NYNJMetro

APPSEC NJ FORMAL MEET-UP

Meeting Sponsors: -- -

When: February 24th 6pm-9pm

Where: 70 Hudson, Jersey City, NJ - RSVP

WELCOME & OPENING REMARKS, MAHI DONTAMSETTI, BARCLAYS CAPITAL, 6:00 - 6:15 PM

TOPIC: ADVANCED PERSISTENT THREATS 6:15 - 6:50 PM

SPEAKER: VIJAY AKASAPU BIO, MANDIANT

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for theAPT attacks target the Defense Industrial Base, critical infrastructure, financial, manufacturing and research industries. The attacks used by the APT intruders are not very different from any other intruder: the primary difference is their perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus, and they escalate their tools and techniques as a victim's capability to respond improves.

During this "State of the Hack" session, ViJay will present case studies that describe, in technical detail, the most recent incidents MANDIANT has responded to. The talk covers how intruders gain access; what they do once inside a victim network; and how an organization can remediate these attacks

TOPIC: CLOUD COMPUTING AND SECURITY 6:55 - 7:30 PM

SPEAKER: ANDREW BECHERER BIO, iSEC Partners

This session will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. Andrew will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment.

TOPIC: THREAT MODELING 7:35 - 8:10 PM

SPEAKER: JOHN STEVEN BIO, CIGITAL

Threat Modeling - How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management. Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate an application resists specified attack.

TOPIC: LEVERAGING EXISTING APPSEC TOOLSETS 8:15 - 8:50 PM

SPEAKER: PHIL AMES BIO

Discover ways to leverage the tools you currently use to find potential vulnerabilities in web applications as early as during an initial application walk through. This talk will cover the current state of passive web application analysis as well as discuss how to set up a framework for your own testing needs

APPSEC INFORMAL MEET-UP - 2/25/2010

This is a informal gathering to meet others in information security and have a pint ;) all are welcome

When: 2/25/2010 7:00pm - 10:00pm

Where: Mustang Harry's 352 7 Avenue, New York, NY 10001-5012

Cash Bar

---

APPSEC INFORMAL MEET-UP - 2/26/2010

This is a informal gathering to meet others in information security and collaborate ;) all are welcome

When: 2/26/2010 9:00am - 12:00pm

Where: IHOP in Parsippany at 792 US Highway 46 West, Parsippany
$15.00 Donation all-you-can-eat

APPSEC INFORMAL MEET-UP - 3/29/2010

This is a informal gathering to meet others in information security and have a pint ;) all are welcome

When: 2/29/2010 7:00pm - 10:00pm

Where: Mustang Harry's 352 7 Avenue, New York, NY 10001-5012

Cash Bar

---

APPSEC INFORMAL MEET-UP - 3/30/2010

This is a informal gathering to meet others in information security and collaborate ;) all are welcome

When: 3/30/2010 9:00am - 12:00pm

Where: IHOP in Parsippany at 792 US Highway 46 West, Parsippany
$15.00 Donation all-you-can-eat

APPSEC NYC FORMAL MEET-UP

Sponsors:

When: April 14th 6pm-9pm

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda

Topic:
Pentesting Adobe Flex Applications - Abstract TBD

Speaker: Marcin Wielgoszewski - BIO Gotham Digital Science

Ruby for Pentesters - Getting up to speed quickly on projects where you're down deep reversing protocols or applications can be challenging at best and catastrophic at worst. In this talk we highlight our use of Ruby to solve the problems we're faced with every day. We use Ruby because it's easy to leverage its flexibility and power for everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.

If you're not familiar with Ruby, we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked up network clients using our not-so-patented "bag-o-tricks" approach. Then we dive into our real-world experiences using Ruby to quickly get up and running on a wide range of tasks. Real discussion of real problem solving on topics like:

      • Ripping apart static binaries and bending them to your will
      • Getting up close and personal with proprietary file formats
      • Becoming the puppet-master of both native and Java applications at runtime
      • Exposing the most intimate parts of exotic network services like JRMI and Web services
      • Trimming the time you spend decoding proprietary protocols and cutting directly to fuzzing them

As if all that wasn't enough, we'll show you how to make Ruby mash-ups of the stuff you already love. Make the tools you already rely on new again by getting them to work together, harder and smarter. When you're asked to get twice as much done in half the time, smile confidently knowing you have a secret weapon and the job will get done.

Speaker: David Goldsmith - BIO Matasano

---

NEW JERSEY MEETING - TBD

Venue Sponsor: <your logo here>
Meeting Sponsor TBD

When: TBD

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda

HANDS-ON TRAINING
Location: TBD
Date: TBD
Fee: TBD (OWASP Members will get reduced rates)


Do you want to teach a class? Do you want to host the training at your facility? Get in touch with us!

CLASS #1 Introduction to Web Application Security

This workshop provides an overview of the fundamental principles of Web application security. It presents students with an understanding of how Web applications work, how vulnerabilities manifest in them, how to find and exploit those vulnerabilities, and solutions for protecting Web applications.

