Cleveland

Upcoming Meetings
October 5, 2017 at 11:30 AM

All meetings are held at SecureState (23340 Miles Road Bedford Heights, OH 44128)

Presentation: Hands-on Demonstration of Common Web Application Penetration Testing Tools

Web application penetration testing tools are a critical element to validating the security of web applications. These tools typically work by injecting a series of malicious payloads within insertion points in HTTP requests and analyze deviations within responses returned by the application to identify the existence of vulnerabilities.

Presenter Ryan Brown will deliver a hands-on demonstration of the following tools and review in depth some of the functionalities and features they possess:
 * Burp Suite: produced by Portswigger is the industry leading tool for web application penetration testing. This powerful framework provides support for a series of useful functionalities including but not limited to traffic interception, application mapping, fuzzing and crawling as well as automated scanning.
 * SQLMap: an open source penetration testing tool designed to automate the identification and exploitation of SQL injection vulnerabilities.
 * Commix: like SQLMap, is a testing tool designed to automate the identification and exploitation of command injection vulnerabilities.

Speaker Bio: Ryan Brown is a Red Team Security and Research Analyst at SecureState specializing in web application penetration testing. In his tenure with SecureState, Ryan has worked with organizations across a variety of industries, providing him with the expertise and knowledge of the security posture that exists within web applications.

-

We are always looking for new speakers to present at our meetings! If you are interested in speaking at an upcoming OWASP meeting, please contact Courtney Satink at [mailto:csatink@securestate.com csatink@securestate.com] with your idea.

Past Events:
Presentation: Hands-on Demonstration of Common Web Application Penetration Testing Tools

Abstract: Web application penetration testing tools are a critical element to validating the security of web applications. These tools typically work by injecting a series of malicious payloads within insertion points in HTTP requests and analyze deviations within responses returned by the application to identify the existence of vulnerabilities.

Presenter Ryan Brown will deliver a hands-on demonstration of the following tools and review in depth some of the functionalities and features they possess:
 * Burp Suite: produced by Portswigger is the industry leading tool for web application penetration testing. This powerful framework provides support for a series of useful functionalities including but not limited to traffic interception, application mapping, fuzzing and crawling as well as automated scanning.
 * SQLMap: an open source penetration testing tool designed to automate the identification and exploitation of SQL injection vulnerabilities.
 * Commix: like SQLMap, is a testing tool designed to automate the identification and exploitation of command injection vulnerabilities.

Speaker Bio: Ryan Brown is a Red Team Security and Research Analyst at SecureState specializing in web application penetration testing. In his tenure with SecureState, Ryan has worked with organizations across a variety of industries, providing him with the expertise and knowledge of the security posture that exists within web applications. - Presentation: Warning Ahead: Security Storms are Brewing in Your JavaScript

Abstract: JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.

In this talk we will explore the vulnerabilities behind Javascript, including:


 * A new class of vulnerabilities unique only to JavaScript
 * Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
 * A new set of vulnerabilities enabled by HTML5

Speaker Bio: Scott McBain has been developing and directing the development of security-conscious commercial applications for 20 years. He has held a variety of roles from developer, DBA /Unix sysadmin, development manager, to cloud/infrastructure architect. Prior to coming to Checkmarx, he designed and implemented cloud environments for Accuity, a unit of Reed Elsevier. He holds a BA in Economics and Classical Languages and Literatures from the University of Michigan.

-

Presentation: An Intro to Transport Layer Security

Abstract: The web (and the Internet at large) is undergoing a slow but steady transition to the default use of encrypted protocols rather than their less secure cleartext counterparts. This trend has resulted in the sharply increasing popularity of Transport Layer Security (TLS). Mozilla recently found that 50% of pages are now loaded over HTTPS, browsers have begun to warn users when they are using unencrypted connections for sensitive operations, and Let's Encrypt has made obtaining certificates free and easy.

As the barriers to TLS adoption fall, it is unavoidable that web developers and administrators will need a working knowledge of modern cryptography. Presenter Travis Suel will cover the high-level concepts needed to develop and maintain modern, secure TLS configurations including public and symmetric-key cryptography.

