This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 21:06, 13 December 2011 by Dinis.cruz (talk | contribs)

Jump to: navigation, search

OWASP Seattle

Welcome to the Seattle chapter homepage. The chapter leader is Raymond Forbes

We meet monthly usually in downtown Seattle an manage our events using MeetUp. You must RSVP to attend meetings using Meetup. The chapter has a Twitter account @owaspseattle for local and event news.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Next Meeting - December 14h, 2011

List announcement

When 6:30pm - December 14

Where 801 North 34th Street, Seattle, WA (map)

Selected By: Raymond Forbes

Parking Adobe provides a small, no-pay parking lot for visitors arriving on site by car. The lot is located under the Aurora bridge, directly east of the Waterfront building.

When parking at Adobe, visitors must display a temporary parking permit from the rear view mirror of their vehicle. Guests can obtain the permit from Security when checking in with reception. The visitor must then return to his/her vehicle to hang the permit from the rear view mirror.

There's some pay parking under the Fremont Bridge, on the west side of the building. The front door is on the northeast corner of the building.

RSVP: Required Adobe also needs the names of everybody going 48 hours before the meeting. I will be sending them what we have in the event. That means, make sure you are signed up!! There is lots of room still, so definitely take a look at the event.

Meetup Link


In December we are delighted to have two presentations:

Online Identity and the Future of SAML

Eve Maler is a principal analyst serving Security & Risk Professionals. She is an expert on emerging identity and security solutions, identity federation, consumer-facing identity and web access management, distributed authorization, privacy enhancement, and web services security. Eve helps clients manage risk and utilize business opportunities through identity and access management business and technology strategy. She is based in the Seattle area.

Prior to joining Forrester, Eve was an identity solutions architect with PayPal, developing business and technical strategies for new consumer identity services offerings. Previously, Eve managed Sun Microsystems' technical collaborations with Microsoft on web services and federated identity interoperability, and she made major leadership, technical, and education contributions to the development of the SAML standard for federated identity.

OWASP O2 Platform - Automating Security Testing

This talk will be an update on what's new with the O2 Platform since last's years presentation at this chapter (see below for more details).

For more details on O2 see:

Past Events

Previous Event - November 17th, 2011

Register for this event

Talk : No SQL and even less security. Speaker : Bryan Sullivan

Location : KPMG, Suite 900 801 second avenue Seattle, WA

Time : 6pm to 8pm

To attend this meeting you must RSVP via the Meetup page due to limited spaces.

Register for this event

Previous Event 11 August (Wednesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 8/11/2010 @ 6:30ish


How OWASP Works and Guided Tour of OWASP Projects

Speaker: Dinis Cruz

This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology)

Using the O2 Platform to Consume OWASP projects

Speaker: Dinis Cruz

This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities.

Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.

For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.

Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.

Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences

At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board

Previous Event 28 April (Wednesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 4/28/2010 @ 6:30ish


When Tools Are Not Enough – Best Practices for Securing Web Applications

Speakers: Walter Pearce & Wade Winright from IOActive

The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing.

Walter Pearce is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.

Wade Winright is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and also is certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.

Protecting Your Applications from Backdoors:

How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data

Speaker: Clint Pollock from Veracode

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; Prevalence of backdoors and malicious code in third party attacks Definitions and classifications of backdoors and their impact on your applications Methods to identify, track and remediate these vulnerabilities

Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.

Previous Event 3 February (Wednesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 2/3/2010 @ 6:30ish


Speaker: Hidetake Jo

Same Origin Policy


File:SameOriginPolicy.ppt - Same Origin Policy slide deck

File:Rendezvous.ppt - Presentation on the Rendezvous toolset

Same origin policy is a simple and important security policy which protects millions of users on the web. Often times the policy is over simplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this can’t be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call for action to involve the community to more comprehensively document the policies.

Hidetake Jo is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats, he also gets to break stuff. Hidetake has written many penatration testing tools that are used throughout Microsoft.

Speaker: Pravir Chandra

Open Software Assurance Maturity Model (OpenSAMM)


Slide deck can be found here

The Open Software Assurance Maturity Model (SAMM) ( is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

Previous Event 11 August (Tuesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 8/11/2009 @ 6:30ish


Speaker: Anil Kumar Revuru

Slides: File:Anti-XSS 3.0 RV.pptx

The Microsoft Anti-Cross-Site Scripting Library

The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.

