|
|
| (224 intermediate revisions by 16 users not shown) |
| Line 1: |
Line 1: |
| − | ==== About ==== | + | ==== About ==== |
| − | [[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.
| |
| | | | |
| − | We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules. | + | [[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. OWASP Northern Virginia has almost 1000 members with a wide range of experience and backgrounds. We are also one of the two hosts with OWASP DC, hosting the 2016 OWASP AppSec USA Conference in Washington, DC. We'll be looking for members to help volunteer during the next few months. |
| | | | |
| − | The original DC Chapter was founded in June 2004 by [mailto:[email protected] Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship. | + | We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules. |
| | | | |
| − | * [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]
| + | The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics. |
| − | * Follow Chapter updates through Twitter: [http://twitter.com/OWASPNoVA @OWASPNoVA]
| |
| − | * Add April 8th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&tmeid=ODJuNjBnc3ZscHBiM2lsMGd0NDA3NHA3MDAgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://mail.google.com/a/owasp.org/?ui=2&ik=4f8d006579&view=att&th=1202931d04d667bc&attid=0.1&disp=attd&zw iCal/Exchange]
| |
| | | | |
| | + | {{Chapter Template|chaptername=Northern Virginia|extra =Come see us at a chapter meeting, jump on our Google Group, or email any of us directly. |
| | | | |
| − | ==== Locations ==== | + | === Chapter Board === |
| − | '''If you plan to attend in person:'''
| + | Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board: |
| | | | |
| − | Directions to Booz Allen's One Dulles facility:
| + | * Abdullah Munawar - Board Chair |
| | + | * Ben Pick |
| | | | |
| − | 13200 Woodland Park Road
| + | Board member responsibilities include: |
| − | Herndon, VA 20171
| |
| | | | |
| − | From Tyson's Corner:
| + | <pre style="white-space: pre-wrap;"> * Providing governance for chapter and member activities in terms chapter mission and OWASP code of ethics |
| | + | * Recruiting OWASP membership |
| | + | * Driving OWASP NoVA Chapter attendance and involvement |
| | + | * Deferring to, facilitating, and supporting the activities and projects of chapter membership |
| | + | * Eliciting, scheduling, and coordinating chapter panels, speakers, and other sessions |
| | + | * Scouting, clearing, and scheduling chapter meeting venues and catering |
| | + | * Identifying opportunities for collaboration between chapter membership, OWASP global committees, and other organizations |
| | + | * Collecting and auditing use of chapter funds |
| | + | * Voting on chapter matters |
| | + | </pre> |
| | + | For more information on how the board was elected and what it's responsibilities are, please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM Chapter Board Election] |mailinglistsite=https://groups.google.com/forum/#!forum/owasp-nova|emailarchives=https://groups.google.com/forum/#!forum/owasp-nova}} |
| | | | |
| − | * Take LEESBURG PIKE / VA-7 WEST
| + | You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter. |
| − | * Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
| + | === Schedule === |
| − | * Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
| |
| − | * Take the ramp toward CHANTILLY
| |
| − | * Turn Left onto CENTERVILLE ROAD (at end of ramp)
| |
| − | * Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
| |
| − | * End at 13200 WOODLAND PARK ROAD
| |
| | | | |
| − | <br>'''If you plan to attend via Webinar:'''
| + | Meetings are (generally) held the first Thursday of the month. |
| | | | |
| − | You can attend through [[OWASPNoVA WebEx]]
| + | Note: We need speakers and topics! If you want to present, please contact [ mailto:[email protected] Mike] or [ mailto:[email protected] Abdullah] . We're very open to hearing from all our members. |
| | | | |
| − | ==== Schedule ==== | + | == Next Meeting == |
| | | | |
| − | '''Next Meeting'''<P> | + | We'll post all meetings on the Meetup page below. |
| − | April 8th 6pm-9pm EST<br>
| |
| − | LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR>
| |
| − | TOPIC: How Penetration Testing Has Matured<BR>
| |
| − | SPEAKER(S): Jeremiah Grossman, Whitehat Security<BR>
| |
| − | PANEL: Grossman, Woolwine, TBD.<BR>
| |
| − | <BR>
| |
| − | INSTRUCTIONS: RSVP through Stan Wisseman [email protected] with “OWASP RSVP” in the subject.<BR> | |
| − | <BR>
| |
| − | TALK (50min.): Jeremiah Grossman, Whitehat Security - How Penetration Testing Has Matured -- a Modern Look<BR>
| |
| − | Panel (50min.) - Grossman, Woolwine, TBD -- Critical Answers to How Your Organization Should use Penetration Testing<BR>
| |
| | | | |
| − | * View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]
| + | We can also be contacted through the comment or messages systems on Meetup. |
| − | * There will be '''no meeting''' on our regular March date (March 12) because of an OWASP event in downtown DC on Friday the 13th.
