Difference between revisions of "Sao Paulo"

==== Meetings & Events ====
 
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.
 
'''July 2011 Meeting'''

Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')

* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here]
* Jack Mannino will speak on '''Building Secure Android Applications'''
* Doug Wilson & Mark Bristow will update on current and upcoming events.

'''NEW LOCATION''' Folks will need to come up to the 8th floor. When they get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.

'''About our Speakers'''

:'''Jack Mannino'''

::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.

:'''Abstract'''

::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.

::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them, using guidance provided by the OWASP Mobile Security Project.

::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.

::At the end of this presentation, attendees will understand how to identify Android risks and how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.

==== Participation ====

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].

==== Twitter ====

<!-- Twitter Box -->
{|
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter>
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

==== News & Meetings ====

Archives of meetings earlier than those on this page can be found in the [[Washington_DC Archives]].

'''March 2010 Meeting'''

* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)
* Jeff Ennis from Veracode will be presenting on Application Risk Management
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA
* Doug Wilson will update on plans for future meetings and upcoming events.

'''About our Speakers'''

'''Jeff Ennis'''

:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.

:'''Abstract'''

:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into the security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.

'''Dan Philpott'''

:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.

'''Chuck Willis'''

:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.

'''December 2009 Meeting'''

* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
* We will be recapping and discussing AppSecDC and the OWASP Summit
* We will discuss other recent events such as the DHS Software Assurance Forum Conference
* We will be talking about the coming year and upcoming events
* We will open up the floor for discussion of current events or concerns.

'''Addition to Agenda'''

Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.

'''September 2009 Meeting'''

* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browser (XAB) that they have previously presented at Black Hat and at Defcon.
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.

'''XAB -- The Abstract:'''

Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.

XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.

During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.

'''About our speakers:'''

'''Matthew Flick, Principal'''
'''FYRM Associates'''

Matt has more than seven years of professional experience in information assurance, focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.

Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.

Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.

'''Jeff Yestrumskas'''
'''Sr. Manager InfoSec @ Cvent'''

Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background, spanning over a decade, includes forensics, leading penetration tests, application security services and teaching others to do the same.

'''August 2009 Meeting'''

* The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
* '''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World
* '''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.
* '''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]

About our speakers:

:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

:'''Vulnerability Management in an Application Security World'''

:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.

:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.

:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security, with a call to action to make web application security products and processes compatible with SCAP.

'''April Meeting Debrief'''

We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.

Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.

We'd also like to thank:
* George Washington University and their great staff for the meeting space and A/V support
* Securicon and Mark Bristow for arranging refreshments.

We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!

'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]

This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].

<blockquote>Deblaze - A remote method enumeration tool for Flex servers.</blockquote>

<blockquote>Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting end points.</blockquote>

<blockquote>This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.</blockquote>

<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote>

Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.

We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.

You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]

''Note on Transportation and Parking''

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

'''February 5th 6:30 PM OWASP Meeting, Washington DC'''

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]

This month's agenda:

* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
* 7:45 - 8:00 Break
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra

You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008

''Note on Transportation and Parking''

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3-block walk from the Marvin Center.

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

'''December Meeting Debrief'''

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].

We also took care of some housekeeping stuff:
* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here].
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].

To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.

'''December 10th 6:30pm OWASP Meeting, Washington DC'''

This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.

This month's agenda is as follows:

* Presentation by Kevin Johnson, InGuardians
* Round table discussion of the Portugal Summit
* Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on the B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth, and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on Upcoming.org:
http://upcoming.yahoo.com/event/1334575

'''October 15th 6:30pm OWASP Meeting, Washington DC'''

This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.

This month's agenda is as follows:

* Adam Vincent, Hacking and Hardening Web Services
* Doug Wilson, Report on AppSec NYC 2008
* Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from it, and talk about some of the directions that OWASP is looking to take in the coming year.

==== History ====

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.

In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.

In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.

The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.

<headertabs />

<paypal>Washington DC</paypal>

Facility Sponsor: Currently Open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}

[[Category:OWASP Chapter]]
[[Category:Washington, DC]]
[[Category:Maryland]]

Revision as of 20:12, 22 July 2011



Welcome

Welcome to the Home Page of the Washington DC OWASP Chapter.


Our next meeting is July 21st 6:00pm Map | Register


  • The chapter Co-Chairs are Mark Bristow, and Doug Wilson. Please contact us with any questions about the chapter.
  • Please subscribe to the mailing list for meeting announcements.
  • You can follow us on Twitter as @OWASPDC
  • Our recent meetings are documented on the News & Meetings tab.
  • You can also check out the archives of this page here Washington_DC Archives.

