Cincinnati

Welcome to the Cincinnati U.S.A. OWASP Local Chapter. The chapter lead is Andy Willingham. The OWASP chapter meetings are free and open to anyone interested in information security, risk management, data protection and application security. Chapter meetings are usually held monthly. Please consult the calendar for the date of the upcoming meeting. If you have never attended a meeting before and you are interested in attending one in the future, please join the mailing list. The mailing list is also used for sharing application security knowledge among the local community members. You can also review the email archives to see what local folks have been talking about.

If you are interested in presenting at one of the chapter meetings please send an abstract and bio to the [mailto:andywillingham@gmail.com chapter chair (Andy Willingham)]. Prior to participating, please review the Chapter Rules.

2013 Verizon Data Breach Incident Report (VDBIR)

 * When: June 18, 2013 12:00 PM to 1:30 PM (ET)
 * Location: Citi, 9997 Carver Rd, Blue Ash, OH 45242
 * Register by RSVP here: http://cincyowaspjune2013.eventbrite.com/
 * Who:  Allison Schubert, Andy Willingham and Blaine Wilson of Citigroup


 * Abstract: The topic of the meeting will be a discussion of the 2013 Verizon Data Breach Incident Report (VDBIR). Allison, Andy, and Blaine will be discussing the report and how we see it playing out in the lives of those of us who are tasked with protecting our companies' systems and applications.

2013 Meeting Calendar

 * June 18th - Allison Schubert, Andy Willingham and Blaine Wilson of Citigroup on the "2013 Verizon Data Breach Incident Report (VDBIR)"

= 2012 Presentations =

Is There An End to Testing Ourselves Secure?

 * Who:  Rohit Sethi, Vice President, Product Development, SD Elements


 * Abstract: Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to vulnerabilities being discovered late in the development process, which in turn causes either project delays or risk acceptance. Neither option is particularly appealing.

 * This talk is an open discussion with the local chapter about whether there are scalable, measurable approaches that actually work in the real world to address security early in the SDLC, with consideration for how agile development impacts effectiveness. Points of discussion include:
 * Is static analysis sufficient?
 * Developer awareness training
 * Threat modeling / architecture analysis
 * Secure requirements
 * Considerations for procured applications


 * Speaker Bio: Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

Meeting Sponsor SD Elements

The Unfortunate Reality of Insecure Libraries

 * Who:  Jeff Williams CEO & Co-Founder, Aspect Security


 * Abstract: Today, 80% of the code in applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. In partnership with Sonatype, our researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central Repository and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business.


 * Speaker Bio: As a pioneer in the software development and security field, Jeff Williams is one of the world's foremost experts on application security. Williams is the co-founder and CEO of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which Williams has made industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Williams holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law.

WebScarab Tutorial and Demonstration

 * Who:  Blaine Wilson, Technical Security Officer, Citigroup


 * Abstract: Join us for our August meeting. This month Blaine Wilson will entertain and educate us with a tutorial and demonstration of how to use WebScarab to test and protect your web sites and apps. We will also get a quick Black Hat/DefCon recap from Allison Shubert.


 * Speaker Bio: Blaine is a technical security officer for Citigroup and has several years' experience as an application security guru and as a programmer, so he is uniquely qualified to share his experiences and knowledge with us.

Addressing Threats to the Nation's Cybersecurity

 * Who:  Intelligence Analyst Anne Hanko of the FBI

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

 * Who:  Joshua Corman of Akamai Technologies


 * Abstract: Cloud IT velocity is breathtaking: while most IT organizations struggle with monthly releases, agile IT businesses routinely conjure thousands of AWS servers, performing over 10 deploys per day. This agility delights the business and terrifies security. DevOps aligns the former adversaries of Dev and Ops. Security needs to enable ludicrous speed or be left behind. We make a case for Rugged DevOps as an answer.


 * Speaker Bio: Joshua Corman is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience in security. Most recently he served as Research Director for Enterprise Security at The 451 Group following his time as Principal Security Strategist for IBM Internet Security Systems. Mr. Corman’s research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives. His research and education efforts won him the title of Top Influencer of IT by NetworkWorld magazine in 2009. Mr. Corman is a candid and highly-coveted speaker with engagements at leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS. As a staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, and co-founded Rugged Software, a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman received his bachelor’s degree in philosophy, graduating Phi Beta Kappa and summa cum laude, from the University of New Hampshire. He resides with his wife and two daughters in New Hampshire. Corman can be found on Twitter @joshcorman and on his blog at http://blog.cognitivedissidents.com/

Meeting Sponsor

Pragmatic Cloud Security

 * Who:  David Mortman of enStratus


 * Abstract: Cloud security is more than just hype. I'll do a quick overview of the reality of cloud computing versus the hype and then take things a step further and teach how one can pragmatically deploy to the cloud in a way that takes security, privacy and operational concerns into account without hindering the business. It’s not as hard as it sounds, it just requires leveraging the right people, process and technology, and I’ll show you how.