  • An expanded white list that supports more languages
  • Performance improvements
  • Performance data sheets (in the online help)
  • Support for Shift_JIS encoding for mobile browsers
  • Security Runtime Engine (SRE) HTTP module
  • A sample application

In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.

Anil Kumar Revuru currently works for Information Security Tools team in Microsoft as Senior SDE where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool and Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. Has keen interest in photography, xbox and computer hardware.

Speaker: Andre Gironda

Using ASVS with the Code Review Guide, Testing Guide, and Time Management

The OWASP Application Security Verification Standards, which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration-test or SDLC integration project for proper application security hygiene.

This presentation will provide the 1000 foot view all the way down to the nitty gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on-time, and within budget.

Andre Gironda is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.

Previous Event 28 April (Tuesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 4/28/2009


Speaker: Scott Stender

Securing our Legacy - Responding to the call to provide practical security assurance

Every few months witnesses the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.

Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, It will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.

Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives.

In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.

Speaker: Ashok Misra

Application Issues with encryption of PANs

There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.

Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.

He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.

Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.

Prior to working with Real Networks he built backend components for ecommerce for

He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit , Real time Bank Transfers , Redirect Payment Instruments, Fraud Detection and PCI Compliance.

Previous Event 23 October (Thursday)

Location: 810 Third Avenue

Seattle, WA 98104

Conference room on the first floor

Date: 10/23/2008

Time: 6:30PM


Speaker: Michael Eddington


Fuzzing is one of the hot new buzzwords in the security industry and if your clients had not already ask for it they will. This talk will introduce the subject, talk about different types of fuzzers, integration into SDL, when to fuzz and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)

Michael Eddington is a founding principal of Leviathan Security Group with over ten years experience in computer security, with expertise in application and network security, through threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.

Speaker: Chris Weber

Exploiting Unicode-enabled Software

This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or takeover the machine.

Chris Weber co-founded Casaba Security who focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products

Previous Event 12 June (Thursday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 06/12/2008

Time: 6:30PM


Speaker: Taylor McKinley

Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking

Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:

  • Explain how dynamic taint propagation works.
  • Show how to retrofit an existing executable to perform dynamic taint propagation.
  • Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.
  • Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.

The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.

Taylor McKinley, Product Manager, Fortify Software

Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.

Speaker: Scott Stender

Concurrency Attacks in Web Applications

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.

This presentation will provide brief technical background against this class of flaw and enumerate testing techniques that help identify when flaws are present.

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

Previous Event 4 March (Tuesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 03/04/2008

Time: 6:30PM


Speaker: Billy Rios

Bad Sushi - Beating Phishers at Their Own Game

This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, demonstrate how easy it is so follow a phsisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.

Phishers usually setup their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be setup to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.

This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.

This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Speaker: Jon McClintock

Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.

Jon McClintock is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.

Date: 1/23/2008


Waqas Nazir, DigitSec


Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.

Presentation Title: Emerging threats in Web 2.0

Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).

Chris Clark, iSEC Partners

Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.

Presentation Title: Ruby on Rails Security

Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.

11/29/2007 @ 6:30PM PST - Seattle chapter meeting

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 11/29/2007

Time: 6PM


Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".

Presentation Title: Hunting security bugs in your code

Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.

David E Stevens III, Senior ROI Analyst, Symplified Inc.

In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.

Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"

In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!

09/06/2007 @ 6PM PST - Seattle chapter meeting

Details: Location: Bellevue Las Margaritas 437 108th Ave NE Bellevue, WA 98004 (425) 453-0535

Time: 6 o'clock


  • Rob Rachwald - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.
    • Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?
  • Damon Cortesi - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and event the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.
    • Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will included manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.

Update: - Rob's slides can be downloaded from here. Update #2: - Damon's slides can be found here.

2/28/2007 @ 6PM PST - Seattle chapter meeting


Location: Bellevue Las Margaritas (

Time: 6 o’clock.


  • Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:
    • Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
    • OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
    • 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
  • Brad Hill (Senior Security Consultant with iSEC Partners), will be speaking on:
    • XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Previous Meeting 8 January 2007

1/8/2007 @ 6 o'clock - Seattle chapter meeting.

Details: Location: Bellevue Las Margaritas ( Time: 6 o’clock.


Ward Spagenberg of IOActive on the topic "Unraveling PCI".

Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order. We look forward to seeing you all there!