Speaker Bio: Speaker Bio: Travis Suel is a senior analyst at SecureState who manages SecureState's web and mobile application security services. Travis's background consists of systems and web development in addition to experience deploying and adminstering web applications and their supporting software (web servers, databases, etc.).

-

Presentation: Threat Modeling

Abstract: How do you know how to build your application securely, or what to look for when you are performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. Also, there are security issues that other analysis techniques like penetration testing and code review cannot find. Threat modeling can be used to discover design weaknesses that cannot be found using other analysis techniques.

This talk details a threat modeling process and methodology to teach the audience how to identify the assets, security controls, and threat agents for a given system. The talk goes on to show how this information can be used to create a prioritized list of test cases for other security activities, as well as find design weaknesses and propose appropriate mitigations.

Speaker Bio: Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Master’s degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security problems.

-

Presentation: A Touch(ID) of iOS Security

Abstract: As mobile devices become more and more prevalent in our lives, the clash between security and usability moves to the forefront. Apple integrated TouchID into its main mobile devices products (iPhones/iPads). In Apple’s controlled fashion, access to the TouchID was unavailable at first and has been expanded over subsequent releases. With this expansion is a new world of authentication possible?

In this talk, we will explore the architecture of TouchID and the how Apple is pushing biometrics into the forefront of consumer-based products. As companies start embracing biometrics, there are standard client-side authentication risks and TouchID Implementations risk. We will explore the architecture and common implementations, to understand possible hidden risks, and how to strengthen the implementations.

Speaker Bio: Jamie Bowser is a Technical Strategist who has over 20 years of information technology experience in a variety of roles including Web Application developer/architect, Unix Administrator, and Systems Analyst. Mr. Bowser has worked with a number of Fortune 500 companies, including Morgan Stanley, JP Morgan Chase, and Key Corp. As a Technical Strategist at Cigital, he has overseen and performed Mobile Strategic Consulting, Mobile Application Penetration Testing and Mobile Application Source Code reviews of systems built from a few thousand lines of code to systems containing tens of millions of lines of code (Java, .Net, and Objective-C). Currently, Mr. Bowser focuses on iOS Static and Dynamic testing tool development.

-

Presentation: Awareness Training: Failure to Engage is Failure to Secure

Abstract: We call it security awareness training, but all we ever give our employees is regurgitated knowledge. Their passwords suck, don’t trust user input, and make sure you complete the secure coding standard checklist. Mix in some yearly reviews of policies and procedures and you have the perfect recipe for an employee who stopped listening hours ago. You don't truly learn something until you understand "why" and that comes when employees are engaged and motivated. This is my take on how to engage through gaming, running your own internal CTF with OWASP Security Shepherd, pentest training with OWASP ZAP, and why it works.

Speaker Bio: Mike Woolard is a security analyst who has worked in the IT field for 17+ years. A broad background from helpdesk to sysadmin, system engineer, networking, DB and development work. Most of Mike's work now centers around pentests and risk assessments, but an integral part will always be awareness training. An active member in various local security groups including NEOISF, OWASP, infragard and the Information Security Summit.

-

Presentation: Securing Severless Apps

Abstract: Thanks to a combination of Amazon Web Services (AWS) technologies, it's now possible to host certain web applications without the need for a central server. The JavaScript AWS SDK allows endpoints to interact directly with data, which opens the door for completely client-driven apps. However, the complexity quickly increases when we consider security - how we manage access and encrypt data effectively. This presentation will cover the challenges encountered during the creation of a real life serverless application, and how the team used a combination of local and cloud hosted solutions to achieve their goals.

Speaker Bios: Steve Ocepek - has been working with security technologies for over a decade, with a focus on network security that has included five patents. He has presented at Defcon, Black Hat, and RSA, and has built security programs for both government and Fortune 500 companies.

Devin Shimola - has recently joined the security and software development community as a developer for SecureState after graduating from Baldwin Wallace University. He has been working with Amazon Web Services to create client-side browser based applications while also working in .Net to create tools to bridge the gap between cloud services and legacy applications.

-

Presentation: Tools and Procedures for Securing .NET Applications

Abstract: With security attacks on the rise, protecting your applications and data is more of a necessity than ever before. We’ll discuss some of the features provided by Visual Studio and the .Net framework, such as Dotfuscator, SignTool, and encryption tools. In addition we'll look at other protective measures such as early intrusion detection, mitigation, and Social Engineering. These are topics not typically covered in other security presentations or material.

