Meeting '''Thursday, January 19 AT 5:45'''==
 
 
 
'''Where:''' AXINet
 
 
 
'''Please RSVP:''' https://www.meetup.com/OWASP-Philadelphia/events/236793133/
 
 
 
'''Agenda:'''
 
 
 
5:45 - 6:00 | Introduction and settle-in (Alpine Cyber Solutions)
 
 
 
6:00 - 6:40 | Aaron Weaver (Philadelphia OWASP Chapter Lead): Securing AWS with Lambda
 
 
 
6:40 - 7:10 | Open Forum - Bring your questions, successes, and stories!
 
 
 
== Next Meeting '''MON, DEC 5 AT 6 PM - 8:00 PM'''==
 
 
 
'''Where:''' OSI Soft
 
 
 
'''Please RSVP:''' https://www.meetup.com/OWASP-Philadelphia/events/235918332/
 
 
 
 
 
'''Agenda:'''
 
*Food
 
*Enemy's State of Mind, John Baek
 
 
 
== Next Meeting '''Tuesday, June 14th AT 5:30 PM - 8:00 PM'''==
 
 
 
'''Where:''' OSISoft
 
 
 
'''Please RSVP:''' https://www.eventbrite.com/e/june-owasp-chapter-meeting-at-osisoft-tickets-25911192073
 
 
 
'''Come join us at OSISoft while we chat about AppSec.'''
 
 
 
'''Agenda:'''
 
*Food!
 
*Building a Threat Modeling Practice in 7 Easy Steps, Anurag Agarwal
 
*Android Pentesting, Sandeep Jayashankar
 
 
 
== Next Meeting '''THU, MAY 12 AT 5:45 PM - 8:00 PM'''==
 
 
 
'''Where:''' Navy Yard
 
 
 
'''Please RSVP:''' https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-at-the-navy-yard-tickets-24938728408
 
 
 
'''Come join us at the Navy Shipyard while we chat about AppSec.'''
 
 
 
'''Agenda:'''
 
*Food!
 
*The Illusion of Control: Security and Your Software Supply Chain, Derek Weeks
 
*Building your Own Security ChatBot, Aaron Weaver
 
 
 
== Prior Meeting '''April 12, 2015 from 11:30 AM - 1:30 PM'''==
 
 
 
'''Where:''' Cisco, Reading Terminal Room - 301 Lindenwood Dr., Suite 201, Malvern, PA
 
 
 
'''Please RSVP:''' https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-in-malvern-at-cisco-tickets-24256973260
 
 
 
Join us on Tuesday for lunch while we chat about AppSec.
 
 
 
'''AppSec Evolved: Continuous Security and Pipelines'''
 
 
 
'''Abstract:'''
 
The security community has been slow to follow the lead of software developers and their adoption of process automation. What can we as security professionals glean from the Agile, Lean, DevOps and CI/CD methods implemented by these industry unicorns? This presentation will show how to catch up by providing examples of security being successfully adapted to these models.
 
First, we will demonstrate how to configure an automated test harness from traditional manual testing. No need to re-test: automation has you covered. Next, we'll take two different companies' experiences with running AppSec groups, Rackspace and Pearson, and later incorporate the concept of a build pipeline. Finally, we will show what can be done when these procedures are combined, with actual year-over-year results that include 24/7 remediation advice, automated report generation, ChatOps and more. Learn how an AppSec Pipeline can keep your AppSec life productive and sane.
 
 
 
'''Matt BIO:'''
 
Matt Tesauro is the CTO of Infintiv, a Senior Software Security Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec USA, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline and WTE projects. WTE is a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.
 
 
 
'''Greg BIO:'''
 
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. Though he primarily focuses on cloud security, Greg’s recent endeavors have been centered around incorporating vulnerability assessments into continuous delivery systems.
 
Greg’s previous work focused on unconventional attack vectors and how to maximize their impact while avoiding detection. He has presented at DEFCON and LASCON and is a Chapter Leader at OWASP San Antonio.
 
 
 
== Next Meeting '''March 23, 2015 from 5:45 PM - 8:00 PM'''==
 
 
 
'''Where:''' 32nd Floor, Radian - 1500 Market Street, Philadelphia, PA 19103
 
 
 
RSVP: https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-at-radian-tickets-22477335315
 
 
 
Join us on Wednesday for food while we chat about AppSec.
 
 
 
'''Application Event Logging'''
 
 
 
One of the most important sources of information for security threat detection and investigation is often the most neglected in the application development process. We're talking about application event logging - it isn't often sexy or interesting, but it could be the key to detecting an attack or compromise, or may provide the ability to successfully investigate unauthorized activities or operational issues.
 
 
 
If it is so important, then why are application developers not building an event logging framework into every application? And, why are the events that are being logged from many applications useless for security purposes or difficult to consume?
 
 
 
In this session we'll aim to answer these questions:
 
- Why are developers not implementing application logging capabilities?
 
- What mistakes are being made in the events that are logged?
 