Meetings & Events

Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.


July 2011 Meeting

Our next meeting is July 21st 6:00pm 2445 M Street NW Washington, DC 20037 (*NOTE NEW LOCATION*)

  • Please Register Here
  • Jack Mannino will speak on Building Secure Android Applications
  • Doug Wilson & Mark Bristow will update on current and upcoming events.


NEW LOCATION Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room


About our Speakers

Jack Mannino
Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.
Abstract
Building Secure Android Applications - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.
This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.
Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.
At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.


Participation

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the Mailing List.

Twitter

You can follow us on Twitter as @OWASPDC <twitter>23609877</twitter>


News & Meetings

Archives from earlier meetings than contained on this page can be found in the Washington_DC Archives

March 2010 Meeting

  • Our next meeting will be March 24th at 6:30 PM, at 801 22nd Street NW, Room B149 on the GWU campus in Washington DC (*NOTE NEW LOCATION*)
  • Jeff Ennis from Veracode will be presenting on Application Risk Management
  • Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
  • Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA
  • Doug Wilson will update on plans for future meetings and upcoming events.

About our Speakers

Jeff Ennis

Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape.. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.
Abstract
Application Risk Management - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.

Dan Philpott

Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.

Chuck Willis

Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.

December 2009 Meeting

  • Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
  • We will be recapping and discussing AppSecDC and the OWASP Summit
  • We will discuss other recent events such as the DHS Software Assurance Forum Conference
  • We will be talking about the coming year and upcoming events
  • We will open up the floor for discussion of current events or concerns.

Addition to Agenda

Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.

September 2009 Meeting


XAB -- The Abstract:

Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.

XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.

During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.


About our speakers:

Matthew Flick, Principal, FYRM Associates

Matt has more than seven years of professional experience in information assurance, focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.

Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.

Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.


Jeff Yestrumskas, Sr. Manager InfoSec @ Cvent

Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.


August 2009 Meeting

About our speakers:

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

Vulnerability Management in an Application Security World

This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.


Michael Smith is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.

SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security, with a call to action to make web application security products and processes compatible with SCAP.


April Meeting Debrief

We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.

Our big announcement of the meeting was that we are kicking off the Call for Papers for AppSec DC 2009, slated for November 10-13 at the DC Convention Center.

We'd also like to thank:

  • George Washington University and their great staff for the meeting space and A/V support
  • Securicon and Mark Bristow for arranging refreshments.

We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our mailing list!


April 22nd 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at 2201 G St. NW Washington, DC 20037

This month, we will have Jon Rose speaking about Flash Remoting and Deblaze.

Deblaze - A remote method enumeration tool for Flex servers.

Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.

This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.

The latest version can be found at deblaze-tool.appspot.com

Doug Wilson will also discuss the recent OWASP Software Assurance Day that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.

We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.

You can RSVP for the event on Upcoming.org


Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.


February 5th 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting is in Duques Hall, Room 553, which is located at 2201 G St. NW Washington, DC 20037

This month's agenda:

  • 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
  • 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
  • 7:45 - 8:00 Break
  • 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra

You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008


Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU, located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.


December Meeting Debrief

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found here.

We also took care of some housekeeping stuff:

  • We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
  • The OWASP DC Chapter will be hosting OWASP AppSec 2009 sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
  • Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found here
  • Our next chapter meeting will be held in February, topics TBD but we are soliciting speakers.

To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.


December 10th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.

This month's agenda is as follows:

  • Presentation by Kevin Johnson, InGuardians
  • Round table Discussion of Portugal Summit
  • Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on Upcoming.org: http://upcoming.yahoo.com/event/1334575


October 15th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.

This month's agenda is as follows:

  • Adam Vincent, Hacking and Hardening Web Services
  • Doug Wilson, Report on AppSec NYC 2008
  • Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.


History

The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware.

In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.

In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.

The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.


Facility Sponsor: Currently Open      Refreshment Sponsor: Securicon



OWASP Sao Paulo

Welcome to the Sao Paulo chapter homepage. The chapter leader is Leonardo Buonsanti.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


Next Meeting Location and Date:
January 17, 2011, from 7:30 PM to 10:00 PM.
Address: Avenida das Nações Unidas, 7221, Sala Contigo, in the Espaço Victor Civita.
Parking: Rua Sumidouro or Gilberto Sabino.

Everyone is welcome to join us at our chapter meetings.

Twitter

You can follow us on Twitter @OWASPSaoPaulo