Cincinnati

Welcome to the Cincinnati OWASP Local Chapter. This chapter was started in 2008 by the current chapter leader Marco Morana. We encourage sharing application security knowledge among the local security community by helding chapter meetings monthly. The OWASP chapter meetings are free and open to anyone interested in application security. Prior to participating with OWASP please review the Chapter Rules. OWASP is a non profit organization and as such we rely on OWASP Membership fees and corporation financial support. Organization supporters & direct donations to OWASP are fully tax deductible. We encourage your financial support to the chapter as well as to the OWASP organization through the following link:

Cincinnati

To join the chapter mailing list, please visit our mailing list homepage. The chapter mailing list has currently 94 subscribers.The list is used to discuss the meetings and to arrange meeting locations. You can also review the email archives to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Upcoming November Meeting

 * When: Wednesday, November 25th, 12.00 - 13.30 PM 
 * If you plan to attend the meeting please RSVP by email [mailto:marco.m.morana@gmail.com Marco Morana] (marco[dot]m[dot]morana[at]gmail[dot]com) by Monday Nov 23rd.


 * Presenter: Ryan Barnett, Director of Application Security Research, Breach Security Inc.


 * What: Virtual Patching for Web Applications: Theory and Practice
 * Fixing identified vulnerabilities in web application always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes. This presentation will outline exactly when and where Virtual Patching is appropriate and will show the proper steps for their creation and testing.


 * Presenter Bio: Ryan C. Barnett is the Director of Application Security Research at Breach Security  where he leads Breach Security Labs. He is a frequent speaker at industry conferences such as Blackhat and is a Faculty Member for the SANS Institute and Team Lead for the Center for Internet Security Apache Benchmark Project. He is the OWASP ModSecurity Core Rule Set (CRS) Project Leader and a member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache".


 * Location / Venue Sponsor: Citibank 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537
 * For help with directions contact Citi Blue Ash help desk at (513) 979-9000 or check directions herein.
 * Please access the building from the visitor lobby. OWASP meetings are held at the "Buckeyes" lecture room.


 * Agenda
 * 11.45-12.00 Registration
 * 12:00 - 1:00 Presentation


 *  Proof of ID is required to attend the meeting
 * Citi guards verify that you pre-registered to the meeting by checking the RSVP list. Once you are checked and identified (please bring a proof of ID) you will be granted visitor access to the training facilities.


 *  Presentation logistics
 * The Citi sponsored lecture room can host up to 53 people and is equipped with video and audio system to be used with the presenter's laptop.

2009 Meetings Calendar
This is a provisory calendar and the incoming meeting is confirmed on month to month basis. We always look for good speakers/presenters. If you would like to present a topic, or if you wish to held the meeting at your company premises please send an email to the [mailto:marco.m.morana@gmail.com chapter leader]. For a topic selection please take into consideration the topic of interest from the members topic poll.
 * January 9 Speaker Presentation: Threat Analysis and Modeling  Russell McMahon associate professor of IT at the College of Applied Science, University of Cincinnati.
 * February 29  OWASP Video & Forum Discussion: Exploiting Security Program Defects Through Case Studies  Vijay Akasapu & Marshall Heilman Mandiant
 * March 24  Speaker Presentation: Application Testing Methods and Modern Threats Mark Maxey Principal Consultant, Accuvant
 * April 28 Speaker Presentation : Bad Cocktail: Application Security Flaws + Targeted Phishing Rohyt Belani CEO Intrepidus Group
 * May 26  Speaker Presentation: OWASP T10 and Security Design Flaws Root Causes Marco Morana, Technology Information Security Officer Citigroup
 * June 23 Speaker Presentation: The Web Hacking Incidents Database (WHID) – 2009 Analysis  Ryan Barnett, Director of Application Security Research at Breach Security
 * July 21  Speaker Presentation: Speaker Topic TBD Presenter Dr. James Walden Assistant Professor Department of Computer Science Northern Kentucky University
 * August 25  OWASP Video & Forum Discussion: OWASP Web Services Top Ten by Gunnar Peterson
 * September 29  Speaker Presentation: The rise of threat analysis and the fall of compliance in mitigating cybercrime risks  Marco Morana, OWASP Chapter Lead
 * October 30  OWASP get together: IMI Security Summit
 * November 25  Speaker Presentation: Mod Security and CSR Ryan Barnett, Director Application Security Research, Breach Security Inc.
 * December 16  OWASP Video & Forum Discussion: Static Analysis Tools Discussion Forum By TBD

OWASP Chapter Meeting Topics Selection For 2009 (Mailing List Poll)
Speakers can refer to the following topic's list for discussion being selected by the local chapter members topic poll. Cincinnati members have VERY HIGH interest for Security Testing, HIGH interest for: Attacks to Financial Applications, Web Services Security, Static Analysis Tools and Web-based Malware MEDIUM interest for Secure Architecture Design and MILD interest for Threat Modeling and Secure Software Development.