| |
| | | | |
| − | * The next meeting is '''Wednesday, April 8th, 2009.'''
| + | For latest news check the meetup page here: [http://www.meetup.com/OWASP-Northern-Virginia-Chapter/ Meetup]. |
| − | * Add April 8th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&tmeid=ODJuNjBnc3ZscHBiM2lsMGd0NDA3NHA3MDAgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://mail.google.com/a/owasp.org/?ui=2&ik=4f8d006579&view=att&th=1202931d04d667bc&attid=0.1&disp=attd&zw iCal/Exchange]
| |
| | | | |
| | + | === History === |
| | | | |
| − | ==== Contributors and Sponsors ====
| + | The original DC Chapter was founded in June 2004 by [mailto:[email protected] Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship. |
| | | | |
| − | '''Chapter Leader'''
| + | __NOTOC__ |
| | | | |
| − | | + | [[Category:OWASP Chapter]] |
| − | | + | [[Category:United States]] |
| − | '''Refreshment Sponsors'''
| |
| − | | |
| − | [[Image:Cigital_OWASP.GIF]]
| |
| − | | |
| − | '''Facility Sponsors'''
| |
| − | | |
| − | [[Image:Bah-bw.JPG|215px]]
| |
| − | | |
| − | | |
| − | __NOTOC__
| |
| − | <headertabs/>
| |
| − | <paypal>Northern Virginia</paypal>
| |
| − | | |
| − | == Past Meetings ==
| |
| − | | |
| − | ===April 2009 ===
| |
| − | ''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br>
| |
| − | Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.
| |
| − | | |
| − | Later,
| |
| − | <UL>
| |
| − | <LI>Nate Miller, Stratum Security;
| |
| − | <LI>Jeremiah Grossman, Whitehat Security;
| |
| − | <LI>Tom Brennan, Whitehat Security; and
| |
| − | <LI>Wade Woolwine, AOL
| |
| − | </UL>
| |
| − | served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.
| |
| − | | |
| − | === February 2009 ===
| |
| − | | |
| − | ''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''
| |
| − | | |
| − | Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.
| |
| − | | |
| − | This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.
| |
| − | | |
| − | Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."
| |
| − | | |
| − | (This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )
| |
| − | | |
| − | Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]
| |
| − | | |
| − | ''John Steven, Cigital'': '''Moving Beyond Top N Lists'''
| |
| − | | |
| − | Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]
| |
| − | | |
| − | | |
| − | Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.
| |
| − | | |
| − | John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.
| |
| − | | |
| − | === January 2009 ===
| |
| − | | |
| − | To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.
| |
| − | | |
| − | ''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''
| |
| − |
| |
| − | Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.
| |
| − |
| |
| − | Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.
| |
| − | | |
| − | Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]
| |
| − | | |
| − | ''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''
| |
| − | | |
| − | The primary aim of the OWASP ASVS Project is to normalize the range
| |
| − | of coverage and level of rigor available in the market when it comes to
| |
| − | performing application-level security verification. The goal is to
| |
| − | create a set of commercially-workable open standards that are tailored
| |
| − | to specific web-based technologies.