Meeting Sponsor https://www.owasp.org/images/e/e4/Modis.jpg

Top Ten Web Defenses

 * Who:  Jim Manico from WhiteHat Security


 * Abstract: We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.


 * Speaker Bio: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.

Meeting Sponsor https://www.owasp.org/images/4/4d/Whitehat.gif

The Danger of the Security ASS-umption

 * Who:  Michael Farnum, Security Advocate for Accuvant


 * Abstract: Many enterprise technical security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered. This is often due to risk ASS-umptions that are made by security staff / management, and these ASS-umptions often cause failures in findings. Come join a discussion on the breakdown of a technical security assessment, explore the essential attack vectors, and debate the depth to which the assessment should go.


 * Speaker Bio: Michael is the Security Advocate for Accuvant. Michael has over 17 years' experience in IT and security, specializing in security infrastructure design and information security management. A skilled communicator, Michael is a well-known security blogger and podcaster. Michael has spoken on various security topics at several conferences and events across the United States. He holds several security and technology certifications, including the ever-controversial CISSP. Prior to joining Accuvant, Michael was the Information Security Manager at The Menninger Clinic in Houston, TX. Before that, Michael performed random acts of security lunacy at companies all over Houston, TX.

Meeting Sponsor https://www.owasp.org/images/5/5e/Accuvant.png

How To Do Mobile Application Assessments

 * Who:  Jeremy Allen CTO of The Intrepidus Group


 * Abstract: This talk will focus on mobile application assessment techniques. The assessment techniques will focus on how to test applications for the OWASP Mobile Top 10 issues. Mitigation techniques for both Android and iOS will be discussed. Mallory, Intrepidus Group’s Man in The Middle tool designed to test mobile devices and applications, will be demonstrated throughout the presentation. Additionally, usage of other open source tools will be demonstrated. Both iOS and Android will be discussed.


 * Speaker Bio: Jeremy Allen is the Chief Technology Officer with the Intrepidus Group. Jeremy is a regular speaker at popular security conferences such as BlackHat, SOURCE and OWASP AppSec. He is currently the lead on the development of the SANS "Secure Mobile Application Development: iOS App Security" course. He has conducted numerous application assessments against iOS applications.

Meeting Sponsor https://www.owasp.org/images/7/70/150-22.png

Mobile Application Security

 * Who:  John Steven and Jason Rouse
 * Abstract: Mobile devices are on your network and they are out to get you. Are you ready?
 * Speaker Bios: John and Jason both work for Cigital.

 * John Steven, Internal CTO: John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks regularly at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter.

 * Jason Rouse, Principal Consultant: Jason has spent the last five years designing, implementing, and deploying state-of-the-art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. His work has helped clients to identify the biggest risks in their mobile applications; for example, after reviewing a mobile payment system that used SMS messages to alert the user to opportunities in the market, errors were found in the handset and back-end that could lead to denial of service on both the handsets and the back-end servers. The mobile environment’s mix of custom hardware, software, and architectures can make finding, verifying, and remediating these types of issues exceptionally difficult, showing the unique security threats present in mobile environments. As a trusted advisor, Jason has led standards efforts, chairing the FSTC Mobile Payment Security workgroup to identify and document technology-based opportunities for banks in the mobile arena. The project aims to define standards for technology and interoperability that give all mobile phone users a seamless, secure, and easy-to-use payment option for everyday banking.

= 2011 Presentations =

The Alphabet Soup of Security Certifications

 * Who:  Allison Shubert


 * Abstract: Certifications are a part of our life whether we like it or not. What are your choices? Are any of them worth the time and effort it takes to get them and then to maintain them? It's a jungle out there and luckily we have a guide to help us sort it all out. Allison will help us sort out the mess that we call Alphabet Soup and help us understand whether or not certifications are worth it for you.
 * Speaker Bio: Allison Shubert has over 11 years of experience in IT concentrating on security and risk management. She is CISSP and CSSLP certified and also serves as a subject matter expert for ISC2 for the CISSP and CSSLP certifications.

Debugging The Attack

 * Who:  Blaine Wilson


 * Abstract: Please join us as Blaine Wilson attaches a debugger to some of the OWASP Top Ten Web Application Vulnerabilities. No technical experience is required. Blaine will explain each vulnerability in plain English and then launch an attack so you can watch the vulnerability being exploited step by step.


 * Speaker Bio: Blaine has 18 years' experience in database design, web application architecture and information systems security. He currently works for CitiGroup as an Information Security Officer.

