This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Washington DC"

From OWASP
Jump to: navigation, search
(Local News)
 
(203 intermediate revisions by 20 users not shown)
Line 1: Line 1:
==  Welcome to the OWASP Washington, DC-Maryland Local Chapter ==
+
__NOTOC__
  
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters with common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.
+
{{Chapter Template|chaptername=Washington DC|extra=The chapter leaders are [mailto:[email protected] Emily Verwee], [mailto:andrew.weidenhamer@owasp.org Andrew Weidenhamer] and [mailto:[email protected] Bryan Batty].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/Owasp-washington|emailarchives=http://lists.owasp.org/pipermail/Owasp-washington}}
  
Chapter meetings are held several times a year, typically in the offices of our sponsor. Please subscribe to the [http://lists.sourceforge.net/lists/listinfo/owasp-washington/ mailing list] for meeting announcements.
+
== Local News ==
 +
 
 +
'''Next Meeting - The Groovy Landscape & Grails Security''' 6:30PM Thursday, July 10th UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC
 +
 
 +
Everyone is welcome to join us at our chapter meetings.
 +
 
 +
 
 +
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br>
 +
 
 +
* Please checkout our Meetup page (http://www.meetup.com/OWASPDC/) for the latest announcements or subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting information.
 +
 
 +
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]
 +
 
 +
* Our recent meetings are documented on the News & Meetings tab.
 +
 
 +
* You can also check out the archives of this page here [[Washington_DC Archives]].
 +
 
 +
 
 +
= Meetings & Events =
 +
 
 +
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br><br>
 +
 
 +
'''Next Meeting - The Groovy Landscape & Grails Security'''
 +
 
 +
The next meeting will be on Thursday, July 10, 2014 from 6:30 PM to 8:30 PM (EDT) at
 +
 
 +
'''Location:''' UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC
 +
 
 +
Please RSVP for the event here: http://www.meetup.com/OWASPDC/
 +
 
 +
'''Presentation Overview:'''
 +
1st Talk - "The Groovy Landscape"
 +
 
 +
This talk is geared to those who are new to Groovy and the goal is to put the Groovy language in is proper context. We will try to answer the following questions:
 +
 
 +
What are the properties of the language?
 +
When and why was it developed?
 +
Who is using it and who maintains it?
 +
Where can I use it?
 +
How do I get started or contribute to development?
 +
 
 +
2nd Talk - "Grails Security"
 +
 
 +
Grails is a framework developed for Groovy in the vein of Rails for Ruby. It provides a lot of features for web app security, but does it do enough? What might you need to implement yourself, and what might be provided? This presentation will discuss tips on securing Grails applications, including tools that the framework provides by default for security. It'll also discuss several shortcomings in the current toolset, and how you can avoid them.
 +
 
 +
'''Speaker:'''
 +
David James -  David is a software developer and consultant who helps enterprise clients deliver software that makes a business impact. He has been developing applications on the JVM for fifteen years and leverages Groovy on a daily basis. David is involved in the Arlington coworking community and is the founder of the DC Groovy user group.
 +
 
 +
Cyrus Malekpour - Cyrus (@cmalekpour) is a software developer at nVisium, working on web app development and security. He's currently an undergraduate student at the University of Virginia, where he's studying computer science with an emphasis on security and backend development. Most of his passion is in designing and developing secure applications, but he also has an interest in breaking into things. In his free time, he likes to read, watch movies, and cycle.
 +
 
 +
= Participation =
 +
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.
 +
 
 +
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br><br>
 +
 
 +
= Twitter =
 +
<!-- Twitter Box --> {|
 +
 
 +
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
 +
 
 +
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter>
 +
 
 +
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
 +
 
 +
|}
 +
 
 +
= News & Recent Meetings =
 +
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br><br>
 +
 
 +
'''May 2014 Meeting'''
 +
 
 +
'''Presentation Overview:''' As mobile dating applications grow in popularity, so does our interest in the security posture behind them. There are a vast number of mobile dating applications available for use today by anyone with a smart phone. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly.
 +
 
 +
We will cover popular features such as location-based services, analytics, sharing of information, in-app purchasing, and any other features we discover to be interesting. We will analyze the type of personal data being stored within these applications, communication channels used to transmit information, hardware interaction with the application, and interaction with other applications on the device. We will answer the big questions posed by those who use these apps or want to use these apps: Are these applications disclosing sensitive information? How private is the communication between me and another user? How can I be sure my data is being protected?
 +
 
 +
This talk will feature highlights from popular, obscure, and scary dating applications to answer a simple question: “Can you find love on the Internet without having your personal data exposed?”
 +
 
 +
'''Speaker:'''
 +
Jack Mannino is an Application Security expert with over a decade of experience building, breaking, and securing into complex systems. Jack is Co-Founder and CEO of nVisium, while also leading research and development initiatives. With experience developing in Java, Objective-C, and C#, he performs risk assessments and penetration tests for Fortune 500 companies and government agencies. Jack also founded and leads the OWASP Mobile Application Security Project, which is a global initiative to build secure development standards for mobile. He is an active Android security researcher with a keen interest in large-scale security analysis.
 +
 
 +
Abdullah Munawar is an Application Security consultant at nVisium who specializes in mobile application testing and ripping apart new things. With over 7 years of experience, Abdullah previously worked on the security teams at financial and aviation organizations. Abdullah attempts humor on a daily basis and succeeds most of the time, every time.
 +
 
 +
'''March 2014 Meeting'''
 +
 
 +
'''Presentation Overview:''' How is identity and access management (IAM) implemented in your in-house applications?  Do the developers who implement it have IAM expertise?  Does every team implement their own IAM?
 +
Enterprise framework development teams with IAM expertise can address the problem by creating APIs that enable developers without IAM expertise to implement the IAM correctly.  This presentation explains what an enterprise identity API is, why it's worthwhile to create one and how it might be done.
 +
 
 +
'''Speaker:'''
 +
Adam Migus (@amigus) - Adam currently works as an IT architect helping his clients devise and execute technology strategy. Prior to that he was a Principal Security Architect at E*TRADE Financial where he created APIs as a means to improve software security. Adam believes that software quality is critical to software security and that many application security concerns can be addressed through enterprise APIs.  He's also held positions at McAfee and Symantec.  He earned his B.Sc. in Computer Science from Memorial University of Newfoundland, where he also started his career in earnest as a network administrator.
 +
 
 +
'''February 2014 Meeting'''
 +
 
 +
'''Presentation Overview:''' Bojan Simic will provide a short background into Bitcoin and how it works. He will then provide some of his firsthand experiences with the state of Bitcoin businesses with regard to security and how many individuals are (insecurely) handling their Bitcoins. These experiences will demonstrate some "hacks" that pertain to the OWASP Top 10 as well as other types of vulnerabilities. The talk will include an overview of simple security steps that individuals and businesses who are working with Bitcoin should take to in order to mitigate the chance of hackers stealing Bitcoin and Personally Identifiable Information (PII) from them and their customers.
 +
 
 +
'''Speaker:'''
 +
Bojan is a security engineer in the industry as well as the founder and main contributor to the Bitcoin Security Project (https://bitcoinsecurityproject.org). The project is a free and open source resource that is dedicated to spreading security awareness across the Bitcoin community by helping individual bitcoin holders and businesses follow security best practices. These practices ensure better security of individual holders' investments and Bitcoin business customers.
 +
 
 +
Professionally, Bojan has performed hundreds of penetration tests, threat modeling, and security code reviews of different applications. These reviews identify vulnerabilities associated with software, the network software, and infrastructure they are deployed on. He also performs research in the field of web application security and teaches developer training on web application best practices, architecture, and security.
 +
 
