
Washington DC

Revision as of 17:29, 12 May 2006 by WikiSysop (talk | contribs) (Local News)


Welcome to the OWASP Washington, DC-Maryland Local Chapter

The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware. In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters with common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

Chapter meetings are held several times a year, typically in the offices of our sponsor. Please subscribe to the mailing list for meeting announcements.

Our chapter is sponsored by Aspect Security.

Participation

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the DC-Maryland Chapter, send an email to Matt Fisher or Andre Ludwig.

Between meetings we keep the discussion going via mailing list. To join our chapter mailing list, visit our mailing list page. List membership is kept private.

Local News

Meeting: March 23rd

Our next meeting is on Thursday March 23rd at 1800 hours in the offices of Aspect Security.

This is going to be a technical meeting focusing on AJAX Security.

In case you weren't aware, AJAX is a clever use of existing technologies to provide richer interfaces on the web (think Google Maps). It's growing in popularity and "buzz", so be sure to make this meeting and learn all you can about it.

If you have some AJAX science you'd like to drop on us, then email me directly at mfisher at spidynamics dot com

The Agenda:

  • Opening, introductions
  • Presentation by Rick Pries: An introduction to AJAX
  • Overview and Review of the new OWASP AJAX Security Guide
  • BoF discussion on AJAX and AJAX security
  • Everything Else: Current Events, OWASP news, Industry News, Recent Hacks in the News, Closing, etc.

Food:

As usual, geek food will be provided. This usually means pizza and soda.

Getting there:

Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:

From I-95:

  • Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
  • Take the Broken Land Parkway exit
  • Turn left off the ramp onto Broken Land Parkway
  • Turn left at the light onto Guilford Road (0.5 miles)
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]

We're on the third floor in Suite 300.

Unfortunately, being out in the far 'burbs, there is very limited public transport. If you need help getting to the meeting, try emailing the list at [email protected] asking for a lift. There are two MARC stations within a twenty minute drive, and the MTA contracted commuter buses drop off within 2 miles of the offices.

Wireless

I am pleased to announce that we may just have wireless access for the meeting. No promises, but if you're the type who likes to look stuff up in real time then you may want to bring the laptop.

If we *are* lucky enough to get wireless access, there will be a serious "no playing around" policy in place, and anyone breaking it will be kick/banned for life, y'all hear?

December Meeting Notes

[Note: there was no meeting in November due to the holiday crunch. We decided to hold just one meeting in December].

Greetings from the Northern side of the Beltway. I wanted to send out a note to everyone letting them know how great the meeting was last night. The turnout was the perfect size for some "fireside chats"... It was some of the most technical conversation I've had in a long time that didn't involve an instant messaging client.

First of all, thanks again to the ever-generous Aspect Security, who provided not only meeting space, but pizza and a chaperone as well. I'm glad to say that Chuck was there too... Chuck is one of our most highly technical meetings, and shows up every time, on time.

For those of you who didn't make it, here's what we discussed. Note that I said *discussed*, not presentations. The smaller size of this meeting really afforded some great technical conversation and the loose interactive format was spectacular. If you missed it, well then you missed out.

1. Susan Suskin gave us her thoughts on the AppSec conference for those of you who missed the conference. Apparently the majority of the conference rocked, except for some lam3r presentation on web application worms (mine).

2. NIST's SAMATE project. This is a government funded project that attempts to 1) gain serious expertise in app sec to the point of being able to 2) define key performance capabilities of app sec tools, 3) define metrics for those capabilities, 4) create test environments against those metrics, and then 5) evaluate and report on all app sec tools. Discussion of this spun off of the discussion of the conference.

3. **The recent GMail hack**. This was really well done (props Andre). Instead of doing a *presentation* on it, shots from the original 'explanation' site were passed around and we all deciphered it together, making a true learning and discussion opportunity. Unfortunately this also mitigated our ability to mock his lamer slides, but I secretly mocked his lamer xeroxing capabilities. I'm just kidding of course: Andre xeroxes like a champ. I think he's certified in it or something.

