San Antonio

San Antonio OWASP Chapter: August 19, 2009 Topic: Web Application Firewalls (WAF’s) Presenter: Matt Burriola & Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process.

Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&M University-Corpus Christi.

Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

San Antonio OWASP Chapter: June 17, 2009 Topic: What is Cross Site Scripting And Why Is It bad? Presenter: David Lister, Security Architect for Rackspace IT Hosting

Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks.

Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Local News
San Antonio OWASP Chapter: January 2009 Meeting

Topic: "Vulnerability Management in an Application Security World."

Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm

Location:

San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Presenter Bio:

Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Previous News

The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio

The slide deck from OWASP San Antonio September 2007 meeting available online here: .

The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly

The slide deck from OWASP San Antonio September 2006 meeting available online here: .

The slide deck from OWASP San Antonio August 2006 meeting available online here: .

The slide deck from OWASP San Antonio June 2006 meeting available online here:.

The slide deck from OWASP San Antonio May 2006 meeting available online here:.

The slide deck from OWASP San Antonio September 2004 meeting available online here: .