 +
'''January 2014 Meeting'''
 +
 
 +
'''Summary''':
 +
This talk will include how organizations build AppSec programs, how to gain Executive and organizational-wide acceptance to your AppSec program and the current trends within the application security industry.
 +
 
 +
If you have a specific question you would like discussed please just send Rinaldi or Mike McCabe an email and they will try to incorporate it into the talk.
 +
 
 +
Let's help each other start off 2014 strong in implementing your AppSec goals/resolutions! We understand you may have an unique environment but there are common themes between disparate environments. We can learn from the those themes and you can take them to your place of development and apply them accordingly. This discussion will be appealing to developers, project/program managers, application security leads and security professionals.
 +
 
 +
""Bios"":
 +
We are going to kick-off the year in a panel format with experts in the industry from the DC area. The panel will include:
 +
 
 +
• Lee Aber, Director, Information Security at Opower
 +
• Kevin Greene, Software Assurance Program Manager at DHS S&T
 +
• Rich Ronston, Director, Security at Deltek
 +
• Jack Mannino, Chief Security Officer at nVisium & OWASP NoVA Lead [Moderator]
 +
 
 +
 
 +
'''July 2012 Meeting'''
 +
 
 +
'''Topic''': OWASP Top Ten Tools and Tactics
 +
 
 +
'''Abstract''': If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.
 +
 
 +
'''Bio''': Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th ranked Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).
 +
 
 +
'''8:15-9:15 Speaker''': Kevin Johnson
 +
 
 +
'''Topic''': Ninja Assessments: Stealth Security Testing for Organizations
 +
 
 +
'''Abstract''': Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of the web applications. These techniques are designed to be implemented easily and with little impact on the work load of the staff.
 +
 
 +
'''Bio''': Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.
 +
 
 +
'''May 2012 Meeting'''
 +
 
 +
'''Speaker''': Rohit Sethi, Vice President, Product Development, SD Elements
 +
 
 +
'''Topic''': Is There An End to Testing Ourselves Secure?
 +
 
 +
'''Abstract''': Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process,  thereby either causing project delays or risk acceptance.
  
Our chapter is sponsored by [http://www.aspectsecurity.com Aspect Security].
+
This talk is an open discussion about the presence, if any, of scalable, measurable, approaches working to address security into the SDLC. Consideration for how Agile development impacts effectiveness will be explored.
  
== Participation ==
+
Points of discussion include:
  
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the DC-Maryland Chapter, send an email to [mailto:[email protected] Matt Fisher] or [mailto:[email protected] Andre Ludwig].
+
·        Is static analysis sufficient?
 +
·        Developer awareness training
 +
·        Threat modeling / architecture analysis
 +
·        Secure requirements
 +
·        Considerations for procured applications
  
Between meetings we keep the discussion going via mailing list. To join our chapter [http://lists.sourceforge.net/lists/listinfo/owasp-washington/ mailing list], visit our mailing list page. List membership is kept private.
+
'''Bio''': Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
  
== Local News ==
+
Register for the meeting at http://owaspdc.eventbrite.com/
 +
 
 +
'''March 2012 Meeting'''
 +
 
 +
March 15th at 6:30-7:30pm at LivingSocial's [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] office location on the first floor at the @hungryacademy.<br>
 +
 
 +
Please RSVP for the event here: http://owaspdc.eventbrite.com/
 +
 
 +
'''Speaker''': Alissa Torres
 +
 
 +
'''Topic''': Application Footprinting
 +
 
 +
'''Abstract''': Application footprinting is a great skill for forensic examiners (and anyone interested in binary research) because it allows you to marry artifacts in the registry/file creation/time/date stamps with specific applications or user initiated events.  Eventually, during the course of an investigation, an examiner is going to run into a "new" problem - one that hasn't previously been experienced/researched by others in the field.  Application footprinting is a simple method that examines the interaction of a program with the operating system.  The process of footprinting will determine if the application was installed on the system being investigated, what trace evidence exists and how that can be mined.  This presentation will include a demo of Active Registry Monitor and its use in tracking changes made to the Windows Registry by an open source ssh client.
 +
 
 +
'''Bio''': Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s from University of Maryland in Information Technology. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.
 +
 
 +
'''December 2011 Meeting'''
 +
 
 +
'''The December 21st meeting was held at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.'''<br><br>
 +
 
 +
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br>
 +
 
 +
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages
 +
 
 +
* '''Ken Johnson''' and (maybe) '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''
 +
 
 +
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!
 +
 
 +
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.
 +
 
 +
'''About our Speakers'''
 +
 
 +
:'''Ken Johnson'''
 +
::Ken Johnson is a Senior Security Architect for LivingSocial.com responsible for securing mobile applications, web services and web applications. Additionally he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with Sushi or getting demolished in Call of Duty<br><br>
 +
 
 +
:'''Chris Gates'''
 +
::TBD<br>
 +
 
 +
::'''Abstract: Updates in wXf''' - Coming Soon<br>
 +
 
 +
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''
 +
<br>
 +
 
 +
'''Speakers'''<br>
 +
 
 +
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''
 +
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''
 +
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.
 +
 
 +
'''About our Speakers'''
 +
:'''John Steven'''
 +
 
 +
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
 +
 
 +
<br>
 +
 
 +
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?
 +
 
 +
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.
 +
 
 +
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.
 +
 
 +
<br>
 +
 
 +
:'''Krystal Moon'''
 +
 
 +
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason Univeristy.
 +
 
 +
:'''Quang Pham'''
 +
 
 +
:: Quang Pham is a Cyber Security Analyst at SRA International, INC.  At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program.  One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide.  Quang has a Bachelor’s in Computer Engineering and Electrical Engineering at Penn State and has been at SRA for 9 months.
 +
 
 +
<br>
 +
 
 +
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.
 +
 
 +
:::'''Secure Coding'''
 +
 
 +
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.
 +
 
 +
:::'''Architecture and Design Considerations for Secure Software'''
 +
 
 +
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.
 +
 
 +
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} -->
 +
 
 +
<br>
 +
 
 +
'''August 2011 Meeting'''
 +
 
 +
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.
 +
 
 +
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.
 +
 
 +
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br>
 +
 
 +
<br>
 +
 
 +
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.
 +
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''
 +
* Doug Wilson & Mark Bristow will update on current and upcoming events.
 +
 
 +
'''About our Speaker'''
 +
:'''Julian Cohen'''
 +
 
 +
::Julian is a security researcher from New York City.  When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques.  He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.
 +
 
 +
::Julian runs NYU Poly's world-renowned CSAW CTF competition.  In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.
 +
 
 +
:'''Abstract'''
 +
 
 +
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects.  This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable.  Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered throughly and w3c specifications will be cited.  An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.
 +
 
 +
<br>
 +
 
 +
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]
 +
 
 +
<br><br>
 +
 
 +
'''July 2011 Meeting'''
 +
 
 +
Our next meeting is July 21st 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')
 +
 
 +
* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here]
 +
* Jack Mannino will speak on '''Building Secure Android Applications'''
 +
* Doug Wilson & Mark Bristow will update on current and upcoming events.
 +
 
 +
'''NEW LOCATION'''  Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room
 +
 
 +
'''About our Speakers'''
 +
 
 +
:'''Jack Mannino'''
 +
 
 +
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.
  
'''Meeting: March 23rd'''
+
:'''Abstract'''
  
March Meeting Announcement
+
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.
  
Our next meeting is on Thursday March 23rd at 1800 hours in the offices of Aspect Security.
+
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.
  
This is going to be a technical meeting focusing on AJAX Security.
+
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.
  
In case you weren't aware, AJAX is a clever use of existing technologies to provide richer interfaces on the web
+
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.
(think Google Maps). It's growing in popularity and "buzz", so be sure to make this meeting and learn all you can about it.
 