CLASS #2 Secure Coding for Java Developers

This two-day course is designed to show Web application developers the dangers of insecure coding practices, specific ways their code can be exploited, and how to write code to avoid introducing vulnerabilities

CLASS #3 .NET

The two-day course is designed to implement security as a culture amongst the developers and will also include two main components: a review of the secure coding guidelines for .Net as well as .Net specific features like anti-XSS library

CLASS #4 PHP

The two-day course is designed to help you be a better developer with PHP and have a security focus.

NYC - KPMG

Sponsors:

When: TBD

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda

Title: OWASP O2 Platform - Open Platform for automating application security knowledge and workflows

Abstract: In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

Presenter

Bio: Dinis Cruz is the Chief OWASP Evangelist and a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development. Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications. Dinis is the current [Owasp .Net Project] and [OWASP Autumn of Code] project's leader and the main developer of several of OWASP .Net tools ([SAM'SHE], [ANBS], [SiteGenerator], Owasp Report Generator, [Asp.Net Reflector]). Dinis is a active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG .

---

NEW JERSEY MEETING - TBD

Venue Sponsor: <your logo here>
Meeting Sponsor TBD

When: TBD

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda Title: OWASP O2 Platform - Open Platform for automating application security knowledge and workflows

Abstract: In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

Presenter

Bio: Dinis Cruz is the Chief OWASP Evangelist and a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development. Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications. Dinis is the current [Owasp .Net Project] and [OWASP Autumn of Code] project's leader and the main developer of several of OWASP .Net tools ([SAM'SHE], [ANBS], [SiteGenerator], Owasp Report Generator, [Asp.Net Reflector]). Dinis is a active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG .

NYC - KPMG

Sponsors:

When: TBD

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda

---

NEW JERSEY MEETING - TBD

Venue Sponsor: <your logo here>
Meeting Sponsor TBD

When: TBD

Where: RSVP REQUIRED [[Image:|Register.gif]]

Time Allocated / Speaker / Agenda

Support of the OWASP NY/NJ Metro Chapter is an excellent way to meet new people and stay-in-touch with the NYC Metro information security community.
With over 1300 members on the chapter mailing list and meetings that are always to capacity we strive to connect the dots. You can get involved many ways with our chapter including but not limited to:

(1) Speaking at a upcoming meeting on a OWASP project or vendor agnostic research topic.
(2) The OWASP Foundation, NY/NJ Metro chapter is a 100% volunteer effort. We focus on implementation of efforts defined by the OWASP Global Committees help implement these efforts locally.
(3) Host a meeting - show your company and others that you support OWASP and application security. Refreshments will be provided by the co-sponsors OR you can have exclusive sponsorship if your company would like to provide space+refreshments the choice is yours.
(4) Host a full day or multi-day training session. We simply require tables, chairs, projector and a screen. In exchange for this we will barter seats in the class so that the sponsoring organization can directly benefit for hosting.
(5) Meeting Refreshment Sponsor - Be recognized as a industry supporter with a $500.00 donation in exchange for a 6ft table at a formal meeting to exhibit your product/service.

We encourage each sponsor to conduct a raffle of some type and you can use the below DONATE NOW button and make payment by credit card.

funds to OWASP earmarked for NYNJMetro.

(6) Annual Chapter Sponsor - When you become an annual supporter of OWASP Foundation for $5000.00 40% of the funds raised get allocated to the local chapter (home chapter). For more detailed information on this membership type see membership or inquire with one of the chapter leaders for assistance.

Mailing Address

Chapter Mailing Address is:

OWASP NY/NJ Metro
759 Bloomfield Ave, Suite 172
West Caldwell, New Jersey 07006
973-795-1046 Tel | 973-795-1047

• President Tom Brennan 973-795-1046 x112
• Vice President Steve Antoniewicz 212-279-6565
• Secretary Douglas Shin 917-267-2399
  
  Active Chapter Members
  Peter Dean 201-960-8265
  Blake Cornell 212-202-6704
  Arkadiy Goykhberg
  William Gebhardt
  Mahi Dontamsetti 908-675-2375
  Kuai Hinojosa
  Dan Guido
  Marcin Wielgoszewski
  Pete Perfetti 973-576-0530
  Brian Peister 201-240-9819
  Tom Ryan 732-207-7916
  

Industry Advisors:
Education

• Polytechnic University: Nasir Memon 732-241-6128
• New Jersey Institute of Technology: Osama Eljabiri 973-981-1049
• Pace University: Chienting Lin, Ph.D 646-344-2639

Law Enforcement

• FBI Cybercrimes SA Chris Stangl 917-662-9849

Below are a list of ACTIVE projects assigned to individual active members and teams within the local chapter. If you would like to help out on ANY of these efforts, contact them directly to get involved 

---

Q1 2010 OWASP Newsletter

Special Project: Educational Outreach
Summary: Drive education awareness of OWASP with interns with industry. Templates to be created to be used by all industry to work with universities
Plan: <insert plan>
Next Milestone: TBD
Participants: Arkadiy Goykhberg, Mahi Dontamsetti, William Gebhardt, Kuai Hinjosa

Special Project: Membership Drive
Summary: Increase local chapter members individuals and corporate supporters
Plan: <insert>
Next Milestone: TBD
Project Participants: Peter Dean

Special Project:
Summary:
Next Milestone:
Project Participants:

Special Project:
Summary:
Next Milestone:
Project Participants:

Special Project:
Summary:
Next Milestone:
Project Participants: