Houston

Welcome to OWASP Houston
The Houston Chapter will focus around Web Application Security issues with discussions on application layer vulnerabilties, penetration testing, and secure coding practices within the numerous development languages. Our chapter will meet on the second (2nd) Wednesday of each month and participation in OWASP Houston is free and open to all. Please subscribe to the mailing list for meeting announcements. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the Houston Chapter, send an email to [mailto:owasp_at_icrew.org David Nester].

Next Chapter Meeting :: TBD -- 2008
''' NOTICE: There will be no Houston chapter meeting for the month of December. '''

Meeting Calendar
 November 7, 2007: Black Box versus White Box: Different App Testing Strategies John Dickson, CISSP Denim Group  Overview: Competing approaches for application security testing have pros and cons. This presentation will look at a number of security assessment strategies-white box testing, black box testing, static analysis and dynamic analysis- discussing the benefits and drawbacks of each. Presenter Bio: John's technical background includes over 15 years of experience with intrusion detection systems, telephony security and application security in the commercial and DoD arenas. He is a founder of the Alamo Chapter of ISSA, a principal at Denim Group, and a founder and chairman of the San Antonio Technology Accelerator Initiative (SATAI). He regularly speaks for security groups including ISSA and ISACA and at national security conferences including the Annual Computer Security Institute (CSI) Conference and ConSec 2006.



Past Presentations

 * June 5, 2007 :: Web 2.0 Download''' Presentation by Dan Cornell of the Denim Group.  With the integration of new technologies into web application development, there are more security dangers than ever before to be found in the application layer.  This session discusses the landscape of web application security, new technologies being used in developing web applications and web services and the implications these have on system security.  Technical vulnerabilities in web applications such as SQL injection and cross-site scripting (XSS) will be discussed alongside logical, business-level issues.  The evolution of these flaws will be tracked as traditional web applications have expanded to include Web 2.0, AJAX and web services capabilities.  The goal of the presentation is to educate developers, project managers and quality assurance personnel about the risks inherent in developing web applications and provide meaningful recommendations for addressing those risks during the software development lifecycle. Sprajax Download.


 * August 8, 2007: Atrysk Security Presentation Download (go to BLOG -> DOWNLOADS)  Today, hackers are manipulating Web applications inside the corporate firewall, enabling them to access and sabotage corporate and customer data as we’ve seen with very highly publicized Web hacking events in 2005 such as MySpace.com, Paris Hilton’s T-mobile phone compromise, and the perl.santy worm. Given even a tiny hole in a company’s Web application code, an experienced intruder armed with only a Web browser and a little determination can break into most Web sites. The reality is traditional Internet security is not enough because these methods do not ensure the security of your entire Web presence by checking Web application content (HTML pages, scripts, proprietary applications, cookies, and other Web servers). With the ever-increasing threat of cyber attacks, today’s Web environment has made application security an essential element in the application development lifecycle. We will explain and demonstrate with common Web attacks such as SQL Injection, Cross-Site Scripting (XSS), AJAX [in]Security and Session Hijacking why applications are increasingly at risk of malicious attack because of security defects and how easily they are exploited.


 * September 12, 2007: Fortify Software Bytecode instrumentation allows a user to inject additional code into an application’s binary. This technique has traditionally been used to measure the runtime performance and test coverage of Web applications. However, bytecode instrumentation has other promising uses, including software security. As the overall security space evolves from the outside-in approach we saw with Web Application Firewalls in the 1990s, bytecode instrumentation provides the perfect opportunity to embed security into the application itself. This talk will provide an overview of bytecode instrumentation, demonstrate how the technology works, and show some concrete ways it can be used to inject security features into an application after it has been developed.


 * October 10, 2007 :: Top 10 Website Attack Techniques Download'''  During this presentation, Jeremiah Grossman will draw upon his extensive website security experience to discuss the most creative, useful and interesting Web attack techniques discovered in 2007, focusing on the top ten. This year has been significant for website hacking, with issues ranging from Cross-Site Scripting (XSS) and Cross-Site Request Forgery, to confusion about the impact of AJAX and Javascript vulnerabilities on Web 2.0 sites. Mr. Grossman will address these issues, including debunking the myth of AJAX insecurity.


 * November 7, 2007: Black Box versus White Box: Different App Testing Strategies  Presentation by John Dickson of the Denim Group.  Competing approaches for application security testing have pros and cons. This presentation will look at a number of security assessment strategies-white box testing, black box testing, static analysis and dynamic analysis- discussing the benefits and drawbacks of each.