Software Security and the Building Security in Maturity Model

 * Who: Dr. Gary McGraw, CTO of Cigital


 * Abstract: Using the framework described in my book "Software Security: Building Security In", I will discuss and describe the state of the practice in software security. This talk is peppered with real data from the field, based on my work with several large companies as a Cigital consultant. As a discipline, software security has made great progress over the last decade. Of the sixty large-scale software security initiatives we are aware of, forty-two, all household names, are currently included in the BSIMM study. Those companies among the forty-two who graciously agreed to be identified include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives. The BSIMM can help you determine how your organization compares to other real software security initiatives and what steps can be taken to make your approach more effective.

Defending against XSS

 * Who:  Jason Montgomery, SANS Instructor, Secure Coding in .NET: Developing Defensible Applications

The presentation can be downloaded here

A video recorded at the Ohio Information Security Forum is available from here

Managing Risk with Threat Modeling

 * Who:  Anurag Agarwal, MyAppSecurity Founder


 * Abstract: Threat and vulnerability exploits are gaining momentum at many companies today because of the recent hacks at Sony, PBS, CIA and other high-profile companies. That these companies had already adopted mature vulnerability assessment and secure code analysis processes/tools and yet were negatively impacted by these hacks proves the point that it is not enough to rely solely upon traditional application security assessments and tools to mitigate the risk and the impact of these hacks. The new approach is to use a threat modeling tool and process to identify vulnerabilities during design, and to use Vulnerability Assessment (VA) and/or Static Code Analysis (SCA) tools to validate that these threats and vulnerabilities are mitigated in the application and/or source code. More and more organizations have realized today that identifying threats during the design phase and planning a technical risk mitigation strategy earlier in the SDLC helps in controlling risks as well as in saving time and money. Threat modeling can guide application development teams in ensuring that the organization's security policies are followed at design time, prior to the development and testing of the application. By creating pre-approved security requirements and applying them with a repeatable and scalable process, you can assist your organization's development teams in building a secure application easily and effortlessly.

The presentation can be downloaded from here

Magic Numbers - Proving Success Through 5 Powerful KPIs

 * Who:  Rafal Los, Application Security Evangelist at HP


 * Abstract: By now, most enterprises have figured out the dire need for software security assurance (SSA) programs, and are working on improving the security of their applications. The problem these organizations face now is that these initiatives are most often security-team-driven and either fear-based or run on "black magic". As organizations mature and start to examine budgets and program spending more carefully, these SSA programs are having a difficult time explaining what they do, and how (if at all) they are succeeding in lowering the risk posture of their parent organization. This talk defines Key Performance Indicators (KPIs) which will help bridge the gaps between the business and the technical security team that supports it. The KPIs presented will provide business context and assist in having a more intelligent conversation with the rest of the technology organization when it comes to answering the question "Is the [SSA] program working?".

How to Develop Secure Web Applications with the OWASP Enterprise Security API (ESAPI)

 * Who:  Andrea Cogliati Owner & Security Consultant, Dollos Srl


 * Abstract: ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, U.S. Navy - SPAWAR, The World Bank, SANS Institute.

Top Website Vulnerabilities: Trends, Business Effects and How to Fight Them

 * Who:  Jeremiah Grossman, Founder & CTO of WhiteHat Security


 * Abstract: Jeremiah Grossman, Founder & CTO of WhiteHat Security, will draw from WhiteHat's most recent Website Security Statistics Report, a statistical picture from over five years of continuous vulnerability assessment results taken from over 3,000 websites across 400 organizations. This represents the largest, most complete, and unique dataset of its kind. The presentation will be purely metrics focused, specifically discussing which classes of vulnerabilities are the most prevalent, measured remediation rates, and time-to-fix analysis, sorted by industry and organization size. While already incredibly revealing, the discussion will also go further back into the SDLC to better understand how many and how often vulnerabilities are introduced. For some organizations the problem area may simply be the volume of vulnerabilities introduced. For other organizations the primary challenge is obtaining the resources to fix the vulnerabilities that are identified. For others, the greatest need is to accelerate the vulnerability resolution process. This is the level of detail organizations need to measurably improve their application security programs.

Meeting Sponsor https://www.owasp.org/images/4/4d/Whitehat.gif

ATM Threats, Vulnerabilities and Exploits

 * Who:  Barnaby Jack, Director of Research, IOActive


 * Abstract: The most common attacks on Automated Teller Machines (ATMs) typically involve the use of card skimmers or the physical theft of the machines. Barnaby Jack's research goes beyond physical vulnerabilities and reveals software-based attacks. He will demonstrate both local and remote attacks, and reveal a multi-platform rootkit. The rootkit was specifically designed for ATMs to give an attacker the ability to dispense cash from the machine, retrieve ATM passwords and settings, and retrieve tracking data remotely.