- What should be logged?
 
- In what format should events be logged?
 
- What is the difference between security events and operational events? And, should we care about both?
 
 
 
'''Chris McGinley, CISSP, CCE'''
 
Chris is a Managing Partner at BTB Security, based out of Bala Cynwyd, PA. Chris has practiced information security for over 10 years and has been in and around the world of IT for nearly 25 years.
 
 
 
'''Static Analysis Programs – Current State and Future Direction'''
 
Static analysis has grown in demand over the past decade and is now seen as one of the key practices in many software security initiatives across different industry verticals. When people think of static analysis, they immediately think of tools and automated solutions.
 
 
 
While there are several well-known tool vendors in the marketplace, there is not enough knowledge and experience in successfully implementing such technology in real-world organizations. Successful static analysis program implementation does not come without challenges and involves a progressive time-consuming journey. Effective program implementation should strategically account for people, process, and technology.
 
 
 
This presentation provides a holistic view of how the industry has taken its shape over the past decade, and what organizations need to know when planning for a new static analysis initiative.
 
 
 
'''Mr. Aravind Venkataraman''' is the Director of Cigital’s Static Analysis practice. He has over 8 years of experience in software security and network security. At Cigital (www.cigital.com), he has spent the past 6 years helping a number of Fortune 100 companies build and run software security practices. He has performed planning, advisory and operational roles in building such practices. He specializes in deploying static analysis programs. He has helped several organizations deploy and run static analysis capabilities of different sizes and shapes.
 
He presently plays a technical leadership and program advisory role both for internal staff and clients based out of Washington DC.
 
 
 
== Previous Meeting '''Tuesday, February 23, 2015 from 11:45 PM - 1:30 PM'''==
 
 
 
'''Where:''' 505 Eagleview Dr. Suite 102 Exton, PA
 
 
 
RSVP: https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-at-corebts-tickets-21285130398
 
 
 
Join us on Tuesday for lunch while we chat about AppSec.
 
 
 
'''It's 10pm, Do You Know Where Your Access Keys Are?'''
 
 
 
We know that a large number of organizations are using AWS or are planning to. We also know that hackers are targeting organization’s AWS infrastructure. What you may not know, is how hackers are doing this and what you can do about it.
 
 
 
Join us as Ken Johnson, CTO of nVisium, discusses harnessing existing AWS functionality to strengthen your organization’s AWS infrastructure against practical attacks. Ken will show you what attackers are looking for, how they are finding you, how to secure your environment, and how to answer the question “Our access keys have been stolen, what do we do now?”.
 
 
 
Ken leads nVisium's product development efforts and is responsible for the security of engineering infrastructure and code. Ken co-built the Railsgoat project, an open-source security-centric training platform for Ruby on Rails developers, and is a frequent speaker on both security and development topics - DevOpsDays DC, LASCON, AppSec Cali, OWASP DC, RubyNation.
 
 
 
== Next Meeting '''Thursday, January 21, 2015 from 6:00 PM - 8:00 PM'''==
 
 
 
'''When:''' Thursday, January 21, 2015 from 6:00 PM - 8:00 PM<br>
 
'''Where:''' Venture F0rth, located at 417 N. 8th Street
 
 
 
Meetup: http://meetu.ps/2Qn7x3
 
 
 
Join us on Thursday as we go over XSS in depth, reviewing advanced attacks and frameworks such as BeEF, the Browser Exploitation Framework Project.
 
 
 
== Past Meeting '''Tuesday, December 15, 2015 from 5:00 PM - 8:00 PM'''==
 
 
 
'''When:''' Tuesday, December 15, 2015 from 5:00 PM - 8:00 PM <br>
 
'''Where:''' Radian, 1500 Market St., 32nd Floor, East Tower, Philadelphia, PA 19103
 
 
 
'''Please [https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-at-radian-tickets-19898696537 register] so that we can get an accurate count for ordering Pizza.'''
 
 
 
Come show off your hacking skills as we hack against OWASP Security Shepherd and then listen to a presentation about secure coding.
 
 
 
== Past Meeting '''Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM'''==
 
 
 
'''When:''' Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM<br>
 
'''Where:''' OSIsoft 1700 Market Street, Suite 2201 Philadelphia (22nd Floor, signs for the conference room will be posted.)
 
 
 
'''Please [https://www.eventbrite.com/e/owasp-chapter-meeting-at-osisoft-tickets-19402906616 register] so that we can get an accurate count for ordering Pizza.'''
 
 
 
'''Title:  [https://www.owasp.org/images/b/bd/OWASP-IoT.pptx IoT Beyond the Hype]'''<br>
 
'''Presenter:''' Justin C. Klein Keane is the security architect for ThingWorx (http://www.thingworx.com), a PTC business that makes IoT development framework software. Justin has over 15 years of experience in the security field and is a major contributor to the OWASP IoT Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project), a member of the Build it Securely group (BuildItSecure.ly) and the Securing Smart Cities project (http://securingsmartcities.org), and an official contributor to the Online Trust Alliance feedback to the Federal Trade Commission's proposed guidelines on IoT security and privacy (https://otalliance.org/iot-comments-draft-trust-framework).
 