  
If you have some AJAX science you'd like to drop on us, then email me directly at mfisher at spidynamics dot com
+
<br>
  
The Agenda:
+
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}
 
1. Opening, introductions
 
2. Presentation by Rick Pries: An introduction to AJAX
 
3. Overview and Review of the new OWASP AJAX Security Guide
 
4. BoF discussion on AJAX and AJAX security
 
5. Everything Else: Current Events, OWASP news, Industry News, Recent Hacks in the News, Closing, etc.
 
  
Food:
+
<br><br><br><br><br>
 
As usual, geek food will be provided. This usually means pizza and soda.
 
  
Getting there
+
'''March 2010 Meeting'''
  
Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:
+
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)
 
From I-95:
 
 
* Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
 
* Take the Broken Land Parkway exit
 
* Turn left off the ramp onto Broken Land Parkway
 
* Turn left at the light onto Guilford Road (0.5 miles)
 
 
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]
 
 
We're on the third floor in Suite 300
 
 
Unfortunatley being out in the far 'burbs there is very limited public transport.
 
 
If you need help getting to the meeting, try emailing the list at: [email protected] asking for a lift.
 
 
There are two MARC stations within a twenty minute drive, and the MTA contracted commuter busses drop off within 2 miles of the 
 
offices.
 
  
Wireless
+
* Jeff Ennis from Veracode will be presenting on Application Risk Management
+
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
I am please to announce that we may just have wireless access for the meeting. No promises, but if you're the type who likes to
+
* Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA
look stuff up realtime then you may want to bring the laptop.
+
* Doug Wilson will update on plans for future meetings and upcoming events.
 
If we *are* lucky to enough to get wireless access, there will be a serious "no playing around" policy in place, and anyone
 
breaking it will be kick/banned for life, y'all hear ?
 
  
 +
'''About our Speakers'''
  
'''December Meeting Notes'''
+
'''Jeff Ennis'''
  
  [Note: there was no meeting in November due to the holiday crunch. We decided to hold just one meeting in December].
+
:Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology.  He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as  they dealt with an ever-changing threat landscape..   Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.
  
Greetings from the Northern side of the Beltway. I wanted to send out a note to everyone letting them know how great the meeting
+
:'''Abstract'''
was last night. The turn out was the perfect size for some "fireside chats".... It was some of the most technical conversation
 
I've had in a long time that didn't involve an instant messenging client.
 
  
  First of all, Thanks again to the ever-generous Aspect Security whom provided not only meeting space, but pizza and a chaperone as 
+
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.
  well. I'm glad to say that Chuck was there too .. Chuck is one of our most highly technical meetings, and shows up every time, on
 
time.
 
  
For those of you who didn't make it, here's what we discussed. Note that I said *discussed*; not presentations. The smaller size of
+
'''Dan Philpott'''
this meeting really afforded some great technical conversation and the loose interactive format was spectacular. If you missed it ,
 
well then you missed out.
 
  
1. Susan Suskin gave us her thoughts on the AppSec conference for those you who missed the conference. Apparently the majority of
+
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.
the conference rocked, except for some lam3r presentation on web application worms (mine) .
 
 
2. NIST's SAMATE project. This is a government funded project that attempts to a) gain serious expertise in app sec to the point of  
 
being able to 2) define key performance capabilities of app sec tools, 3) define metrics for those capabilities, 4) create test
 
environments against those metrics, and then 5) evaluate and report on all app sec tools. Discussion of this spun off of the
 
discussion of the conference.
 
 
3. **The recent GMail hack**. This was really well done (props Andre ) . Instead of doing a *presentation* on it, shots from the 
 
original 'explanation' site was passed around and we all deciphered it together, making a true learning and discussion opportunity.
 
Unfortunately this also mitigated our ability to mock his lamer slides, but I secretly mocked his lamer xeroxing capabilities. I'm
 
just kidding of course: Andre xerox's like a champ. I think he's certified in it or something.
 
 
4. **A Tutorial Walk-Through of SQL Injection and Blind SQL Injection** along with *nasty evasive destructive SQL Injections*,
 
followed by the Web App Sec comedy hour. Those of you who missed the AppSec conference and also missed the meeting last night missed
 
all the humour. Plus, you'll never understand how astute Donald Rumsfeld is with input validation. [ If you  this far, then you get
 
an extra slice of pizza next meeting ]. My next presentation will be stone-cold serious, but equally lame. My presentations should
 
improve once I finish my PowerPoint certification study class.
 
 
5. ShmooCon ! The coolest conference you'll find in the area. Be there are be square. http://www.shmoocon.org/
 
If you are already registered for the conference and aren't staying at the Wardman, , then please consider booking a room - they
 
need this to lock in the hotel for next year. I'm local, and I have a room !
 
 
6. **AJAX** - what it is, what is isn't, who's using it, how it works, and the security implications of it. We all agreed that
 
none of us know enough about it and we're looking for someone with some real expertise to educate us on it. I for one am willing to
 
chip in some bucks for a serious education on it. If we all chipped in, we may be able to get someone to give us a couple hours of
 
tutorial on it. Thoughts ?
 
  
Next Meeting:
+
'''Chuck Willis'''
  
For our next gig, we're trying to get none other than a Special Agent from the Federal Bureau of Investigations to talk to us about 
+
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.
the real world legal and prosecutorial environment in relations to cyber intrusions. We will also discuss the latest and greatest
 
hacks, vulns and exploit techniques.
 
  
We'd like to see if there's a way to get internet access for the attendees as well. For instance, last night we really could have
+
'''December 2009 Meeting'''
used a Spanish L33t to English L33t Dictionary while deciphering the Gmail hack. It would be great for doing quick googles, demo'
 
etc. If there are any ideas on how we could secure some wireless that would not place us on the host's network, then please bring
 
it. Netstumbling the office doesn't count.
 
  
So now you know, and knowing's half the battle.
+
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
 +
* We will be recapping and discussing AppSecDC and the OWASP Summit
 +
* We will discuss other recent events such as the DHS Software Assurance Forum Conference
 +
* We will be talking about the coming year and upcoming events
 +
* We will open up the floor for discussion of current events or concerns.
  
- Matt
+
'''Addition to Agenda'''
  
+
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
'''Tuesday October 25th OWASP Meeting Agenda'''
 
  
The next OWASP DC chapter meeting will be held Tuesday, October 25th at 6pm. The meeting will be held in Aspect Security's office
+
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.
in Columbia MD.
 
  
    Aspect Security, Inc.
+
'''September 2009 Meeting'''
    9175 Guilford Road, Suite 300
 
    Columbia, MD 21046-2565
 
    Main: 301-604-4882
 
    Fax: 443.583.0772
 
  
Directions: http://www.aspectsecurity.com/contact.html
+
* The meeting was held at [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
 +
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.
 +
* Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.
  
Meeting Agenda
+
'''XAB -- The Abstract:'''
 
6:00pm – Initial Meeting kickoff
 
6:30pm – Special Guest Presentation (Steve Elky, see below for more information)
 
7:15pm – Pizza / General Discussion
 
7:30pm – Discussion on AppSecDC 2005 (Jeff Williams will be presenting)
 
8:15pm – Discussion on Myspace.com “worm”
 
  
Special Guest Presentation
+
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.
  
This week we have a special guest speaker Steve Elky. Steve will be discussing the incorporation of security and Certification and 
+
XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.
Accreditation into the Software Development Life Cycle. A brief overview of the presentation is below.
 
 
Certification and accreditation (C&A) mandate
 
Certification
 
Accreditation
 
C&A and the Software Development Life Cycle (SDLC)
 
Initiation
 
Development/Acquisition
 
Implementation
 
Operations/Maintenance
 
Disposal
 
Key Roles
 
Independent Approach to C&A
 
Integrated Approach to C&A
 
  
About Steve Elky
+
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.
  
