Denver

Next Meeting
'''The next meeting of the DENVER OWASP chapter will be held Wednesday 16 April 2008 at Raytheon Polar Services, 7400 S. Tucson Way, Centennial, CO 80112. [gMaps Link]

Topic: Ryan Barnett: Virtual Patching for Web Applications with ModSecurity
Fixing identified vulnerabilities in web application always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes. This presentation will outline exactly when and where Virtual Patching is appropriate and will show the proper steps for their creation and testing.

Agenda:

6-6:30 Dinner (at RPSC; provided by Breach Security.

6:30 - 6:40 Chapter business

6:40 - 8:00 Presentation and Q&A

Following the meeting we will have informal discussions over beverages at a local pub TBD.

Ryan C. Barnett
Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache” was published by Addison/Wesley in 2006.

Questions, Comments
Questions can be directed to
 * [mailto:dcampbell@owasp.org David Campbell, Denver OWASP] +1 415 377 7379
 * [mailto:eduprey@gmail.com Eric Duprey, Denver OWASP]

Future Meetings
April 16 2008

Past Meetings
February 2008

June 2007

April 2007

February 2007

January 2007

November 2006

Chapter Planning Pages
Front Range Web Application Security Summit Planning