 
 
'''Abstract:'''  IoT security is one of the most exciting new fields in the industry, but few understand its scope beyond hacking your connected toaster. Hospitals, industry, and agriculture are all leveraging IoT to realize value from big data, predictive analytics, remote management, and cloud connectivity.  IoT is more than just the next evolution from desktop to web to mobile to cloud.  IoT presents very real, and new, challenges, including machine to machine (M2M) trust, transitive ownership, and more.  The OWASP IoT Project seeks to define this new problem space, enumerate common vulnerabilities, and propose methodologies for secure development.  This talk will provide an overview of the OWASP IoT Project and movement in the problem space that goes well beyond hacking cars and baby monitors.
 
 
 
'''Title:  Getting out of the Comfort Zone'''<br>
 
'''Presenter:''' Aaron Weaver, Associate Director - Application Security, Protiviti
 
 
 
'''Abstract:''' In the last few years, development and operations practices have changed significantly in many organizations. Many organizations are embracing DevOps, and what started out as an idea a few years ago with startups and large cloud companies is now being adopted by banks and traditional retailers. We in the security community need to be part of this change or we will be ignored or bypassed. It's time for security to look for new ways to enable change in a secure manner while still allowing the business to move at the speed it requires.
 
 
 
== Previous Meeting '''Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM'''==
 
 
 
'''When:''' Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM<br>
 
'''Where:''' Temple University, SERC (1925 N 12th Street, Philadelphia) room 358
 
 
 
 
 
'''Topic:  OWASP Primer - Security and Penetration Testing'''<br>
 
'''Presenter:''' John Baek, OSCP, CISSP, CISA
 
 
 
'''Abstract:'''
 
 
 
Forthcoming
 
 
 
 
 
== Previous Meeting '''Thursday, July 30, 2015 from 11:30 AM - 1:00 PM'''==
 
 
 
'''When:''' Thursday, July 30, 2015 from 11:30 AM - 1:00 PM<br>
 
'''Where:''' Giordano's Pizza, 633 E Cypress St, Kennett Square, PA 19348
 
 
 
 
 
'''Topic:  Building an AppSec Pipeline'''<br>
 
'''Presenter:''' Aaron Weaver
 
 
 
'''Abstract:'''
 
 
 
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you're catching vulnerabilities as early and often as possible?
 
 
 
This talk will discuss a real world case study of an AppSec Pipeline. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team.  At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place. This talk will cover the motivation behind an AppSec pipeline, its implementation and how it can help you get the most out of your AppSec program.
 
 
 
'''Topic:  Back to Basics: Application Assessment 101 - Pen Test Using Proxy Tool (Burp Suite Pro/ZAP)'''<br>
 
'''Presenter:''' John Baek
 
 
 
'''Abstract:'''
 
 
 
We will drill down into one aspect of web application assessment: the web app penetration test. We'll discuss a popular tool for performing web app pen tests and what the tester needs to understand to make it a successful and useful assessment. The techniques presented here can be used in your SDLC to look for security flaws (hopefully prior to the production release).
 
 
 
== Previous Meeting: '''Thursday, September 25th, 2014 from 11:30 AM - 1:30 PM'''  ==
 
 
 
'''OWASP Philly/ Lunch Meeting Thursday September 25th'''
 
 
 
'''When:''' Thursday, September 25th, 2014 from 11:30 - 1:30 PM<br>
 
'''Where:''' Protiviti - 50 S 16th St, Philadelphia, PA 19102
 
 
 
Food will be provided, [http://www.eventbrite.com/e/owasp-philly-lunch-meeting-tickets-13142911803 please RSVP].
 
 
 
'''Topic:  Securing The Android Apps On Your Wrist and Face'''<br>
 
'''Presenter:''' Jack Mannino
 
 
 
'''Abstract:'''
 
 
 
Android Wear introduces new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.
 
 
 
Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.
 
 
 
In this presentation, we will explore how Android Wear works underneath the hood. We will examine its methods of communication, data replication, and persistence options. We will examine how these applications fit into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn't to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.
 
 
 
'''Bio:'''
 
 
 
Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android and code written in Scala. He’s also an optimistic New York Mets fan, although that optimism slowly fades away every summer.
 
 
 
== Previous Meeting: '''Tuesday, March 11, 2014 from 6:00 - 7:30 PM'''  ==
 
 
 
'''OWASP Philly/ Meeting '''
 
 
 
'''When:''' Tuesday, March 11, 2014 from 6:00 - 7:30 PM<br>
 
'''Where:''' 3220 Market St. Room 369
 
 
 
 
 
'''Topic:  Proven Strategies for Web Application Security'''<br>
 
'''Presenter:''' Justin C. Klein Keane and Aaron Weaver
 
 
 
'''Abstract:'''
 
 
 
The rising dominance of the web as an application delivery platform has focused attacker attention squarely on the security of dynamic web applications. Application security is a complex, and shifting, field. Learn about and discuss tested and successful techniques to build safer applications, find flaws before they become vulnerabilities, and deploy applications that can detect, and resist attack.  Includes a discussion of common web application vulnerabilities such as the OWASP Top 10.
 