Cloud Computing Security

 * Who:  Dr. James Walden, Assistant Professor Department of Computer Science at Northern Kentucky University


 * Abstract: Cloud computing is an emerging paradigm for large scale web application deployment. While cloud computing may reduce the complexity and costs of web application deployment, it also introduces new risks and requires a fundamentally different approach to security.  Traditional security approaches such as firewalls and network intrusion detection are either impossible or inappropriate for cloud applications. New risks include loss of governance, failure of compliance with regulations that assume infrastructure is physical rather than virtual, an expanded attack surface resulting from the connection between your organization and the cloud, and hypervisor attacks that may enable attackers on the same physical server to access your data.  This talk will address how these risks occur in the context of cloud computing and will examine ways to mitigate them.

The presentation can be downloaded from here

How to Prevent Business Flaws Vulnerabilities In Web Applications

 * Who:  Marco Morana, OWASP Cincinnati Chapter Lead (OWASP Bio)


 * Abstract: Business logic attacks (BLA) represent a growing threat for web applications. BLA specifically target the business logic of the application to exploit vulnerabilities that are uncommon and specific to the application logic. Examples of these vulnerabilities include a flaw in the shopping cart of the application that allows a malicious user to alter the price of an item, and access to unauthorized business transactions through forceful browsing to a web page, bypassing the normal workflow of the application. The scope of the presentation is to analyze the threat posed by BLA and provide examples of how a threat modeling methodology can be used to identify application-specific flaws and devise countermeasures so that these attacks can be both prevented and detected.

The presentation can be downloaded from here

= 2010 Presentations =

November Meeting

 * Presentation Title: Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications, Marco Morana, OWASP Cincinnati Chapter Lead (OWASP Bio)
 * The presentation can be downloaded from here


 * Abstract: According to the Gartner hype curve, Web 2.0 technologies have reached a stage of mainstream adoption by businesses, therefore it is critical for information and application security to understand the security implications of adopting Web 2.0 technologies. Web 2.0 not only amplifies traditional Web 1.0 vulnerabilities such as XSS, CSRF and data injection vulnerabilities but also introduces new threats; this is due to the intrinsic functionality that Web 2.0 technology is designed to provide. For example, Web 2.0 technologies provide a richer client and user experience than Web 1.0, foster users' collaboration with sites through user-provided content, and bring customers closer to businesses through participation in social networking sites. The first step is to perform a vulnerability and threat analysis of Web 2.0 applications. From a vulnerability and threat analysis perspective, Web 2.0 application vulnerabilities can be analyzed using both the OWASP Top 10 and WASC Top 50 threat categorizations. Critical to the vulnerability analysis of Web 2.0 applications is the determination of the vulnerability root causes; only through the identification of their root causes can vulnerabilities be eradicated. The second step is to build secure Web 2.0 applications. Secure design and implementation of Web 2.0 applications starts with a plan for adoption of software security activities as part of the SDLC. Essential software security activities include the documentation of secure coding requirements for Web 2.0 (such as for AJAX), secure design and review of Web 2.0 architectures, manual/automatic secure code reviews/analysis and security testing. Security testing needs to target both Web 2.0 client/desktop components (e.g. FLASH, RIA, mashups) as well as server components/functionality (e.g. Web services). Finally, the third step includes managing the business risks that Web 2.0 design flaws and bugs might pose to the business. The OWASP risk methodology and a Web 2.0 risk framework are proposed as a methodology to analyze and manage Web 2.0 security risks. A simple example of how to integrate Web 2.0 technology securely, such as a Twitter interface to a web site, is also presented.

October Meeting

 * Presentation Title: TLS Renegotiation, the vulnerability, the twitter attack and ways to tell if your application is vulnerable and how to fix it, Mr. Blaine Wilson, Information Security Architect at Great American Insurance
 * The presentation can be downloaded from here

September Meeting

 * Presentation Title: Data Security challenges in the all too Public and not so Private sectors, Mr. Patrick Gray, Principal Security Strategist of Cisco Systems
 * The presentation can be downloaded from here
 * The Internet threat landscape has shifted. What used to be a playground for hackers, crackers, script kiddies and packet monkeys is now a borderless abyss of organized crime fueled by financial gain and state sponsored forays into our critical infrastructures. Cisco Systems' Patrick Gray, a twenty-year veteran of the FBI, will explore the current threat landscape by highlighting the newest cyber criminals and examining the latest tactics employed by these predators. Gray will address how spammers, phishers, botmasters and hackers interact with this new crime element utilizing Web 2.0 technologies and how we can prepare our infrastructures to stave off these relentless attacks and protect our critical business assets.

July Meeting

 * Presentation Title: Botnet Attacks and Web Application Defenses, Gunter Ollmann, VP of Research, Damballa
 * The presentation can be downloaded from here
 * Security researcher Gunter Ollmann of Damballa provides an analysis of the botnet threats and the crimeware used by cybercriminals, including banking trojans such as Zeus. Information about the attacks used toward soft targets such as the user's browser is dealt with, including Man-in-the-Browser (MiTB) and Man-in-the-Middle (MiTM) attacks. Examples of how these attack techniques can be used for attacking banking customers are included, as well as the protection strategies that banks can adopt to protect against these attacks, with specific emphasis on online banking applications.