October Meeting

 *  Threat analysis as methodology for deriving risk-based security tests of web application software Marco Morana OWASP Chapter Lead (presented at 2009 IMI Security Symposium & Expo)
 * The presentationcan be downloaded from here 
 * The risk that a web application might incur in a security incident such a major data breach depends on several risk factors such as the exposure into the public internet, the likelihood of being a target as well as the knowledge, tools and techniques available to the attacker to break into the application. In order to mitigate such risks, web applications are security tested with testing techniques such as penetration testing and secure code analysis. The aim of this presentation is first to introduce the audience to the basics of security testing such as the derivation of functional and non functional security requirements, the execution of security testing as part of the SDLC and as part of developers and tester workflows. The presentation will also cover the most used security testing techniques, OWASP testing guide, tools and vulnerability reporting and testing metrics. Often companies use security tests for meeting compliance requirements such as PCI-DSS, passing such security tests provides a level of application security assurance but in light of several data breaches occurring to organizations today it is logical to ask whether we can consider an application secure because security testing did not found any high and medium risk vulnerabilities. From the perspective of security testing, this status quo advocates the need to a new approach toward security testing: a risk based, threat driven approach. From the risk mitigation perspective, security tests need to validate mitigations against new attack techniques used by cybercriminals and fraudsters and focus on tests where the difficulty of the attack is the least and the impact is the highest. The presentation will provide examples of derivation of risk based security test cases using data from cyber-intelligence reports, attack tree analysis, attack vector analysis, security flaw analysis, use and misuse cases and application threat modeling/secure architecture analysis.

September Meeting

 * The rise of threat analysis and the fall of compliance in mitigating cybercrime risks Marco Morana OWASP Chapter Lead (also presented to OWASP LA and Orange County Chapters)
 * On August 5 of 2009, Federal prosecutors charged Albert Gonzales with the largest case of credit and debit card data theft ever occurred in the United States: 130 million credit cards numbers by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were security compliant with PCI-DSS standard at the time they were compromised: that let question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze the cost of these data breaches by monetizing the losses as being reported in quarterly earning reports (e.g. TJX) as well as impact on stock price (e.g. HPY) at the time of public disclosure. It is shown as monetizing the loss due to data breaches helps to frame non-compliance risks as a factor of business impact and dispelling further the myth that being compliant equals being secure. The effectiveness of traditional compliance-driven security assessments efforts is compared with a threat analysis approach and it is demonstrated how cybercrime risks can be mitigated by understanding threat scenarios through cyber-intelligence: cases of publicly reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. The attacker motives and the means to achieve them will be analyzed by using attack trees:a attack tress allow to study cyber attacks against web applications, breaches of credit card data as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM as well as a way to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors for testing applications against code injection attacks as well as for cybercrime attacks (e.g. HTML-IFRAME Injection Attack Vectors and drive by download) will be provided. Data Flow Diagrams (DFD) Analysis and Architecture Risk Analysis examples will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, enumerate threats as well as to determine threats, attack, vulnerabilities and countermeasures. Security by deployment and security by design concepts will be elaborated as strategic countermeasures with reference to three tier architectures and security by design architecture principles. Finally, mitigation strategies against cybercrime attacks will be discussed as self-awareness questions. The presentation re-affirms that compliance needs to be approached as factor of business risk and needs to consider threat risk modeling and application threat modeling as critical assessments to mitigate cybercrime risks to web applications.

August Meeting

 * OWASP T10 For Web Services  Marco Morana OWASP Chapter Lead
 * The presentation is available herein
 * Following the video presentation from Gunnar Peterson talk at OWASP USA NYC 08 AppSec Conference a summary of OWASP T10 Vulnerabilities for Web Services is highlighted as well as the recommended countermeasures. Discussion points around Web Services security were proposed for discussion as well further reference to OWASP Web Services Security resources.