 
 
== Previous Meeting: '''Tuesday, August 13th, 2013 from 7:00 - 8:30 PM'''  ==
 
'''OWASP Philly/ Meeting '''
 
 
 
'''When:''' Tuesday, August 13th, 2013 from 7:00 - 8:30 PM<br>
 
'''Where:''' University of Pennsylvania, [http://www.facilities.upenn.edu/maps/locations/fisher-bennett-hall Fisher-Bennett Hall] room 322
 
 
 
 
 
'''Topic:  HTML5 Security'''<br>
 
'''Presenter:''' Justin C. Klein Keane or others
 
 
 
'''Abstract:'''
 
 
 
HTML 5 Security
 
 
 
While HTML 5 is a wonderful tool for developers, the new features also present some new security challenges. Security in HTML 5 is a widely varied topic and we may not yet understand all of the security challenges it will bring. HTML 5 poses a major paradigm shift in the way that web applications are delivered and consumed, and time will tell whether this will result in a net positive or negative for security. The new anti-XSS mitigation features of HTML 5 are amazing, and well worth investigating if you're looking to develop a new application.
 
 
 
Presentation material available at https://sites.sas.upenn.edu/kleinkeane/presentations/html-5-security
 
 
 
'''Reminder:'''
 
 
 
OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)!  It's a short trip and an awesome opportunity to hear some really great talks.  If folks want to go, please register with the discount code "Support_PHI" to support the chapter.  Additionally, if you're going to go, it's $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member) so join!
 
 
 
'''Upcoming Events:'''
 
* Friday, October 11 is [http://drupaldelphia.com/ Drupaldelphia], at the Philadelphia Convention Center
 
* Friday-Sunday, October 25-27 is [http://pumpcon.org/ Pumpcon] in Philadelphia, follow [https://twitter.com/pumpcon @pumpcon]
 
 
 
 
 
 
 
== Previous Meeting: '''Tuesday, January 8th, 2013 from 7:00 - 8:30 PM'''  ==

'''OWASP Philly/ Meeting - University of Pennsylvania, Fisher-Bennett Hall Room 224'''



'''When:''' Tuesday, January 8th, 2013 from 7:00 - 8:30 PM<br>

'''Where:''' University of Pennsylvania, Fisher-Bennett Hall Room 224
 
 
 
 
 
'''Topic:  Capture the Flag Exercise'''<br>
 
'''Presenter:''' Justin C. Klein Keane
 
 
 
'''Abstract:'''
 
 
 
NB: Please RSVP to [email protected] for this meeting if you plan to attend so that we can provide sufficient materials for all attendees.
 
 
 
Capture the Flag (CTF) exercise. Come learn about how web applications are compromised by actually breaking one yourself. This hands-on exercise will guide attendees through common web application vulnerabilities and their potential impact by allowing participants to utilize tools to test and attack a target web application in a controlled environment. The exercise will include a vulnerable virtual machine image and documentation on one of many possible routes to complete the exercise.
 
 
 
This meeting will be led by Justin Klein Keane, a veteran of web application capture the flag exercises and maintainer of the LAMPSecurity project on SourceForge.net (https://sourceforge.net/projects/lampsecurity). This exercise will be released as part of the LAMPSecurity project after the meeting.
 
 
 
 
 
== Previous Meeting: '''Tuesday, November 27th, 2012 from 7:00 - 8:30 PM'''  ==

'''OWASP Philly/ Meeting - Meyerson Hall, Room B4'''



'''When:''' Tuesday, November 27th from 7:00 - 8:30 PM<br>
 
'''Where:''' University of Pennsylvania, Meyerson Hall, Room B4, Philadelphia
 
 
 
 
 
'''Penetration Testing - Attack Vector and Vulnerability Trends'''<br>
 
'''Presenter:''' Shannon Schriver and Garrett Fails
 
 
 
'''Abstract:'''
 
 
 
The more things change, the more they stay the same. Even though the OWASP Top Ten hasn't been updated since 2010, the vulnerabilities that are prevalent in the wild in 2012 still map directly to items on the list.
 
 
 
Shannon Schriver and Garrett Fails, penetration testers for PwC, will be discussing the most successful web application vulnerabilities and attack vectors that they have used during client penetration tests in 2012. Topics will include local file inclusion, insecure administrative consoles (including JBoss and Tomcat), and WPAD man-in-the-middle browser vulnerabilities.
 