Steve Elky is the Technical Director for Information Security at Software Performance Systems, a software company specializing in 
+
'''About our speakers:'''
e-government solutions. Mr. Elky has his CISSP, CISM, ISSAP, ISSMP, MCSE, CNE, GCNT, CCNA and CCSA as well as a B.S. from the
 
University of Baltimore. Mr. Elky acts as a security advisor to various company clients as well as helping company developers
 
determine and meet security requirements. Mr. Elky is currently assisting the Library of Congress in the design and implementation
 
of their security program.
 
  
Discussion and review of AppSecDC 2005
+
'''Matthew Flick, Principal'''
 +
'''FYRM Associates'''
  
Jeff Williams will be reviewing and discussing the happenings of AppSecDC 2005 for those of us who were not able to attend the
+
Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.
conference.
 
  
Discussion on Myspace.com “worm”
+
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.
  
If time permits we will be reviewing the recent myspace.com “worm”, both at a technical level as well as a higher level conceptual
+
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.
view including “what if” scenarios.
 
  
 +
'''Jeff Yestrumskas'''
 +
'''Sr. Manager InfoSec @ Cvent'''
  
'''Next Meeting - Tuesday, September 27 @6pm'''
+
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.
  
Everyone is welcome to join us at our monthly chapter meeting. It's held on the fourth Tuesday of each month at 6pm. If you have any
+
'''August 2009 Meeting'''
items you'd like others to talk about, or if you'd like to make a presentation, post your ideas to our [http://lists.sourceforge.net/lists/listinfo/owasp-washington/ mailing list] or send an
 
email to [mailto:[email protected] Ed Tracy].
 
  
OWASP DC-Maryland Chapter Meeting
+
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
+
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World
The Open Web Application Security Project, DC-Maryland Chapter holds meetings on the fourth Tuesday of each month.
+
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.
 +
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]
  
LOCATION:
+
About our speakers:
 +
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
  
[http://www.sourcefire.com/ SOURCEfire]
+
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.
[http://maps.google.com/maps?q=9770+Patuxent+Woods+Drive,Columbia,+MD&ll=39.178528,-76.850980&spn=0.030334,0.056793&hl=en 9770 Patuxent Woods Drive]
 
[http://maps.google.com/maps?q=9770+Patuxent+Woods+Drive,Columbia,+MD&ll=39.178528,-76.850980&spn=0.030334,0.056793&hl=en Columbia, MD]
 
(Meeting may be in rear building, 9780.)
 
  
AGENDA:
+
:'''Vulnerability Management in an Application Security World'''
  
The agenda for this month's meeting is:
+
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
 
    * Meet & Greet(6pm)
 
    * PIZZA
 
    * Group Presentation (7pm)
 
          o Jeff Williams presents the OWASP Guide 2.0
 
    * Top Ten feedback survey - Help us test the survey before it's used at the October OWASP conference.
 
  
See you there!
+
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.
  
 +
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.
  
'''Meeting Notes - 7/19/05'''
+
'''April Meeting Debrief'''
  
At the July 19th meeting, the DC-Maryland chapter took on the topic of the "broken top-ten". We spent 2 and a half hours and
+
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.
digressed many times. Often getting lost in the weeds. We did have some useful ideas (I do apologize to the rest of the chapter as
 
these thoughts are largely influenced by my opinions -ed tracy).
 
  
After discussing the problems with the many uses of the top ten, we asked what does the industry need. The industry needs awareness
+
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.
and guidance. These are two different things. We will admit it has been great for awareness, aka marketing. And, a concern of
 
changing the top ten is given: a radical change in the top ten is likely to diminish its reputation and its effectiveness at raising
 
awareness.
 
  
Now back to guidance (the other thing the industry needs)...The top ten is being used for education, security review checklist,
+
We'd also like to thank:
design/implementation guide, etc. Well, the industry needs these things in very concise form. We should give them that. OWASP
 
should produce these (I know some of it's been produced al y). These shouldn't be top tens or marketed as top tens, as ten is not
 
going to cover everything and having ten top-tens is silly.
 
  
The key is to put a big disclaimer in The top ten that advises people not to use it for review checklist, design guide, etc. The 
+
* George Washington University and their great staff for the meeting space and A/V support
disclaimer should go on to point people in the right direction for guidance for
+
* Securicon and Mark Bristow for arranging refreshements.
each of those tasks. We believe the top ten should warn people that it's not fit for those other tasks. Otherwise, they think it is
 
and that creates "FUD."
 
  
 +
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!
  
'''Training Session Notes - 6/7/05'''
+
'''April 22nd 6:30 PM OWASP Meeting, Washington DC
  
We held a training session for web app security in early June. About 15 people trickled in at all hours.
+
This month we will be holding our meeting at The George Washington University in downtown DC.
  
Thanks Aspect Security, for providing installation CDs with WebGoat, WebScarab, and Paros.
+
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]
  
As a group, we did some of the WebGoat exercises using the WebScarab application proxy.
+
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].
  
Thanks to Chuck for demonstrating bean scripting in WebScarab. It's used to automate testing.
+
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote>
  
  Thanks to Matt Fisher for demonstrating Spi Dynamics' WebInspect and its web proxy capabilities.
+
<blockquote>Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.</blockquote>
  
The session was held at:
+
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote>
 
  
    [http://www.sourcefire.com/ SOURCEfire]
+
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote>
    9770 Patuxent Woods Drive
 
    Columbia, MD
 
  
+
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.
'''Meeting Notes - 5/24/05'''
 
  
Thanks to Weilin Zhong for running this meeting.
+
We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.
  
Weilin led a discussion about security for Web Services. As of mid-august, someone is still trying to sanitize the presentation she 
+
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]
gave so that it can be published here.
 
  
The meeting was held at:
+
''Note on Transportation and Parking''
  
    [http://www.sourcefire.com/ SOURCEfire]
+
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center
    9770 Patuxent Woods Drive
 
    Columbia, MD
 
  
+
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.
'''Meeting Notes - 4/26/05'''
 
  
Thanks to Bruce Potter for discussing a comparison of secure development on different operating systems.
+
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''
  
    * App Sec News
+
This month we will be holding our meeting at The George Washington University in downtown DC.
          o Sorry, this month's notes are lost.
 
  
The meeting was held at:
+
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]
  
    [http://www.sourcefire.com/ SOURCEfire]
+
This month's agenda:
    9770 Patuxent Woods Drive
 
    Columbia, MD
 
  
+
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
'''Meeting Notes - 3/22/05'''
+
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
 +
* 7:45 - 8:00 Break
 +
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra
  
Welcome [mailto:ed.tracy@aspectsecurity.com Ed Tracy], our new chapter leader, and thanks again to Aspect for providing pizza!
+
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008
  
    * App Sec News
+
''Note on Transportation and Parking''
          o SHA-1 defrocked (http://www.financialcryptography.com/mt/archives/000355.html)
 
          o XSS Proxy tool described by Andre Ludwig (http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt)
 
                + Takes XSS vulnerability and exploits the hell out of it
 
                + Potential demonstration in the future
 
    * Ethics Discussion
 
          o Harvard applicants rejected for "hacking" application website (http://www.pcworld.com/news/article/0,aid,119938,00.asp)
 
                + Everyone was surprised at the many different opinions of culpability people had
 
          o Vulnerability Sharing Clubs like this one: http://www.immunitysec.com/services-sharing.shtml
 
    * Chapter Direction Discussion, Presentation Ideas
 
          o Are we advancing webappsec, teaching it, or both? Possible worksessions at future meetings to allow both to coexist
 
          o Inno Eroraha suggested cross-polinating with other focus groups in the DC area, ideas?
 
          o Andre Ludwig suggested a demo on the XSS Proxy tool, dates?
 
          o Matt Fisher suggested revisiting the Secure Model Architecture discussion, volunteers to get this started?
 
          o Matt Fisher suggested Absinthe and other SQL testing tools demonstration, dates?
 
          o Joe Bui suggested an outreach session held in DC to reach the government audience. Joe is checking for space availability
 
            at his office downtown.
 
          o Several people suggested having a Northern VA meeting. That was countered with the idea of an additional chapter. If
 
            someone in VA (or any other area near DC) would like to move one of our meetings to VA, please let me know. I think it's
 
            a good idea.
 