July Meeting

 * An Empirical Study of Web Application Security Trends  Dr. James Walden Assistant Professor Department of Computer Science Northern Kentucky University
 * What is the current state of web application security? Are web applications more or less secure than they were last year?  This presentation will attempt to answer those questions through an empirical study of popular open source web applications over the past two years.  Data and statistics on vulnerability density, vulnerability types, and vulnerability severity will be analyzed, along with software metrics that may reflect application security.

June Meeting

 * The Web Hacking Incidents Database (WHID) – 2009 Analysis  Ryan Barnett -Breach Security Inc

Meeting Sponsor https://www.owasp.org/images/9/9c/Breach_logo.gif


 * The presentation is available herein
 * The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. WHID goal is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web applications security incidents. The database is unique in tracking only media reported security incidents that can be associated with a web application security vulnerability. This presentation will highlight the statistics gathered from the 1st half of 2009 (January – June) and provide insight into categories such as: 1) Top Attack Methods, 2) Top Compromise Outcomes, 3) Top Target Geographic Region, 4) Top Vertical Markets Hit. The presenter will also provide some in-depth analysis for emerging threats/attack techniques such as planting of malware on websites and reflected cross-site scripting through sql injection.

May Meeting

 * OWASP T10 Vulnerabilities and Security Design Flaws Root Causes  Marco Morana OWASP Chapter Lead
 * The presentation is available herein.
 * The fact that security flaws are still so pervasive in web applications today highlights the need to identify and fix them by looking at the root causes in the application architecture. This presentation will look at OWASP T10 vulnerabilities from the perspective of root causes in design and provide examples on how these vulnerabilities can be identified in a threat model and mitigated at different layers of the application architecture. Strategic and tactical approaches to the OWASP T10 will be discussed. The strategic approach will cover concepts and principles of security by design such as secure architecture principles and requirements for designing security controls. The OWASP Application Threat Modeling process is provided as reference even if not discussed with this presentation.

April Meeting

 * April 28th Presentation: Bad Cocktail: Application Security Flaws + Targeted Phishing  Rohyt Belani is CEO and co-founder of  Intrepidus Group
 * The presentation is available herein.
 * Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies...and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a "hackers" repertoire. Phishers are combining social engineering with application security flaws in well known websites to make automated detection of targeted phishing attacks almost impossible. The result - hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

March Meeting

 * March 24th Presentation: Application Testing Methods and Modern Threats  Presenter: Mark Maxey Principal Consultant – Application Specialist – Accuvant, Inc
 * Walk through the state of the available tools and around finding vulnerabilities, and tie the discussion into PCI DSS

January Meeting

 * Threat Analysis and Modeling  Russell McMahon, associate professor of IT at the College of Applied Science, University of Cincinnati.
 * Security is a big issue and all too often it is only thought of as it applies to the network administrator. However, programmers face a host of threats to their applications. The solution is to build a threat model. The purpose of a threat model is to aid in identifying potential threats before a system is built, not after. This talk will cover some of the common threats to applications and how to prevent them. This talk is based upon Microsoft's Threat Analysis and Modeling (TAM) tool and their newest version which is now part of their Security Development Lifecycle (SDL). This tool has been used by companies such as Ford and Boeing as a part of their total information life cycle process. Additional resources will also be discussed.

November Meeting

 * Web App Hacking for Developers Jeremiah Blatz, Senior Security Consultant, Foundstone Professional Services
 * The presentation is available herein.
 * How safe are your web applications? You'll think twice after seeing how Foundstone security experts dig into their hacker's toolbox and rip open web applications by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery. Even if you've seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Countermeasures to prevent mistakes will then be shared.

October Meeting

 * Phishing: Trends and Countermeasures Blaine Wilson, Information Security Architect, Great American Insurance Group
 * The presentation is available herein.
 * The presentation covered the current trends in phishing and how to establish countermeasures both from an infrastructure perspective, an application development perspective and the user awareness training.

September Meeting

 * Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations Marco Morana (TISO Citigroup) & Scott Nusbaum (Security Analyst Citigroup)
 * The presentation is available herein.