 
 
== Previous Meeting: '''Monday April 16th, 2012, from 7:00 - 8:30 PM'''  ==
 
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''
 
 
 
'''When:''' Monday, April 16th from 7:00 - 8:30 PM<br>
 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia
 
 
 
 
 
'''HECTOR, our evolving security intelligence platform'''<br>
 
'''Presenter:''' Justin Klein Keane
 
 
 
'''Abstract:'''
 
 
 
Asset management is an ever present challenge for any IT organization, and especially so for information security groups. Even more challenging is data aggregation for intelligent security analysis (or security intelligence). HECTOR is an effort by the University of Pennsylvania's School of Arts and Sciences to provide such a security intelligence platform. Organizing assets, scanning for vulnerabilities and profiles, correlating attacks on your network to services offered by hosts, tracking changes, following remediation, and making information available to multiple users via a web interface are all goals of HECTOR. HECTOR leverages honeypot technology, darknet sensors, port scans, vulnerability scans, intrusion detection systems, the powerful open source MySQL database, and a PHP based web front end to provide security intelligence to security practitioners.



HECTOR is an evolving, open source effort that attempts to leverage a wide variety of tools and information sources to empower security practitioners with better insights as well as to track and trend security related data. Come hear about HECTOR in advance of the official open source launch at the Educause Security Professionals 2012 conference. Presentation material will include a discussion of the philosophy behind HECTOR, the open source technologies that make HECTOR work, as well as design challenges and solutions. Even if you don't end up using HECTOR, the presentation seeks to spur new ideas and ways of thinking about asset management and security data.
 
 
 
== Previous Meeting: '''Friday September 16th, 2011, from 1:00 PM - 4:15 PM'''  ==
 
'''Joint Meeting with ISSA-DV, Infragard -  VWR International, Radnor Corporate Center'''
 
 
 
'''When:''' Friday September 16th, 1:00 PM<br>
 
'''Where:''' VWR International, Radnor Corporate Center, 100 Matsonford Road, Wayne, PA 19087
 
 
 
'''Register:''' [http://www.issa-dv.org/meetings/registration.php Please register to attend this free conference]
 
 
 
===Agenda===
 
 
 
{| class="wikitable"
 
|-
 
| '''1:00 - 1:15'''
 
| '''OWASP, INFRAGARD, ISSA Joint Session''' 
 
|''Registration''
 
|-
 
|'''1:15 – 2:00'''
 
|'''Dan Kuykendall, CTO NT Objectives'''
 
|''"Not Your Granddad's Web App."''
 
|-
 
|'''2:00 – 2:45'''
 
|'''Jack Mannino from nVisium Security'''
 
|''"Building Secure Android Apps"''
 
|-
 
|'''2:30 – 2:45'''
 
|'''BREAK'''
 
|
 
|-
 
|'''2:45 – 3:30'''
 
|'''CEO Matthew Jonkman Emergingthreats.net'''
 
|''Open Information Security Foundation (OISF Suricata)''
 
|-
 
|'''3:30 – 4:15'''
 
|'''Aaron Weaver - OWASP'''
 
|''Breaking Botnets: Finding App Vulnerabilities in Botnet Command & Control servers''
 
|}
 
 
 
'''Directions to [http://www.mapquest.com/maps?address=100+Matsonford+Rd&city=Radnor&state=PA&zipcode=19087 VWR International]'''
 
 
 
== Previous Meeting: '''Monday June 20th, from 6:30 - 8:00 PM'''  ==
 
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''
 
 
 
'''When:''' Monday, June 20th from 6:30 - 8:00 PM<br>
 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia
 
 
 
''Three lightning round presentations'' - Each presentation will be about 20 minutes long
 
 
 
* Using PHP for Security - Justin C. Klein Keane
 
* Perl for AppSec - Darian Anthony Patrick
 
* What does your metadata say about your organization? A look at the open source tool Foca - Aaron Weaver
 
 
 
Thanks to Penn for hosting the OWASP event!
 
 
 
'''Directions:'''
 
The building entrance faces the intersection of 34th and Walnut streets and the room is on the third floor. Folks should bring identification and, if the guard asks, let him know you are coming to the OWASP meeting.
 
 
 
== Previous Meeting: '''Monday, May 23rd, from 6:30 - 8:00 PM'''  ==
 
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''
 
 
 
'''When:''' Monday, May 23rd from 6:30 - 8:00 PM<br>
 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia
 
 
 
'' The Search for Intelligent Life''
 
 
 
'''Synopsis:''' For years organizations have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of information and decision support.
 
 
 
In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your security and the threats that may affect it.
 
 
 
'''Bio:''' Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well-known online travel agency, where he built and led the information security program and personnel for over 6 years. Ed has over 18 years' experience in information security and technology.
 
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.
 
 
 
For a summary of the presentation please see http://www.madirish.net/justin/security-intelligence-philly-owasp-ed-bellis
 
 
 
'''Directions:'''
 
The building entrance faces the intersection of 34th and Walnut streets and the room is on the third floor. Folks should bring identification and let the guard know they're coming for the OWASP meeting.
 