June Meeting

 * Presentation Title: Security of plugins compared to the main applications, Dr James Walden, Assistant Professor, Department of Computer Science at Northern Kentucky University
 * The presentation can be downloaded from here
 * Popular open source web applications have evolved into complex software ecosystems, consisting of a core maintained by a set of long term developers and a range of plugins developed by third parties. These plugins accomplish such tasks as adding forms to a content management system, connecting a blog with social networking systems, or even scanning for malware infecting the application. The security of such web applications depends as much on vulnerabilities found in plugins as it does on vulnerabilities in the application core. In this talk, we will examine the security of plugins and the impact of adding plugins on the security of those applications. We will look at empirical data, such as the number, types, and locations of vulnerabilities in these web applications, and examine how we can use such data to decide which applications to use and how to focus our efforts to secure such applications.

May Meeting

 * Presentation Title: Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications, Clint Pollock, Senior Solutions Architect at Veracode

Meeting Sponsor Veracode, Inc.


 * The presentation can be downloaded from here
 * With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams. In this session we will cover: (1) Prevalence of backdoors and malicious code in third party attacks; (2) Definitions and classifications of backdoors and their impact on your applications; (3) Methods to identify, track and remediate these vulnerabilities.

April Meeting

 * Presentation Title: Measuring Your Proactive Security Efforts, Cassio Goldschmidt, Senior Manager, Symantec Corporation
 * The presentation can be downloaded from here
 * Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress. Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple-to-obtain, yet meaningful, metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers in determining areas that need improvement. In this pragmatic presentation we’ll discuss metrics used at Symantec, the world’s largest security ISV, to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and on different products. We’ll also discuss how to easily provide decision makers different views of the same data, verify whether the process is indeed catching critical vulnerabilities internally, and see how the numbers compare with the competition.

March Meeting

 * Presentation Title: Thick Client Application (In)Security, Mr. Neelay S Shah, Senior Software Security Consultant, Foundstone Professional Services, A Division of McAfee Strategic Security
 * The presentation can be downloaded from here
 * Applications are becoming richer in terms of their user interface, attempting to leave a lasting impression on the users and wanting them to come back for more. Applications these days expose various ways for the user to interact with the application to create a “rich” application experience for the user. Thick client applications are the preferred choice to guarantee the above principles since they can leverage existing robust frameworks such as JAVA and .NET to create a rich user interface and are not limited by the browsers’ (in)ability to render the user interface elements. However with the increased sophistication, comes increased complexity and hence it is not uncommon to find client applications that are not only serving as the “presentation” tier but also potentially comprise of business logic to a varied extent. Security testing for thick client applications is a fairly involved and specialized task as compared to security testing web applications since each thick client is custom designed and developed for the application at hand. As such security testing each thick client application potentially involves dealing with different technologies and communication protocols and hence necessitates the use of different approaches. Attendees will learn the different strategies and methods that can be used for successfully testing thick client applications. We will discuss the different techniques to be able to bypass client side checks including methods for successfully understanding and intercepting client – server network communication. We will also evaluate the above mentioned techniques at depth in terms of their advantages, disadvantage and when to use the particular technique. This talk is intended for application testers, developers, project managers and application security professionals.

February Meeting
Meeting Sponsor: Accuvant (logo: https://www.owasp.org/images/d/dc/Accuvant.jpg)
 * Modern Application Testing Methodologies - Mr. Mark Maxey, Principal Consultant, Accuvant

 * This talk will give an overview of contemporary application testing methodologies and tools. A comparison of the various methodologies will be provided, together with the results of an in-depth analysis of those methodologies when run against real-world applications.

January Meeting

 * Microsoft Security Development Lifecycle Tools - Russell McMahon, Associate Professor of IT at the College of Applied Science, University of Cincinnati.
 * The presentation can be downloaded from here
 * This talk will focus on the tools that Microsoft has developed to aid in creating more secure applications. Microsoft developed the SDL system back in 2004 and it has begun to mature, but it still has a way to go. They have incorporated their Threat Analysis and Modeling (TAM) tool into their SDL system and now call it the SDL Line of Business (LOB) tool. This talk will also look at some of the other systems that exist for developing secure applications.

= 2009 Presentations =

November Meeting

 * Virtual Patching for Web Applications: Theory and Practice - Ryan Barnett, Director of Application Security Research, Breach Security Inc.
 * Fixing identified vulnerabilities in web applications always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls, as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design, and in most cases it can be done in less than 15 minutes. This presentation will outline exactly when and where virtual patching is appropriate and will show the proper steps for creating and testing virtual patches.