    * Penetration Testing Lab
 
          o Introduced the OWASP Penetration Testing Checklist (http://www.owasp.org/documentation/testing/application.html)
 
          o Introduced WebScarab (http://www.owasp.org/software/webscarab.html)
 
          o Introduced WebGoat (http://www.owasp.org/software/webgoat.html)
 
          o Gil Prine and Jeff Williams recommended the book, "Innocent Code" by Sverre H. Huseby
 
  
This meeting was held at:
+
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center
  
    [http://www.aspectsecurity.com/contact.html Aspect Security]
+
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.
    9175 Guilford Rd
 
    Columbia, MD
 
  
+
'''December Meeting Debrief'''
'''Meeting Notes - 2/22/05'''
 
  
No meeting this month due to chapter organizers being out of town. See you next month!
+
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday.  I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly
 +
demonstrated some of the great up and coming tools that are available to the community.  As promised, I uploaded the PDF of the presentationto the Wiki, but the slides don't do the commentary justice.  It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].
  
+
We also took care of some housekeeping stuff:
'''Meeting Notes - 1/25/05'''
 
  
This month's meeting saw our biggest turnout yet, with over 20 attendees. Thanks to everyone for coming, thanks to
+
* We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
[mailto:dave.wichers@owasp.org Dave Wichers]
+
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
  for his presentation, and thanks to Aspect for providing pizza, soda and snacks!
+
* Rex talked for a few minutes about the Portugal Summit.  The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here]
 +
* Our next chapter meeting will be held in Feburary, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].
  
  WebScarab and WebGoat presentation by Dave Wichers
+
To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.
  
    * [http://www2.owasp.org/index.php/OWASP_WebScarab_Project WebScarab], written by [mailto:[email protected] Rogan Dawes]
+
'''December 10th 6:30pm OWASP Meeting, Washington DC'''
      and donated to OWASP, has been around about five years in one form or another (please let Rogan know if you use it!)
 
    * Current version at http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
 
    * Includes a man-in-the-middle proxy, HTTP request/response editor, filtering traffic logger, session ID analyzer, passive web
 
      spider, automatic response modifier, encoder/decoder/hasher, and more; it’s also scriptable with Java Beanshell
 
    * Dave took us through several of the [http://www2.owasp.org/index.php/OWASP_WebGoat_Project WebGoat] lessons using WebScarab to
 
      manipulate traffic and explained common vulnerabilities like cross-site scripting
 
    * We were showed how to use WebScarab to intercept browser requests and change it before sending it to the server
 
    * Discussed some authentication and session management methods such as HTTP Basic Auth (bad), Tomcat JSESSIONID (good), using SSL
 
      only for the login (bad), etc.
 
    * WebScarab will point out which pages on your site set cookies
 
    * It will show you both raw and formatted HTTP requests and responses and show you a hex editor-like view of binary data such as
 
      images
 
  
General Discussion
+
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).
  
    * Discussed the dilemma of accidentally finding a vulnerability on a public site...do you disclose or not? Will they think you’re
+
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.
      a cracker or a saint...or just ignore you?
 
    * Discussed what other tools people use, commercial and free: Appscan, WebInspect, Sleuth, Nstealth, Achilles, Odysseus, Paros,
 
      etc. Some limited use of both the commercial and free scanning tools was identified.
 
    * Discussed web application "firewalls". No one in the group indicated they were using any of these products.
 
    * DISA has a checklist for application security (called the Application Security Checklist) at:
 
      http://csrc.nist.gov/pcig/cig.html, and NIST is working on the FISMA guidelines, but until there’s a federal regulation on
 
      secure development it will be hard to convince them to (pay to) do it
 
    * Discussed the conundrum of developers having no motivation to think security; mentioned putting security requirements in the
 
      business/software requirements; mentioned the OWASP secure software contract annex
 
    (http://www.owasp.org/docroot/owasp/misc/contract.doc)
 
    * Discussed the new application code scanning tools, Ounce Lab's Prexis, Fortfy, and Klocwork were all mentioned. Some members
 
      had received briefings on them but no significant use was discussed.
 
          o Since the meeting, some articles about these tools have been identified and are included here for reference:
 
                + Here's a recent (Jan 2005) article about Fortify: http://www.infoworld.com/article/05/01/14/03TCfortify_1.html
 
                + Here's an older (Jul 2004) article about a previous release of Ounce's Prexis:
 
                  http://www.sdtimes.com/news/106/story12.htm
 
                + A summary of mostly open source application security code analysis tools is available here:
 
                  http://sardonix.org/Auditing_Resources.html
 
                + A general article about the emerging web app security capabilities: "Emerging web app security services and  
 
                  products bring source code vulnerabilities to light"
 
                  http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art975,00.html
 
                + And in the same Information Security mag article is a summary chart of various product and service vendors in the
 
                  space: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art978,00.html
 
                + The Vendors' pages for these products are at:
 
                      http://www.ouncelabs.com/prexis_engine.html
 
                      http://www.fortifysoftware.com/products/suite/
 
                      http://www.klocwork.com/products/inspect.asp
 
  
Note: OWASP is not endorsing these products in any way. This information is simply provided for the interest of the members of
+
This month's agenda is as follows:
the DC Chapter.
 
  
This meeting was held at:
+
* Presentation by Kevin Johnson, InGuardians
 +
* Round table Discussion of Portugal Summit
 +
* Open discussion
  
    [http://www.aspectsecurity.com/contact.html Aspect Security]
+
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.
    9175 Guilford Rd
 
    Columbia, MD
 
  
+
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.
'''Meeting Notes - 12/28/04'''
 
  
No meeting this month due to the holidays. Happy holidays!
+
You can RSVP to the event on Upcoming.org:
  
+
http://upcoming.yahoo.com/event/1334575
'''Meeting Notes - 11/23/04'''
 
  
This month's meeting was again held in the first floor conference room at [http://www.aspectsecurity.com Aspect Security], the
+
'''October 15th 6:30pm OWASP Meeting, Washington DC'''
chapter's sponsor. A couple "regulars" couldn't make it due to the holiday but it was still well-attended.
 
  
IMPORTANT: Future meetings will continue to be on the fourth Tuesday of the month--so the next meeting will be on December 28,
+
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).
again at 6pm. As long as Aspect can reserve the conference room for us, we'll continue meeting there.
 
  
Minutes: A slightly smaller group allowed us to keep discussion on topic more easily this month.
+
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.
  
    * GEMS Demo: Demonstration of the insecurity of Diebold's General Election Management System (GEMS). See
+
This month's agenda is as follows:
      http://www.equalccw.com/dieboldtestnotes.html for more details.
 
    * DropMyRights: Discussed use of dropmyrights.exe when you're running as administrator but want to run your email and browser       
 
      with lower privileges. Just create a shortcut that contains "C:\Program Files\dropmyrights\DropMyRights.exe" "C:\Program
 
      Files\Internet Explorer\iexplore.exe" and use that instead of directly invoking the browser. See
 
      http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp for the
 
      tool and a short article.
 