 
 
== Previous Meeting: '''Monday, April 11th, from 6:30 - 8:00 PM'''  ==
 
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''
 
 
 
'''When:''' Monday, April 11th from 6:30 - 8:00 PM<br>
 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia
 
 
 
'''Topic: TBD'''
 
 
 
Supervisory Special Agent Brian Herrick of the Philadelphia FBI - Cyber Squad
 
 
 
The building entrance faces the intersection of 34th and Walnut streets and the room is on the third floor. Folks should bring identification and let the guard know they're coming for the OWASP meeting.
 
 
 
== Previous Meeting: '''Monday, March 7th, from 6:30 - 8:00 PM'''  ==
 
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''
 
 
 
'''When:''' Monday, March 7th from 6:30 - 8:00 PM<br>
 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia
 
 
 
'''The Power of Code Review'''
 
 
 
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security. As a volunteer to OWASP, Dave is:

*A member of the OWASP Board,

*The OWASP Conferences Chair,

*Project lead and coauthor of the OWASP Top 10,

*Coauthor of the OWASP Application Security Verification Standard, and

*Contributor to the OWASP Enterprise Security API (ESAPI) project.
 
 
 
The building entrance faces the intersection of 34th and Walnut streets and the room is on the third floor. Folks should bring identification and let the guard know they're coming for the OWASP meeting.
 
 
 
For a write up of the meeting please see http://www.madirish.net/justin/owasp-philadelphia-march-7-2011-meeting
 
 
 
== Previous Meeting: '''Tuesday, August 17th, 2010 6:30pm - 8:00pm'''  ==
 
'''OWASP Philly Meeting - 307 Levine Hall'''
 
 
 
'''When:''' Tuesday, August 17th, from 6:30 - 8:00 PM<br>
 
'''Where:''' University of Pennsylvania, 307 Levine Hall, Philadelphia
 
 
 
'''Mobile App Security Techniques'''
 
 
 
Look left, look right, look in your pocket: you probably glanced over a cellular phone. These devices are getting more and more pervasive in today's society. More importantly, they are getting very powerful. This new market of software users has been the catalyst of the "app" boom. Everyone is jumping on board and developing mobile applications. This influx of mobile application development means there are a large number of mobile applications that get rushed to market before they can be properly reviewed from a security standpoint. So guess what: more bugs for the taking!
 
 
 
In this talk we will lay out a few basic techniques that we use when we perform mobile application assessments, highlight possible pitfalls that one should be aware of, and hopefully give those up-and-coming mobile application penetration testers a leg up on the competition.
 
 
 
'''Raj Umadas''' is a Consultant with the Intrepidus Group. Mr. Umadas graduated summa cum laude from the Polytechnic Institute of NYU with a BS in Computer Engineering. At NYU-Poly, Mr. Umadas pursued a highly expansive computer security curriculum. He is just as comfortable sniffing out a memory corruption bug as he is assessing the risk management decisions of large projects.
 
 
 
Alongside his fresh academic outlook on security, Mr. Umadas obtained a no-nonsense business sense of security while working in an Information Risk Management arm of a large investment bank. Corporate governance, segregation of duties, and SOX compliance were all daily concerns for Mr. Umadas.
 
 
 
Mr. Umadas is eager to establish his own niche in the security world, where he will be the catalyst of some very major innovation. With his strong academics, proven real-world experience, and never-say-no attitude, it is only a matter of time.
 
 
 
For a summary of this presentation please see http://www.madirish.net/security-tools/470
 
 
 
== Previous Meeting: '''Tuesday, July 20th, 2010 6:30pm - 8:30pm'''  ==
 
'''OWASP Philly Meeting - University of Pennsylvania - Philadelphia'''
 
 
 
All are welcome to join us on Tuesday as we discuss web application security.
 
 
 
When: Tuesday, July 20th, 2010 6:30pm - 8:30pm<br />
 
Where: Fisher-Bennett Room 401, University of Pennsylvania<br />
 
3340 Walnut Street
 
Philadelphia, PA  19104
 
 
 
'''Agenda:'''<br>
 
1.) Opening Remarks<br>
 
2.) Balancing Security & Usability, Justin Klein Keane<br>
 
3.) Arshan Dabirsiaghi - Aspect Security<br>
 
4.) Informal meetup afterwards at New Deck
 
 
 
[http://owaspphiladelphia.eventbrite.com/ Please RSVP]
 
 
 
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Fisher-Bennett]
 
 
 
Questions should be directed to [mailto:[email protected] Aaron Weaver]
 
 
 
'''User Interface and Security in Web Applications'''
 
 
 
Security is often seen as a competing priority to good user experience, but the two are not diametrically opposed. Good user experience is essential to good security. Without ease of use, most people simply ignore or bypass security protections in systems. In order to craft effective security measures it is essential to take user experience into consideration. With the meteoric growth of web applications as a medium for service delivery it is critical to deploy good security measures. Web applications offer an always-on, globally available target for attackers. Users need to be allies in the drive for application security, but far too often security measures are presented as onerous, time-consuming, bothersome add-ons to web applications rather than seamlessly integrated, easy-to-use, user-friendly features. In this talk I propose to explore some of the reasons why good security in web applications matters and how you can make security effective by making it easy to use.
 