| |
| − | | |
| − | Mike Boberski works at Booz Allen Hamilton. He has a background in
| |
| − | application security and the use of cryptography by applications. He is
| |
| − | experienced in trusted product evaluation, security-related software
| |
| − | development and integration, and cryptomodule testing. For OWASP, he is
| |
| − | the project lead and a co-author of the OWASP Application Security
| |
| − | Verification Standard, the first OWASP standard.
| |
| − | | |
| − | Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]
| |
| − | | |
| − | === November 2008 ===
| |
| − | For our November 2008 meeting, we had two great presentations on software assurance and security testing.
| |
| − | | |
| − | ''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''
| |
| − | | |
| − | Nadya's presentation will provide an update on the Software Assurance
| |
| − | Forum efforts to establish a comprehensive framework for software
| |
| − | assurance (SwA) and security measurement. The Framework addresses
| |
| − | measuring achievement of SwA goals and objectives within the context of
| |
| − | individual projects, programs, or enterprises. It targets a variety of
| |
| − | audiences including executives, developers, vendors, suppliers, and
| |
| − | buyers. The Framework leverages existing measurement methodologies,
| |
| − | including Practical Software and System Measurement (PSM); CMMI Goal,
| |
| − | Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC
| |
| − | 27004 and identifies commonalities among the methodologies to help
| |
| − | organizations integrate SwA measurement in their overall measurement
| |
| − | efforts cost-effectively and as seamlessly as possible, rather than
| |
| − | establish a standalone SwA measurement effort within an organization.
| |
| − | The presentation will provide an update on the SwA Forum Measurement
| |
| − | Working Group work, present the current version of the Framework and underlying measures
| |
| − | development and implementation processes, and propose example SwA
| |
| − | measures applicable to a variety of SwA stakeholders. The presentation
| |
| − | will update the group on the latest NIST and ISO standards on
| |
| − | information security measurement that are being integrated into the
| |
| − | Framework as the standards are being developed.
| |
| − | | |
| − | Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]
| |
| − | | |
| − | ''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''
| |
| − | | |
| − | The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)
| |
| − | gives developers and testers the tools they need to make security
| |
| − | testing a regular part of their development lifecycle. Its recipe style
| |
| − | approach covers manual, exploratory testing as well automated techniques
| |
| − | that you can make part of your unit tests or regression cycle. The
| |
| − | recipes cover the basics like observing messages between clients and
| |
| − | servers, to multi-phase tests that script the login and execution of web
| |
| − | application features. This book complements many of the security texts
| |
| − | in the market that tell you what a vulnerability is, but not how to
| |
| − | systematically test it day in and day out. Leverage the recipes in this
| |
| − | book to add significant security coverage to your testing without adding
| |
| − | significant time and cost to your effort.
| |
| − | | |
| − | Congratulations to Tim Bond who won an autographed copy of Paco's book.
| |
| − | Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]
| |
| − | | |
| − | Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]
| |
| − | | |
| − | === October 2008 ===
| |
| − | For our October 2008 meeting, we had two fascinating talks relating to forensics.
| |
| − | | |
| − | ''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''
| |
| − | | |
| − | Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.
| |
| − | | |
| − | Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]
| |
| − | | |
| − | ''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''
| |
| − | | |
| − | Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.
| |
| − | | |
| − | Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]
| |
| − | | |
| − | ==Knowledge==
| |
| − | On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.
| |
| − |
| |
| − | [[Category:Virginia]]
| |
| − | [[Category:Washington, DC]] | |
meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. OWASP Northern Virginia has almost 1000 members with a wide range of experience and backgrounds. We are also one of the two hosts with OWASP DC, hosting the 2016 OWASP AppSec USA Conference in Washington, DC. We'll be looking for members to help volunteer during the next few months.
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.
The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.
Welcome to the Northern Virginia chapter homepage. Come see us at a chapter meeting, jump on our Google Group, or email any of us directly.
Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board:
For more information on how the board was elected and what it's responsibilities are, please see: Chapter Board Election
We'll post all meetings on the Meetup page below.
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? 