    * OWASP Secure Software Contract Annex: Jeff Williams prepared a draft of this document as a starting point for helping people
 
      write software development contracts that include security. We discussed how this contract emphasizes the lifecycle steps,
 
      whereas the Ounce Labs version emphasizes specific vulnerabilities. We also discussed the fact that the contract includes
 
      "requirements for the requirements" instead of trying to cover everything. The document needs more work on the "teeth," i.e.
 
      how to ensure that each element is specific enough to audit. Also, it needs some more work on including risk-related
 
      activities before the requirements. The plan is to incorporate a few comments, get approval from the OWASP-Leaders, send it
 
      out to [http://www.securityfocus.com/archive/107 WebAppSec] and stand up an OWASP project to maintain the document.
 
          o The OWASP Mission: The contract discussion led into questions about OWASP's constituency and how we are serving them. One
 
            view is that OWASP serves developers and the contract effort is not exactly on target. The other view we discussed is that
 
            OWASP is focused on the problem of insecure software, and it should do whatever is necessary to raise awareness of the
 
            issue. We also discussed OWASP's role as a platform for the application security community. Is OWASP an "if you build it,
 
            they will come" model?
 
          o Open Letter and Requirements Project: We discussed the Open Letter and how it looks like the various product vendors will
 
            be working with OWASP to produce a strong list of requirements for all of web application security.
 
    * Reference Architectures: We discussed the concept for this project again, and examined Microsoft's Improving Web Application
 
      Security
 
      (http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp). While an impressive
 
      effort, it seems like there is a need for platform independent documentation that covers the threat, requirements, and
 
      architecture levels, but doesn't go into the source code level.
 
    * J2EE Filters: Jeff gave a bit of background on how J2EE Filters works. Anil pointed out that this is very similar to how HTTP
 
      Handlers work in the .NET environment. We then discussed the types of things that J2EE Filters can do. Jeff showed how to write
 
      filters that implement a request rate throttle, an input sanitizer, a certificate validator, an SSL-only verifier, and several
 
      other functions. Some ideas raised by the group included a logging filter and a filter to verify that responses with set-cookie
 
      headers should only be sent over SSL.
 
  
This meeting was held at:
+
* Adam Vincent, Hacking and Hardening Web Services
 +
* Doug Wilson, Report on AppSec NYC 2008
 +
* Open discussion
  
    [http://www.aspectsecurity.com/contact.html Aspect Security]
+
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.
    9175 Guilford Rd
 
    Columbia, MD
 
  
+
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.
'''Meeting Notes - 10/28/04'''
 
  
This month we decided to meet in a conference room at [http://www.aspectsecurity.com Aspect Security], the chapter's sponsor. Aspect
+
= History =
was generous enough to provide sodas, chips, and the most delicious brownies anyone ever tasted. Thanks!
 
  
IMPORTANT: Future meetings will be on the fourth Tuesday of the month--so the next meeting will be on November 23, again at 6pm. As
+
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.
long as Aspect can reserve the conference room for us, we'll meet there again.
 
  
Minutes: We tried to keep the discussion on three main topics: whitepaper topics, a concept for a "webappsec dashboard," and J2EE
+
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.
filters.
 
  
    * Whitepaper topics: Jeff has a list of subjects he'd really like to  whitepapers about, but doesn't have time to write about
+
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.
      himself. If anyone would like to volunteer to write a whitepaper to be posted on the OWASP site, [mailto:[email protected]
 
      email Jeff]. Some of the topics that sparked a lot of discussion and interest were:
 
          o The asymmetric/broken market for security: Consumers can't determine if software is secure so they won't pay more for the
 
            claim of security; producers can't charge more for more secure software so they don't make it more secure. How do we get
 
            vendors to write secure code? How about for libraries--are the circumstances different? A related but possibly separate
 
            topic is, who has the burden of proof--the developer to prove software's secure, or the consumer to prove it's insecure?
 
          o Secure web app architectures: How do you draw security or secure web app architectures? We're not so good at telling
 
            customers where to do security things in the data flow and n-tier diagrams. Can we do this with UML? Data flow diagrams?
 
            How about a "reference architecture" for authentication as an example? This may turn out to be a Chapter project.
 
          o How to decide what to fix first: Is there a quick and easy way for a company with a large number of web apps to determine
 
            where they should begin with assessments? If they don't know about any vulnerabilities in any sites, which do they look at
 
            first? Maybe we can come up with a short questionnaire for each web app to risk rank them relatively, in the style of The
 
            [http://www.joelonsoftware.com/articles/fog0000000043.html Joel Test]. This may also become a Chapter project.
 
          o Mechanisms, vulnerabilities, and threat models: How do people threat-model attacks? Do they even do it? Could we create a
 
            standard suite of threat models for any generic web app?
 
          o Webappsec requirements: Are people putting security requirements into their business requirements for projects involving
 
            web apps? Can we create a standard list of security requirements people can paste in to their project docs?
 
    * Webappsec dashboard: The concern is that CISOs have no way to get their arms around the state of web app security in their
 
      environment. They need a sort of dashboard where they can see metrics and statistics about all their web apps all in one place.
 
      Something like this may have to be a tool/software, and OWASP really isn't in the business of writing tools/software.
 
    * J2EE filters: We didn't have time to discuss this but attendees were interested so it will be on the agenda for the next meeting.
 
      Jeff quickly demonstrated a tool to analyze JAR files and show what calls they make.
 
    * General discussion: More and more Local Chapters are springing up--what kinds of things can chapters contribute? What should
 
      they be expected to contribute?
 
  
This meeting was held at:
+
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.
  
    [http://www.aspectsecurity.com/contact.html Aspect Security]
 
    9175 Guilford Rd
 
    Columbia, MD
 
  
+
<headertabs />
'''Meeting Notes - 9/30/04'''
 
  
A good time was had by all.
+
<br>
  
IMPORTANT: Future meetings will be on the last Thursday of the month--so the next meeting will be on October 28, again at 6pm. If
+
<br>
anyone has a good suggestion about where to meet, please send it to the
 
[http://lists.sourceforge.net/lists/listinfo/owasp-washington/list].
 
  
Minutes: None recorded.
+
<br>
  
This meeting was held at:
+
<paypal>Washington DC</paypal>
  
    [http://www.rockyrun.com/locations.htm Rocky Run Tap & Grill]
+
<br>
    6480 Dobbin Center Way
 
    Columbia, MD
 
  
+
<br>
'''Meeting Notes - 8/25/04'''
 
  
Thanks to everyone who showed up last night to the first OWASP Washington Local Chapter meeting. It was great to finally put some
+
September Meeting:<br>
faces to names, meet some local application security folks, and the Guinness was nice too!
 
  
IMPORTANT: Meetings will be on the last Wednesday of the month--so the next meeting will be on September 29, again at 6pm. This time
+
<br>
we're going to meet in Columbia, MD at a place to be determined soon. If anyone has a good suggestion about where to meet, please
 
send it to the list.
 
  
Minutes: We had some wide-ranging discussions that touched on scanning, brute-force attacks, validation, web app firewalls, and new
+
Facility Sponsor: [http://www.uberoffices.com UberOffices]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} -->
projects for OWASP.
 
  
    * Brute force attacks: We discussed some schemes for handling brute force attacks on websites, some techniques for making a site
+
<br>
      hard to scan (and why some scanners don't care), and we discussed the combinatorics of generating productive password lists. We
 
      also got a demo of Matt Fisher's password generation utility.
 
    * OWASP and awareness: We had a long discussion about things that OWASP can do to help raise awareness about web application
 
      security. Some promising approaches included making some webinars and offering them on the website, and providing more practical
 
      stuff (tools, libraries, templates) and not focusing on the academic.
 