 
 
'''Speaker: Justin Klein Keane'''
 
 
 
Bio: Justin C. Klein Keane has over 8 years of experience in information security, starting with his role as Editor in Chief of the Hack in the Box e-zine. Currently Justin works as an Information Security Specialist with the University of Pennsylvania School of Arts and Sciences' Information Security and Unix Systems group. Justin's past work included several positions as a web application developer, often utilizing PHP. Justin is a regular contributor to the Full-Disclosure mailing list and is credited with dozens of vulnerability discoveries. Justin holds several ethical hacking and penetration testing certifications and regularly posts computer security related articles on his website http://www.MadIrish.net.
 
 
 
== Previous Meeting: '''Thursday, December 3rd, 2009 6:30pm - 8:30pm'''  ==
 
'''OWASP Philly Meeting - University of Pennsylvania - Philadelphia'''
 
 
 
'''This is a joint meeting with the [http://www.meetup.com/phillyphp/ Philadelphia Area PHP Meetup group]'''. All are welcome to join us on Tuesday as we discuss web application security.
 
 
 
When: December 3rd, 2009 6:30pm - 8:30pm<br />
 
Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania<br />
 
3330 Walnut St.
 
Philadelphia, PA  19104
 
 
 
'''Agenda:'''<br>
 
1.) Opening Remarks<br>
 
2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane<br>
 
3.) TBD: Bruce Diamond<br>
 
 
 
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104.&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Levine Hall]
 
 
 
Questions should be directed to [mailto:[email protected] Darian Anthony Patrick]
 
 
 
'''Discovering PHP Vulnerabilities Via Code Auditing'''
 
 
 
Abstract: PHP provides an accessible, easy-to-use platform for developing dynamic web applications. As the number of web-based applications grows, so too does the threat from external attackers. The open and global nature of the web means that web applications are exposed to attack from around the world, around the clock. Automated web application vulnerability scanning technology is still very much in its infancy, and unable to identify complex vulnerabilities that could lead to complete server compromise. While intrusion detection systems prove very valuable in detecting attacks, the best way to prevent vulnerabilities is to engage in active code review. There are many advantages of direct code review over automated testing, from the ability to identify complex edge-scenario vulnerabilities to finding non-exploitable flaws and fixing them proactively. Many vulnerabilities in PHP-based web applications are introduced through common misuse of the language or misunderstanding of how functions can be safely utilized. By understanding the common ways in which vulnerabilities are introduced into PHP code it becomes easy to quickly and accurately review PHP code and identify problems. In addition to common problems, PHP includes some obscure functionality that can lead developers to unwittingly introduce vulnerabilities into their applications. By understanding the security implications of some common PHP functions, code reviewers can pinpoint the use of such functions in code and inspect them to ensure safety.
 
 
 
Speaker: Justin Klein Keane
 
 
 
Bio: Justin C. Klein Keane has over 8 years of experience in information security, starting with his role as Editor in Chief of the Hack in the Box e-zine. Currently Justin works as an Information Security Specialist with the University of Pennsylvania School of Arts and Sciences' Information Security and Unix Systems group. Justin's past work included several positions as a web application developer, often utilizing PHP. Justin is a regular contributor to the Full-Disclosure mailing list and is credited with dozens of vulnerability discoveries. Justin holds several ethical hacking and penetration testing certifications and regularly posts computer security related articles on his website http://www.MadIrish.net.
 
 
 
----
 
 
 
== Previous Meeting: '''October 27th, 2009 6:00pm - 9:00pm'''  ==
 
'''OWASP Philly Meeting - Comcast - Philadelphia'''
 
 
 
<b>Presentations:</b><br>
 
[http://www.owasp.org/images/7/79/Agile_Practices_and_Methods.ppt Agile Practices and Methods]<br>
 
[http://www.owasp.org/images/d/d0/OWASP-AJAX-Final.ppt AJAX Security]<br>
 
[http://www.owasp.org/images/0/06/Adobe_AMF.ppt Adobe AMF]<br>
 
 
 
Food and space provided by Comcast.
 