October Meeting

 * Threat Analysis as a Methodology for Deriving Risk-Based Security Tests of Web Application Software - Marco Morana, OWASP Chapter Lead (presented at the 2009 IMI Security Symposium & Expo)
 * The presentation can be downloaded from here
 * The risk that a web application might incur a security incident such as a major data breach depends on several risk factors, such as exposure to the public internet, the likelihood of being a target, and the knowledge, tools and techniques available to the attacker to break into the application. In order to mitigate such risks, web applications are security tested with testing techniques such as penetration testing and secure code analysis. The aim of this presentation is first to introduce the audience to the basics of security testing, such as the derivation of functional and non-functional security requirements and the execution of security testing as part of the SDLC and as part of developer and tester workflows. The presentation will also cover the most used security testing techniques, the OWASP Testing Guide, tools, vulnerability reporting and testing metrics. Companies often use security tests to meet compliance requirements such as PCI-DSS. Passing such security tests provides a level of application security assurance, but in light of the several data breaches occurring to organizations today it is logical to ask whether we can consider an application secure just because security testing did not find any high- or medium-risk vulnerabilities. From the perspective of security testing, this status quo advocates the need for a new approach toward security testing: a risk-based, threat-driven approach. From the risk mitigation perspective, security tests need to validate mitigations against new attack techniques used by cybercriminals and fraudsters and focus on tests where the difficulty of the attack is the least and the impact is the highest. The presentation will provide examples of the derivation of risk-based security test cases using data from cyber-intelligence reports, attack tree analysis, attack vector analysis, security flaw analysis, use and misuse cases, and application threat modeling/secure architecture analysis.

September Meeting

 * The Rise of Threat Analysis and the Fall of Compliance in Mitigating Cybercrime Risks - Marco Morana, OWASP Chapter Lead (also presented to the OWASP LA and Orange County Chapters)
 * On August 5, 2009, federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft ever to occur in the United States: the theft of 130 million credit card numbers by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. This massive theft of credit card data happened despite Heartland Payment Systems and Hannaford Bros. having passed security audits in compliance with the PCI-DSS standard. This fact leads one to question the effectiveness of regulatory compliance frameworks, and specifically of compliance with PCI-DSS standards, in reducing the likelihood of data breaches, identity theft and credit card fraud. This presentation will further analyze the impact of these data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of the incident. It is shown how monetizing the loss due to data breaches helps to frame non-compliance risks as a factor of business impact rather than merely of non-compliance fines. Traditional compliance- and audit-driven security assessment efforts are compared with a threat analysis approach: it is demonstrated that cybercrime risks require organizations to move beyond audit and compliance. Moving beyond means understanding complex threat scenarios and studying attacks in the wild with cyber-intelligence. Cases of publicly reported cybercrime attacks are used to outline the new threat landscape and the attack scenarios. The attacker motives and the means to achieve them will be analyzed by using attack trees: an attack tree can be used to analyze cyber attacks against web applications, breaches of credit card data as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of multi-factor authentication against attacks such as MiTM (Man In The Middle). Examples of attack vectors for testing defenses against cybercrime attacks (e.g. HTML IFRAME injection attack vectors and drive-by downloads) will be provided. Data Flow Diagram (DFD) analysis and architecture risk analysis examples will be presented to identify the entry points for attack vectors and the user access levels that can be exploited, and to enumerate threats, attacks, vulnerabilities and countermeasures. Security-by-deployment and security-by-design concepts will be elaborated as strategies for building countermeasures using security-by-design architecture principles. Finally, risk mitigation strategies will be discussed as self-awareness questions. The presentation re-affirms that audit and compliance need to be approached as a factor of minimum business risk mitigation. A cybercrime risk mitigation strategy needs to consider application threat modeling as a critical assessment for high-risk web applications.

August Meeting

 * OWASP T10 for Web Services - Marco Morana, OWASP Chapter Lead
 * The presentation is available herein.
 * Following the video of Gunnar Peterson's talk at the OWASP USA NYC 08 AppSec Conference, a summary of the OWASP T10 Vulnerabilities for Web Services is highlighted along with the recommended countermeasures. Discussion points around Web Services security were proposed, as well as further references to OWASP Web Services Security resources.

July Meeting

 * An Empirical Study of Web Application Security Trends - Dr. James Walden, Assistant Professor, Department of Computer Science, Northern Kentucky University
 * What is the current state of web application security? Are web applications more or less secure than they were last year? This presentation will attempt to answer those questions through an empirical study of popular open source web applications over the past two years. Data and statistics on vulnerability density, vulnerability types, and vulnerability severity will be analyzed, along with software metrics that may reflect application security.

June Meeting

 * The Web Hacking Incidents Database (WHID) – 2009 Analysis - Ryan Barnett, Breach Security Inc.