 * Input validation vulnerabilities in web applications can be exploited with attack vectors to cause business impacts such as information disclosure, data alteration and destruction, denial or degradation of service, financial loss fraud and reputation brand damage. Several web applications today have implemented filtering techniques to block such attack vectors; unfortunately such filtering techniques are seldom based on black lists that fail when attackers use filter evasion techniques such as single and double encoding. This presentation will cover the basic understanding of attack vectors, the malicious payloads that can be carried out and the techniques used by attackers to evade input validation filters. Lists of different variations of encoded XSS attack vectors and constructed SQL injection vectors will be presented. From the defensive perspective, these lists can be used as cheat sheets for testing the efficacy of the input filtering techniques. A demonstration of a sample implementation of effective input validation using J2EE struts framework is also presented. During the presentation, web application developers and architects will be introduced to the concepts of canonicalization, encoding and sanitization and guided on the most effective input validation strategies and techniques as well as on the best use of available input validation resources from OWASP.

August Meeting

 * The OWASP Enterprise Security API (ESAPI) Joe Combs, Staff Consultant, SEI-Cincinnati LLC
 * The presentation is available herein.


 * Security controls are central to developing secure applications, yet few development teams code them properly (if they code them at all!). The OWASP Enterprise Security API (ESAPI) provides a set of well defined interfaces for doing security "right" within your application and provides a reference implementation of these interfaces.  ESAPI handles difficult tasks such as validation, encoding, encryption, and more.  This presentation will provide a guided tour of ESAPI capabilities and recommended usage to combat the most pernicious vulnerabilities.

July Meeting

 * Building Security Into Applications - Marco M. Morana, TISO Citigroup 
 * The presentation is available herein.


 * What is the best way to start a software security initiative within your organization? First you need to present the business case to the management in terms of costs, threats and root causes. Subsequently you need to provide a roadmap. The first step of the roadmap is to evaluate the maturity of secure software development processes, tools and training. The next step is to adopt a framework for software security activities, software development and risk management processes: software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP are examples of security engineering frameworks that can be used. Software security activities such as threat modeling, secure code reviews and security testing work as checkpoints to validate software artifacts and manage software security risks. Finally data such as vulnerability metrics and process management metrics helps to manage and optimize the software security processes in the long term and show the effectiveness of the software security initiative to the organization.

June Meeting

 * SQl Injection - Dr. James Walden, Northern Kentucky University
 * The presentation is available herein.


 * Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

May Meeting

 * Cross Site Request Forgery Vulnerability In Depth Dive In - Marco M. Morana, Technologist/Author, TISO Citigroup
 * The presentation is available herein.


 * CSRF vulnerabilities can be exploited to perform un-authorized transactions on behalf of a logged in user by exploiting the trust between the browser session and the web application. Such un-authorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure as well as un-authorized access. The in-depth session will cover how and where CSRF happen, how can be identified (e.g. tested for) and prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail as well as CSRF tools such as CSRF guard

April Meeting

 * The New Face of Cybercrime Movie Premiere And Follow Up Discussion.
 * Major Bruce C. Jenkins, (USAF, Ret.)- Security Practice Director at Fortify Software Inc.

Meeting Sponsor http://www.owasp.org/images/4/4b/Fortify_1.jpg


 * The revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. Learn the shocking exposure of IT systems and how to address the changes.

March Meeting

 * Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup
 * Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software.  Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.


 * An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup
 * Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.  The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

 * OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

January Meeting

 * Introduction to OWASP- Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide. The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.


 * Webgoat and Webscarab Security Tools Use Cases - Blaine Wilson (Citigroup, TISO)


 * The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

Cincinnati OWASP Chapter Board Members
Scope of the board is to discuss and approve local activities, meetings and plans.The board meets informally on the by-weekly basis every other Friday at 7.30 AM at Panera Bread in Blue Ash Directions

The board currently includes the following members:  
 * Chapter Leader: [mailto:marco.m.morana@gmail.com Marco Morana]
 * Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
 * Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
 * Chairman of the Board: [mailto:wayne.browning@citi.com H. Wayne Browning]
 * Public Relations: [mailto:aerickson@lucruminc.com Andy Erickson]

About OWASP
The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. Consult the how OWASP works web page for more information about projects and governance.

OWASP Membership
OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand OWASP rely membership fees and sponsorship to support his activities. There are also unique benefits to become a corporate member such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.