 
 
'''Sponsor:'''
 
[[Image:comcastlogo.gif]]
 
 
 
When: October 27th, 2009 6:00pm - 9:00pm
 
Where: Floor (TBD), Comcast, 1701 John F Kennedy Blvd Philadelphia, PA  08054
 
 
 
'''Agenda:'''<br>
 
1.) OWASP Meeting Opening Remarks: Bruce A. Kaalund Director, Product Security<br>
 
2.) Development Issues Within AJAX Applications: How to Divert Threats: Tom Tucker, Cenzic<br>
 
3.) Agile Software Development Principles and Practices : Ravindar Gujral, Agile Philadelphia<br>
 
4.) Testing Adobe Flex/SWF's, focusing on flash remoting (AMF): Aaron Weaver, Pearson eCollege<br>
 
 
 
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1701+John+F+Kennedy+Blvd+philadelphia&sll=39.954255,-75.16839&sspn=0.006908,0.013711&ie=UTF8&hq=&hnear=1701+John+F+Kennedy+Blvd,+Philadelphia,+Pennsylvania+19103&ll=39.956185,-75.168393&spn=0.006908,0.013711&t=h&z=16&iwloc=A Directions to Comcast]
 
 
 
'''Development Issues Within AJAX Applications: How to Divert Threats'''
 
 
 
Speaker: Tom Tucker
 
 
 
Bio: Tom Tucker has over 25 years of experience within the enterprise hardware, software, network, and security market. As a Senior Systems Engineer at Cenzic, Tom works directly with customers to protect their Web applications from hacker attacks. Previously Tom worked with Tier 1 and Tier 2 Network Service Providers such as BBN, GTE, AT&T, iPass, New Edge Networks and MegaPath Networks, designing firewall, VPN, WAN, LAN and Hosting solutions. Tom was also the Director of Intranet Engineering for Associates Information Services (now a part of Citigroup), implementing secure Internet technology solutions for both internal and external application delivery.
 
 
 
 
 
----
 
 
 
== Previous Meeting: '''Wednesday June 24th 2009, 6:30 PM - 8:00 PM'''  ==
 
'''OWASP Philly Meeting - AccessIT Group - King of Prussia'''
 
 
 
Pizza provided by AccessIT Group.
 
 
 
'''Sponsors:'''
 
[[Image:Logo_accessitgroup.gif]][[Image:Sanslogo_vertical.jpg]]
 
 
 
'''Agenda:'''<br>
 
1.) OWASP Introduction<br>
 
2.) How to Analyze Malicious Flash Programs - Lenny Zeltser<br>
 
3.) OWASP .NET, OWASP Report Generator, OWASP Cryttr/Encrypted Syndication - Mark Roxberry<br>
 
 
 
[http://atlas.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=Access+It+Group+Inc&address=2000+Valley+Forge+Cir&city=King+of+Prussia&state=PA&zipcode=19406 Directions]
 
 
 
2000 Valley Forge Circle<br>
 
Suite 106<br>
 
King of Prussia, PA 19406<br>
 
 
 
AccessIT Group is located in the 2000 Building (middle building) of the Valley Forge Towers. The offices are located on the bottom floor of the building. Parking is available in the front or rear of the building.
 
 
 
'''How to Analyze Malicious Flash Programs'''
 
 
 
by Lenny Zeltser (http://www.zeltser.com)
 
 
 
'''About the talk:'''
 
Attackers increasingly use malicious Flash programs, often in the form of banner ads, as initial infection vectors. Obfuscation techniques and multiple Flash virtual machines complicate the task of analyzing such threats. Come to learn insights, tools and techniques for reverse-engineering this category of browser malware.
 
 
 
'''Bio:'''
 
Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. You can stay in touch with him via http://twitter.com/lennyzeltser.
 
 
 
'''OWASP .NET, OWASP Report Generator, OWASP Cryttr / Encrypted Syndication'''
 
 
 
by Mark Roxberry
 
 
 
About the talk: Mark is looking to generate some interest in participating in OWASP projects. He will be speaking about projects that he is involved in and hoping to recruit folks who have the time, energy and motivation to help out.
 
 
 
Bio: Mark Roxberry is a frequent contributor of research and code to OWASP. His credits include OWASP Testing Guide contributor and reviewer, the OWASP .NET Project Lead, the OWASP Report Generator Lead and just recently the OWASP Encrypted Syndication Lead. He is a Senior Consultant at Database Solutions in King of Prussia. Mark has a B.S. in Russian Technical Translation from the Pennsylvania State University and has the CEH and CISSP certificates hanging in his bunker, where he tries to figure out how to hack into Skynet when it comes online.
 
 
 
== Previous Meetings ==
 
 
 
Next Meeting: <br>'''October 28th 2008, 6:30 PM - 8:00 PM'''

<br>OWASP Philly Meeting - Protiviti - Two Liberty Place Philadelphia
 
 
 
Come join us in Philadelphia as we discuss web application security.
 
 
 
'''Agenda:'''<br>
 
1.) Web Application Security and PCI requirements (V 1.1 and 1.2)<br>
 
2.) Clickjacking: What is it and should we be concerned about it?<br>
 
3.) Summary of OWASP conference in New York.
 
 
 
[http://maps.google.com/maps?q=50+South+16th+St+Philadelphia,+PA&ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&sa=X&oi=geocode_result&resnum=1&ct=title Google Directions]
 
 
 
Two Liberty Place 50 South 16th St<br>
 
Suite 2900<br>
 
Philadelphia, PA 19102 USA<br>
 
  
 
[[Category:Pennsylvania]]
 

Latest revision as of 22:37, 31 October 2018