Meeting Sponsor: Breach Security (logo: https://www.owasp.org/images/9/9c/Breach_logo.gif)

 * The presentation is available herein.
 * The Web Hacking Incident Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. This presentation will highlight the statistics gathered from the first half of 2009 (January – June) and provide insight into categories such as: 1) Top Attack Methods, 2) Top Compromise Outcomes, 3) Top Target Geographic Region, 4) Top Vertical Markets Hit. The presenter will also provide some in-depth analysis of emerging threats/attack techniques such as the planting of malware on websites and reflected cross-site scripting through SQL injection.

May Meeting

 * OWASP T10 Vulnerabilities and Security Design Flaws Root Causes - Marco Morana, OWASP Chapter Lead
 * The presentation is available herein.
 * The fact that security flaws are still so pervasive in web applications today highlights the need to identify and fix them by looking at the root causes in the application architecture. This presentation will look at the OWASP T10 vulnerabilities from the perspective of root causes in design and provide examples of how these vulnerabilities can be identified in a threat model and mitigated at different layers of the application architecture. Strategic and tactical approaches to the OWASP T10 will be discussed. The strategic approach will cover concepts and principles of security by design, such as secure architecture principles and requirements for designing security controls. The OWASP Application Threat Modeling process is provided as a reference even though it is not discussed in this presentation.

April Meeting

 * April 28th Presentation: Bad Cocktail: Application Security Flaws + Targeted Phishing - Rohyt Belani, CEO and co-founder of Intrepidus Group
 * The presentation is available herein.
 * Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies... and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a "hacker's" repertoire. Phishers are combining social engineering with application security flaws in well-known websites to make automated detection of targeted phishing attacks almost impossible. The result: hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

March Meeting

 * March 24th Presentation: Application Testing Methods and Modern Threats - Presenter: Mark Maxey, Principal Consultant – Application Specialist – Accuvant, Inc.
 * A walk through the state of the available tools for finding vulnerabilities, tying the discussion into PCI DSS.

January Meeting

 * Threat Analysis and Modeling - Russell McMahon, Associate Professor of IT at the College of Applied Science, University of Cincinnati.
 * Security is a big issue and all too often it is only thought of as it applies to the network administrator. However, programmers face a host of threats to their applications. The solution is to build a threat model. The purpose of a threat model is to aid in identifying potential threats before a system is built, not after. This talk will cover some of the common threats to applications and how to prevent them. This talk is based upon Microsoft's Threat Analysis and Modeling (TAM) tool and their newest version which is now part of their Security Development Lifecycle (SDL). This tool has been used by companies such as Ford and Boeing as a part of their total information life cycle process. Additional resources will also be discussed.

= 2008 Presentations =

November Meeting

 * Web App Hacking for Developers - Jeremiah Blatz, Senior Security Consultant, Foundstone Professional Services
 * The presentation is available herein.
 * How safe are your web applications? You'll think twice after seeing how Foundstone security experts dig into their hacker's toolbox and rip open web applications by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery. Even if you've seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Countermeasures to prevent mistakes will then be shared.

October Meeting

 * Phishing: Trends and Countermeasures - Blaine Wilson, Information Security Architect, Great American Insurance Group
 * The presentation is available herein.
 * The presentation covered the current trends in phishing and how to establish countermeasures from an infrastructure perspective, from an application development perspective, and through user awareness training.

September Meeting

 * Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations - Marco Morana (TISO, Citigroup) & Scott Nusbaum (Security Analyst, Citigroup)
 * The presentation is available herein.

 * Input validation vulnerabilities in web applications can be exploited with attack vectors to cause business impacts such as information disclosure, data alteration and destruction, denial or degradation of service, financial loss, fraud, and reputation/brand damage. Several web applications today have implemented filtering techniques to block such attack vectors; unfortunately, such filtering techniques are seldom based on black lists that fail when attackers use filter evasion techniques such as single and double encoding. This presentation will cover the basic understanding of attack vectors, the malicious payloads that can be carried by them, and the techniques used by attackers to evade input validation filters. Lists of different variations of encoded XSS attack vectors and constructed SQL injection vectors will be presented. From the defensive perspective, these lists can be used as cheat sheets for testing the efficacy of input filtering techniques. A demonstration of a sample implementation of effective input validation using the J2EE Struts framework is also presented. During the presentation, web application developers and architects will be introduced to the concepts of canonicalization, encoding and sanitization, and guided on the most effective input validation strategies and techniques as well as on the best use of available input validation resources from OWASP.

August Meeting

 * The OWASP Enterprise Security API (ESAPI) - Joe Combs, Staff Consultant, SEI-Cincinnati LLC
 * The presentation is available herein.

 * Security controls are central to developing secure applications, yet few development teams code them properly (if they code them at all!). The OWASP Enterprise Security API (ESAPI) provides a set of well-defined interfaces for doing security "right" within your application and provides a reference implementation of these interfaces. ESAPI handles difficult tasks such as validation, encoding, encryption, and more. This presentation will provide a guided tour of ESAPI capabilities and recommended usage to combat the most pernicious vulnerabilities.