    * OWASP image: We discussed some ways that OWASP could build on the "platform" provided by the new portal. We could move the
 
      webappsec list to OWASP from sourceforge, maybe create some different lists (newbie, advanced, SQL injection, etc.). We could
 
      create some discussion forums.
 
    * Metrics: We talked about the new metrics project and what kinds of metrics would be the most useful to the appsec community.
 
    * Promoting adoption: There were some interesting ideas about things OWASP could do to advance the adoption of good appsec
 
      practices. One was to get some buy-in from the FBI (a la SANS) or another high-power agency. Matt Chalmers and Chris Burton are
 
      going to pursue a few leads to see if there's interest.
 
  
This meeting was held at:
+
<br>
  
    [http://www.mayorgaimports.com/html/retail-silverspring.php Mayorga Cafe]
 
    8040 Georgia Av
 
    Silver Spring, MD
 
  
  
 
[[Category:OWASP Chapter]]
 
[[Category:OWASP Chapter]]
 +
 +
[[Category:Washington, DC]]
 +
 +
[[Category:Maryland]]

Latest revision as of 19:43, 26 September 2018


OWASP Washington DC

Welcome to the Washington DC chapter homepage. The chapter leaders are Emily Verwee, Andrew Weidenhamer and Bryan Batty.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG


Local News

Next Meeting - The Groovy Landscape & Grails Security 6:30PM Thursday, July 10th UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC

Everyone is welcome to join us at our chapter meetings.


Welcome to the Home Page of the Washington DC OWASP Chapter.

  • You can follow us on Twitter as @OWASPDC
  • Our recent meetings are documented on the News & Meetings tab.


Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.

Next Meeting - The Groovy Landscape & Grails Security

The next meeting will be on Thursday, July 10, 2014 from 6:30 PM to 8:30 PM (EDT) at

Location: UberOffices - 1200 18th Street, NW, Suite 700, Washington, DC

Please RSVP for the event here: http://www.meetup.com/OWASPDC/

Presentation Overview: 1st Talk - "The Groovy Landscape"

This talk is geared to those who are new to Groovy and the goal is to put the Groovy language in is proper context. We will try to answer the following questions:

What are the properties of the language? When and why was it developed? Who is using it and who maintains it? Where can I use it? How do I get started or contribute to development?

2nd Talk - "Grails Security"

Grails is a framework developed for Groovy in the vein of Rails for Ruby. It provides a lot of features for web app security, but does it do enough? What might you need to implement yourself, and what might be provided? This presentation will discuss tips on securing Grails applications, including tools that the framework provides by default for security. It'll also discuss several shortcomings in the current toolset, and how you can avoid them.

Speaker: David James - David is a software developer and consultant who helps enterprise clients deliver software that makes a business impact. He has been developing applications on the JVM for fifteen years and leverages Groovy on a daily basis. David is involved in the Arlington coworking community and is the founder of the DC Groovy user group.

Cyrus Malekpour - Cyrus (@cmalekpour) is a software developer at nVisium, working on web app development and security. He's currently an undergraduate student at the University of Virginia, where he's studying computer science with an emphasis on security and backend development. Most of his passion is in designing and developing secure applications, but he also has an interest in breaking into things. In his free time, he likes to read, watch movies, and cycle.

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the Mailing List.

You can follow us on Twitter as @OWASPDC <twitter>23609877</twitter>

Archives from earlier meetings than contained on this page can be found in the Washington_DC Archives

May 2014 Meeting

Presentation Overview: As mobile dating applications grow in popularity, so does our interest in the security posture behind them. There are a vast number of mobile dating applications available for use today by anyone with a smart phone. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly.

We will cover popular features such as location-based services, analytics, sharing of information, in-app purchasing, and any other features we discover to be interesting. We will analyze the type of personal data being stored within these applications, communication channels used to transmit information, hardware interaction with the application, and interaction with other applications on the device. We will answer the big questions posed by those who use these apps or want to use these apps: Are these applications disclosing sensitive information? How private is the communication between me and another user? How can I be sure my data is being protected?

This talk will feature highlights from popular, obscure, and scary dating applications to answer a simple question: “Can you find love on the Internet without having your personal data exposed?”

Speaker: Jack Mannino is an Application Security expert with over a decade of experience building, breaking, and securing into complex systems. Jack is Co-Founder and CEO of nVisium, while also leading research and development initiatives. With experience developing in Java, Objective-C, and C#, he performs risk assessments and penetration tests for Fortune 500 companies and government agencies. Jack also founded and leads the OWASP Mobile Application Security Project, which is a global initiative to build secure development standards for mobile. He is an active Android security researcher with a keen interest in large-scale security analysis.

Abdullah Munawar is an Application Security consultant at nVisium who specializes in mobile application testing and ripping apart new things. With over 7 years of experience, Abdullah previously worked on the security teams at financial and aviation organizations. Abdullah attempts humor on a daily basis and succeeds most of the time, every time.

March 2014 Meeting

Presentation Overview: How is identity and access management (IAM) implemented in your in-house applications? Do the developers who implement it have IAM expertise? Does every team implement their own IAM? Enterprise framework development teams with IAM expertise can address the problem by creating APIs that enable developers without IAM expertise to implement the IAM correctly. This presentation explains what an enterprise identity API is, why it's worthwhile to create one and how it might be done.

Speaker: Adam Migus (@amigus) - Adam currently works as an IT architect helping his clients devise and execute technology strategy. Prior to that he was a Principal Security Architect at E*TRADE Financial where he created APIs as a means to improve software security. Adam believes that software quality is critical to software security and that many application security concerns can be addressed through enterprise APIs. He's also held positions at McAfee and Symantec. He earned his B.Sc. in Computer Science from Memorial University of Newfoundland, where he also started his career in earnest as a network administrator.

February 2014 Meeting

Presentation Overview: Bojan Simic will provide a short background into Bitcoin and how it works. He will then provide some of his firsthand experiences with the state of Bitcoin businesses with regard to security and how many individuals are (insecurely) handling their Bitcoins. These experiences will demonstrate some "hacks" that pertain to the OWASP Top 10 as well as other types of vulnerabilities. The talk will include an overview of simple security steps that individuals and businesses who are working with Bitcoin should take to in order to mitigate the chance of hackers stealing Bitcoin and Personally Identifiable Information (PII) from them and their customers.

Speaker: Bojan is a security engineer in the industry as well as the founder and main contributor to the Bitcoin Security Project (https://bitcoinsecurityproject.org). The project is a free and open source resource that is dedicated to spreading security awareness across the Bitcoin community by helping individual bitcoin holders and businesses follow security best practices. These practices ensure better security of individual holders' investments and Bitcoin business customers.

Professionally, Bojan has performed hundreds of penetration tests, threat modeling, and security code reviews of different applications. These reviews identify vulnerabilities associated with software, the network software, and infrastructure they are deployed on. He also performs research in the field of web application security and teaches developer training on web application best practices, architecture, and security.

January 2014 Meeting

Summary: This talk will include how organizations build AppSec programs, how to gain Executive and organizational-wide acceptance to your AppSec program and the current trends within the application security industry.

If you have a specific question you would like discussed please just send Rinaldi or Mike McCabe an email and they will try to incorporate it into the talk.

Let's help each other start off 2014 strong in implementing your AppSec goals/resolutions! We understand you may have an unique environment but there are common themes between disparate environments. We can learn from the those themes and you can take them to your place of development and apply them accordingly. This discussion will be appealing to developers, project/program managers, application security leads and security professionals.

