Los Angeles Previous Presentations 2009, 2010

= Previous Presentations =

May 20th, 2009
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road. Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!
 * Top Ten Web Hacking Techniques of 2008: "What's possible, not probable" 

April 15th, 2009
For a long time, the impact of XSS vulnerabilities has been grossly underestimated. Recent compromises, such as the pro-Hillary defacement of Barack Obama's website, and a Viral XSS in Twitter demonstrated the impact of XSS vulnerabilities to the masses.
 * Cross Site Scripting, Exploits and Defenses

During this presentation, David Campbell will demonstrate exactly how effective XSS vulns can be, and show you what you can do to protect yourself and your sites.

This presentation was originally delivered to OWASP Colorado in May of 2008, and has been updated for this session.

David Campbell is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. DC is presently chapter leader of OWASP Denver and is Principal Consultant at Electric Alchemy.

March 12th, 2009
This month will be joining forces with ISSA to create the biggest netowork event for security professionals in Los Angeles for this year. Agenda Panelists Dinner Fees: Thanks to David Lam and Stan Stahl for agreeing to have OWASP joining this ISSA LA event!
 * NETWORK SECURITY DINNER WITH ISSA - CISO'S Security Dashboard Panel!!
 * 5:30 p.m., Networking and tours of the antivirus facility
 * 6:30 p.m., Dinner
 * 7:30 p.m., CISO Panel
 * Robert J. Brown, CISSP, CISO WestCorp Credit Union
 * Steve Haydostian, CISSP, Former CISO, Healthnet
 * David Lam, CISSP, CISO, Stephen S. Wise
 * Edward G. Pagett II, CISSP, CISO, Lender Processing Services, Inc.
 * Mike O. Villegas, CISA, CISSP, Director of Information Security, Newegg.com
 * ISSA-LA members & OWASP members - Pre-Register and Pay online: $25
 * ISSA-LA members & OWASP members - Pay at the door: $30
 * Non-members - Pre-Register and Pay online: $30
 * Non-members - Pay at the door: $35

February 18th 2009
Cloud Computing and Security The Cloud Computing and Software as a Service models are driving many companies to build innovative, scalable and cost effective alternatives to the traditional IT computing model. Even with the potential cost and scalability benefits of cloud computing, its use by more traditional enterprises has been retarded by the concerns of their professional security and audit staffs. In our experience these concerns are legitimate, and although surveys have shown that security is the #1 factor preventing adoption of cloud computing, there has been very little reliable discussion of the technical security risks inherent in the model and how engineers, sys-admins and architects can deal with these risks. In this session, we will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. We will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment. Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, SD Best Practices, Microsoft BlueHat and OWASP App Sec. Alex is a contributing author to "Hacking Exposed: Web 2.0" and an author of the upcoming book "Mobile Application Security", both from McGraw-Hill. He holds a BSEE from the University of California, Berkeley.

January 28th 2009
Building Security into the Test Organization The common approach to detecting web security issues is still the regular application of a post-release pen-test or tool based scan. These last minute examinations rarely live up to broader organizational goals; they can be difficult to repeat, measure, or optimize over time. Most of all they're expensive: they find bugs late in the lifecycle. This talk recommends moving security testing responsibility within the test team itself. The approach discussed will work with-or-without the existence of explicit security requirements. See how security testing has been applied at other organizations and how it might be customized for yours. Ben Walther firmly believes testers have a wonderfully devious mindset, and has been promoting the idea of "security testing" at Cigital's clients, at OWASP events, and to any friends and relatives who will listen. To this end, with the aid of O'Reilly media, Ben Walther and Paco Hope recently published a book entitled the "Web Security Testing Cookbook."

December 10th 2008
The MySpace Worm The most virulent worm in the history of the series of tubes known as the Internet. One of the most highly accessed websites ever [see comScore]. One of the most ostentatious hackers alive. Over one million victims. Less than 24 hours. Fueled only by Chipotle burritos. The MySpace Worm. Samy will be recapping the story of the development, release and eventual future of the MySpace worm. The 24 hours that led up to over one million friends. The eventual downfall of the MySpace site for several hours. The non-malicious intent and humorous progression of the worm. The t-shirts. The copycats. The behind-the-scenes story of the Secret Service raid at Samy's home and office. The demise of Samy's legal use of computers, community service, restitution, high-risk offender probation, and rehabilitation. And where Samy is today.

Samy Kamkar, software engineer and self-proclaimed playboy, is a meddler in the security and software realms. He is currently the Director of Engineering and co-founder of Fonality, Inc., an IP PBX startup located in Culver City. Previously, Samy led the development of all core top-level domain name server software and systems for Global Domains International (.ws). Prior to that, Samy worked with Penn State University developing psychometric personality assessment software with attention to artificial intelligence and bioinformatics. When not strapped behind the Matrix, Samy can be found performing parkour (free running), practicing urban escape artist maneuvers, or is found getting involved in local community service projects. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in the areas of network security, reverse engineering, and network gaming, and continues his focus in staying out of jail.

November 19th 2008
A new web attack vector: Script Fragmentation

This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.

This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.

Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.

Stephan Chenette is a Senior Security Researcher who helps lead Websense Security Labs working on malcode detection techniques. Mr. Chenette specializes in research tools ranging from kernel-land sandboxes, to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security.

October 29th 2008
Entitlements Management: Security and policies for SOA using XML appliances

Loosely coupled Web Services can be insecure as, by their very nature, are exposed to application consumers. Security built into XML appliances alleviates the developer with the burden of coding security and policies into their application, freeing the developer to concentrate on conding business processes. This evenings meeting will discuss SOA security challenges and introduce the Layer7 XML appliance that allows for dynamic policies to be configured on the fly using an intuitive user interface. Jonathan Gershater’s career started at 3Com, managing servers and networks. His initial foray into Enterprise Software began in 1999 at enCommerce, which was later acquired by Entrust. He worked at Sun Microsystems from 2005 to 2008 architecting and deploying identity solutions for customers using Sun Java System Identity products. He recently joined Layer 7 Technologies as a senior solution architect. He can be reached at jgershater@layer7tech.com.

September 17th 2008
The web hacking incident database (WHID) 2007 Report is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack and the industry and the country of the attacked organization. Based on the database Breach Labs which sponsors WHID issues a periodical report on trends in Web Application Security.

By providing answers to questions such as:


 * The drivers behind Web hacking.
 * The technology hackers use.
 * The types of organizations attacked most often.
 * The common outcomes

The presentation will discuss WHID statistics, focusing on rising trends in Web Attacks in the 1st half of 2008. As the WHID enables research into the business model behind hacking, the presentation goes beyond discussing the technical aspects of attacks such as SQL injection crawlers and Web Site herding, to discussing the business model common to all of the attacks: Economy of scale.

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

August 19th 2008
"Don't Write Your Own Security Code" – Application security is arguably the most difficult IT challenge facing organizations today. There are over 600 different categories of vulnerabilities to avoid and they are all tricky. Most of these problems are related to the design, implementation, and use of a relatively small set of security controls. To solve this problem for developers, Jeff created the OWASP ESAPI project – a clean intuitive toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including the Top Ten, WebGoat, Stinger, Secure Software Contract Annex, Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law.