July Meeting

 * Building Security Into Applications - Marco M. Morana, TISO Citigroup
 * The presentation is available herein.

 * What is the best way to start a software security initiative within your organization? First you need to present the business case to management in terms of costs, threats and root causes. Subsequently you need to provide a roadmap. The first step of the roadmap is to evaluate the maturity of secure software development processes, tools and training. The next step is to adopt a framework for software security activities, software development and risk management processes: software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP are examples of security engineering frameworks that can be used. Software security activities such as threat modeling, secure code reviews and security testing work as checkpoints to validate software artifacts and manage software security risks. Finally, data such as vulnerability metrics and process management metrics help to manage and optimize the software security processes in the long term and show the effectiveness of the software security initiative to the organization.

June Meeting

 * SQL Injection - Dr. James Walden, Northern Kentucky University
 * The presentation is available herein.

 * Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

May Meeting

 * Cross Site Request Forgery Vulnerability In-Depth Dive - Marco M. Morana, Technologist/Author, TISO Citigroup
 * The presentation is available herein.

 * CSRF vulnerabilities can be exploited to perform unauthorized transactions on behalf of a logged-in user by abusing the trust between the browser session and the web application. Such unauthorized transactions include transfer of funds in an online banking application, denial of service through forced logout, data tampering and information disclosure, as well as unauthorized access. The in-depth session will cover how and where CSRF happens, how it can be identified (i.e. tested for), and how it can be prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail, as well as CSRF tools such as CSRFGuard.

April Meeting

 * The New Face of Cybercrime: Movie Premiere and Follow-Up Discussion.
 * Major Bruce C. Jenkins (USAF, Ret.) - Security Practice Director at Fortify Software Inc.

Meeting Sponsor: Fortify Software (logo: http://www.owasp.org/images/4/4b/Fortify_1.jpg)

 * The revealing documentary features candid interviews with criminal hackers and with the industry executives taking steps against their persistent attacks. Learn about the shocking exposure of IT systems and how to address it.

March Meeting

 * Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup
 * Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time-consuming process, but it is a link in the chain for producing secure software. Join us as we explore building a business case for static analysis and review the current open source static analysis tools.

 * An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup
 * Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

 * OWASP Top Ten Vulnerabilities and Software Root Causes: Solving the Software Security Problem from an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.

 * Before diagnosing the disease and providing the cure, a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In the case of application security, the majority of the root causes of security issues lie in insecure software; the risk factors can be found in how badly the application is designed, the software is coded and the application is tested; and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways of enforcing software security by looking at the risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start addressing the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weaknesses in application security controls, it is easier to describe the root causes as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten; for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find out if you are vulnerable and, if you are, which countermeasures need to be implemented.

January Meeting

 * Introduction to OWASP - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.

 * OWASP plays a special role in the application security ecosystem: it is a vehicle for sharing knowledge and leading best practices across organizations. OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization for sharing open source tools, documents, basic information, guidelines, presentations and projects worldwide. The OWASP Top Ten list is a reference for the most critical web application security flaws, compiled by a variety of security experts from around the world. The list is recommended by the U.S. Federal Trade Commission and the U.S. Defense Information Systems Agency and is adopted by the Payment Card Industry (PCI) as a requirement for security code reviews. Through OWASP you’ll find a rich community of people to connect with through mailing lists, participation in the local chapters, and attending conferences. The people involved in OWASP recognize that the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and to learn more about how to contribute to OWASP.

 * WebGoat and WebScarab Security Tools Use Cases - Blaine Wilson (Citigroup, TISO)
 * The presentation will show how to use popular OWASP tools such as the WebScarab web proxy and WebGoat to learn about common security vulnerabilities in applications.

= Cincinnati OWASP Chapter Board Members =

The scope of the board is to discuss and approve local activities, meetings and plans. The board meets informally on a biweekly basis, every other Friday at 7:30 AM, at Panera Bread in Blue Ash (Directions).

The board currently includes the following members:
 * Chapter Leader: [mailto:andywillingham@gmail.com Andy Willingham]
 * Chapter Leader On Leave: [mailto:marco.m.morana@gmail.com Marco Mirko Morana]
 * Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
 * Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
 * Chairman of the Board: [mailto:wayne.browning@citi.com H. Wayne Browning]
 * Job Postings/Linkedin: [mailto:Brianvn2010@gmail.com Brian Van Norman]

= About OWASP =

The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional-quality, open-source documentation, tools, and standards. Consult the How OWASP Works web page for more information about projects and governance.

OWASP Membership
OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or to participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand, OWASP relies on membership fees and sponsorship to support its activities. There are also unique benefits to becoming a corporate member, such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.