""Bios"": We are going to kick-off the year in a panel format with experts in the industry from the DC area. The panel will include:

• Lee Aber, Director, Information Security at Opower • Kevin Greene, Software Assurance Program Manager at DHS S&T • Rich Ronston, Director, Security at Deltek • Jack Mannino, Chief Security Officer at nVisium & OWASP NoVA Lead [Moderator]


July 2012 Meeting

Topic: OWASP Top Ten Tools and Tactics

Abstract: If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.

Bio: Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th ranked Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).

8:15-9:15 Speaker: Kevin Johnson

Topic: Ninja Assessments: Stealth Security Testing for Organizations

Abstract: Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of the web applications. These techniques are designed to be implemented easily and with little impact on the work load of the staff.

Bio: Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.

May 2012 Meeting

Speaker: Rohit Sethi, Vice President, Product Development, SD Elements

Topic: Is There An End to Testing Ourselves Secure?

Abstract: Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance.

This talk is an open discussion about the presence, if any, of scalable, measurable, approaches working to address security into the SDLC. Consideration for how Agile development impacts effectiveness will be explored.

Points of discussion include:

· Is static analysis sufficient? · Developer awareness training · Threat modeling / architecture analysis · Secure requirements · Considerations for procured applications

Bio: Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

Register for the meeting at http://owaspdc.eventbrite.com/

March 2012 Meeting

March 15th at 6:30-7:30pm at LivingSocial's 1445 New York Ave NW office location on the first floor at the @hungryacademy.

Please RSVP for the event here: http://owaspdc.eventbrite.com/

Speaker: Alissa Torres

Topic: Application Footprinting

Abstract: Application footprinting is a great skill for forensic examiners (and anyone interested in binary research) because it allows you to marry artifacts in the registry/file creation/time/date stamps with specific applications or user initiated events. Eventually, during the course of an investigation, an examiner is going to run into a "new" problem - one that hasn't previously been experienced/researched by others in the field. Application footprinting is a simple method that examines the interaction of a program with the operating system. The process of footprinting will determine if the application was installed on the system being investigated, what trace evidence exists and how that can be mined. This presentation will include a demo of Active Registry Monitor and its use in tracking changes made to the Windows Registry by an open source ssh client.

Bio: Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s from University of Maryland in Information Technology. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.

December 2011 Meeting

The December 21st meeting was held at 1445 New York Ave NW (Living Social) in Washington DC.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.

  • Please Register for the meeting. This helps us get a head count for food and beverages
  • Ken Johnson and (maybe) Chris Gates will speak on the New Features in the Web Exploitation Framework (wXf)
  • Doug Wilson and Mark Bristow will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an Important Announcement for 2012. Don't miss it!

Location Info Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.

About our Speakers

Ken Johnson
Ken Johnson is a Senior Security Architect for LivingSocial.com responsible for securing mobile applications, web services and web applications. Additionally he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with Sushi or getting demolished in Call of Duty

Chris Gates
TBD
Abstract: Updates in wXf - Coming Soon

Our September Meeting was September 29th 6:30pm at 2445 M Street NW Washington, DC 20037

Speakers

  • John Steven will speak on Assessing your Assessment Practice
  • Krystal Moon and Quang Pham will speak on DHS Software Assurance Pocket Guides
  • Doug Wilson and Mark Bristow will update on current and upcoming events.

About our Speakers

John Steven
John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.


Abstract: Assessing your Assessment Practice - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?
In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.
Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.


Krystal Moon
Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason Univeristy.
Quang Pham
Quang Pham is a Cyber Security Analyst at SRA International, INC. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering at Penn State and has been at SRA for 9 months.


Abstract: Software Assurance Pocket Guides - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.
Secure Coding
Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.
Architecture and Design Considerations for Secure Software
The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.

Facility Sponsor: Anonymous      Refreshment Sponsor: BlueCanopySponsoLogo.jpg       


August 2011 Meeting

Our next meeting is August 24th at 1445 New York Ave NW (Living Social) in Washington DC.

Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.


  • Please REGISTER HERE if you are going to attend so we have an accurate head count.
  • Julian Cohen will speak on Cross-Origin Resource Inclusion in HTML5
  • Doug Wilson & Mark Bristow will update on current and upcoming events.

About our Speaker

Julian Cohen
Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.
Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.
Abstract
Cross-Origin Resource Inclusion in HTML5 - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered throughly and w3c specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.


Facility Sponsor: Living Social      Refreshment Sponsor: Living Social  Stratum Security



July 2011 Meeting

Our next meeting is July 21st 6:00pm 2445 M Street NW Washington, DC 20037 (*NOTE NEW LOCATION*)

  • Please Register Here
  • Jack Mannino will speak on Building Secure Android Applications
  • Doug Wilson & Mark Bristow will update on current and upcoming events.

NEW LOCATION Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room

About our Speakers

Jack Mannino
Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.
Abstract
Building Secure Android Applications - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.
This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.
Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.
At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.


Facility Sponsor: Anonymous      Refreshment Sponsor: Securicon.gif       






March 2010 Meeting

  • Jeff Ennis from Veracode will be presenting on Application Risk Management
  • Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
  • Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA
  • Doug Wilson will update on plans for future meetings and upcoming events.

About our Speakers

Jeff Ennis

Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape.. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.
Abstract
Application Risk Management - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.

Dan Philpott

Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.

Chuck Willis

Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.

December 2009 Meeting

  • Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
  • We will be recapping and discussing AppSecDC and the OWASP Summit
  • We will discuss other recent events such as the DHS Software Assurance Forum Conference
  • We will be talking about the coming year and upcoming events
  • We will open up the floor for discussion of current events or concerns.

Addition to Agenda

Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.

September 2009 Meeting

XAB -- The Abstract:

Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.

XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.

During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.

About our speakers:

Matthew Flick, Principal FYRM Associates

Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.

Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.

Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.

Jeff Yestrumskas Sr. Manager InfoSec @ Cvent

Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.

August 2009 Meeting

About our speakers:

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.
Vulnerability Management in an Application Security World
This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
Michael Smith is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.
SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.

April Meeting Debrief

We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.

Our big announcement of the meeting was that we are kicking off the Call for Papers for AppSec DC 2009, slated for November 10-13 at the DC Convention Center.

We'd also like to thank:

  • George Washington University and their great staff for the meeting space and A/V support
  • Securicon and Mark Bristow for arranging refreshements.

We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our mailing list!

April 22nd 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at 2201 G St. NW Washington, DC 20037

This month, we will have Jon Rose speaking about Flash Remoting and Deblaze.

Deblaze - A remote method enumeration tool for flex servers.
Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points.
This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.
The latest version can be found at deblaze-tool.appspot.com

Doug Wilson will also discuss the recent OWASP Software Assurance Day that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.

We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.

You can RSVP for the event on Upcoming.org

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

February 5th 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting is in Duques Hall, Room 553, which is located at 2201 G St. NW Washington, DC 20037

This month's agenda:

  • 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
  • 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
  • 7:45 - 8:00 Break
  • 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra

You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

December Meeting Debrief

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentationto the Wiki, but the slides don't do the commentary justice. It can be found here.

We also took care of some housekeeping stuff:

  • We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
  • The OWASP DC Chapter will be hosting OWASP AppSec 2009 sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
  • Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found here
  • Our next chapter meeting will be held in Feburary, topics TBD but we are soliciting speakers.

To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.

December 10th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Presentation by Kevin Johnson, InGuardians
  • Round table Discussion of Portugal Summit
  • Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on Upcoming.org:

http://upcoming.yahoo.com/event/1334575

October 15th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:

  • Adam Vincent, Hacking and Hardening Web Services
  • Doug Wilson, Report on AppSec NYC 2008
  • Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.

The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware.

In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.

In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.

The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.





<paypal>Washington DC</paypal>



September Meeting:


Facility Sponsor: UberOffices      Refreshment Sponsor: Still Open!



Retrieved from "https://wiki.owasp.org/index.php?title=Washington_DC&oldid=243746"