4. **A Tutorial Walk-Through of SQL Injection and Blind SQL Injection** along with *nasty evasive destructive SQL Injections*, followed by the Web App Sec comedy hour. Those of you who missed the AppSec conference and also missed the meeting last night missed all the humour. Plus, you'll never understand how astute Donald Rumsfeld is with input validation. [If you read this far, then you get an extra slice of pizza next meeting.] My next presentation will be stone-cold serious, but equally lame. My presentations should improve once I finish my PowerPoint certification study class.

5. ShmooCon! The coolest conference you'll find in the area. Be there or be square. http://www.shmoocon.org/ If you are already registered for the conference and aren't staying at the Wardman, then please consider booking a room - they need this to lock in the hotel for next year. I'm local, and I have a room!

6. **AJAX** - what it is, what it isn't, who's using it, how it works, and the security implications of it. We all agreed that none of us know enough about it and we're looking for someone with some real expertise to educate us on it. I for one am willing to chip in some bucks for a serious education on it. If we all chipped in, we may be able to get someone to give us a couple hours of tutorial on it. Thoughts?

Next Meeting:

For our next gig, we're trying to get none other than a Special Agent from the Federal Bureau of Investigation to talk to us about the real world legal and prosecutorial environment in relation to cyber intrusions. We will also discuss the latest and greatest hacks, vulns and exploit techniques.

We'd like to see if there's a way to get internet access for the attendees as well. For instance, last night we really could have used a Spanish L33t to English L33t Dictionary while deciphering the Gmail hack. It would be great for doing quick googles, demos, etc. If there are any ideas on how we could secure some wireless that would not place us on the host's network, then please bring it. Netstumbling the office doesn't count.

So now you know, and knowing's half the battle.

- Matt


Tuesday October 25th OWASP Meeting Agenda

The next OWASP DC chapter meeting will be held Tuesday, October 25th at 6pm. The meeting will be held in Aspect Security's office in Columbia MD.


   Aspect Security, Inc.
   9175 Guilford Road, Suite 300
   Columbia, MD 21046-2565
   Main: 301-604-4882
   Fax: 443.583.0772


Directions: http://www.aspectsecurity.com/contact.html

Meeting Agenda

  • 6:00pm – Initial Meeting kickoff
  • 6:30pm – Special Guest Presentation (Steve Elky, see below for more information)
  • 7:15pm – Pizza / General Discussion
  • 7:30pm – Discussion on AppSecDC 2005 (Jeff Williams will be presenting)
  • 8:15pm – Discussion on Myspace.com “worm”

Special Guest Presentation

This week we have a special guest speaker Steve Elky. Steve will be discussing the incorporation of security and Certification and Accreditation into the Software Development Life Cycle. A brief overview of the presentation is below.

  • Certification and accreditation (C&A) mandate
  • Certification
  • Accreditation
  • C&A and the Software Development Life Cycle (SDLC)
    • Initiation
    • Development/Acquisition
    • Implementation
    • Operations/Maintenance
    • Disposal
  • Key Roles
  • Independent Approach to C&A
  • Integrated Approach to C&A

About Steve Elky

Steve Elky is the Technical Director for Information Security at Software Performance Systems, a software company specializing in e-government solutions. Mr. Elky has his CISSP, CISM, ISSAP, ISSMP, MCSE, CNE, GCNT, CCNA and CCSA as well as a B.S. from the University of Baltimore. Mr. Elky acts as a security advisor to various company clients as well as helping company developers determine and meet security requirements. Mr. Elky is currently assisting the Library of Congress in the design and implementation of their security program.

Discussion and review of AppSecDC 2005

Jeff Williams will be reviewing and discussing the happenings of AppSecDC 2005 for those of us who were not able to attend the conference.

Discussion on Myspace.com “worm”

If time permits we will be reviewing the recent myspace.com “worm”, both at a technical level as well as a higher level conceptual view including “what if” scenarios.