Speaker Bio: Sam Nasr has been a software developer since 1995, focusing mostly on Microsoft technologies. Having achieved multiple certifications from Microsoft (MCAD, MCTS(MOSS), and MCT), Sam develops, teaches, and tours the country to present various topics in .Net Framework. He is also actively involved with the Cleveland C#/VB.Net User Group, where he has been the group leader since 2003. In addition, he also started the Cleveland WPF Users Group in June 2009, and the Cleveland .Net Study Group in August 2009, and is the INETA mentor for Ohio. When not coding, Sam loves spending time with his family and friends or volunteering at his local church. He can be reached by email at sam@nasr.info.

-

Presentation: Security Code Review: A Radical Departure from Everything You Know and Love (to hate) About Code Review 

Abstract: Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. In this talk, experts will cover commonly asked questions such as:

How can you change the way you apply source code review using modern and freely available tools in order to provide high-quality review? What, specifically, can you do to avoid the critical flaws we commonly find? How do you scale the effort up to an enterprise worth of applications? How do you scale the effort down to the space in which a 2 week sprint lives? And finally, how do you apply it to continuous deployment?

Speaker Bios: John Steven - John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. He has been leading source code analysis for over 15 years, reviewing everything from kernels, to hypervisors and virtual machines, to massive 20+MLoC web sites and mobile apps. He’s researched static analysis tools and aspect compilers extensively and helped design and build the HP/Fortify SCA tool. As a software developer he’s led design and development of security services and business-critical production applications for large organizations in a range of verticals. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks regularly at conferences and trade shows.

Kevin Glavin - Kevin Glavin is a Senior Consultant who has over 10 years of experience in a variety of roles including Lead Developer, Software Assurance Specialist, and Software Security Analyst. Kevin has worked with a number of Fortune 250 and multi-national companies, as well as government agencies. As a consultant at Cigital, he has led secure code review, penetration testing (hardware, software, and network), and architectural risk analysis of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. He specializes in integrating security testing techniques into existing tools and SDLC methodologies, and leveraging DevOps practices for consistency and agility.

-

Presentation: Cracking and Fixing REST Services

Abstract: REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it - we can write programs with REST. The problem is that writing properties and functions using the web's transfer protocol open them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle - fixing them is a whole other story. You'll need the details, and you'll get them here.

Speaker Bio: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.

-

Presentation: Security Omnipresence: Infiltrating Every Level of a Mature Development Lifecycle

Abstract: It’s easy for a security professional to feel like he’s alone, especially when there are already mature processes in place designed to function without him. And if he does finally break into the development lifecycle, he certainly can’t be everywhere at once. Or can he? We’ll show you how we infiltrated the development lifecycle, spread the message of security, and recruited shadowy agents of change to achieve security omnipresence.

This presentation tells the story of how we were able to integrate concepts from the MS security development lifecycle into the long-established processes in our company. We'll talk about how the initiative started independently in 2 departments for different reasons, yet we combined all our efforts to create a very effective and customized security program.

From our participation in local infosec groups and meetings, we realized that security professionals are having trouble truly integrating security into their company's processes and culture. This talk actually was born from a request by our local OWASP chapter for us to tell the story of how we got as far as having QA doing security testing on top of Development following SDL practices.

Moreover, people seem to get hung up on the idea that security tools and software will solve their problems, when that's not the case. Security is all about the mindset, and that's one of the main points we want to convey.

Speaker Bios: Marion Nepomuceno - is a security engineer at Hyland Software in charge of developing training materials, and working closely with the nearly 200-person development staff on improving their secure coding skills and the security of the product. Marion has given several presentations and classes to audiences of varying sizes on the topic of security concepts and the SDL. He headed up the project to re-fit Microsoft's SDL processes to work within Hyland which houses several different waterfall-based and agile processes. This project has enjoyed significant success that has drawn the attention of the local security community.

Kris French - is a security tester at Hyland Software, and single-handedly created the security program for the QA department. Kris is in charge of creating training materials, creating and leading classes for his security-focused internal education track, managing the QA security champions group, and collaborating with development to aid in the creation of an overall security direction for the company. Kris is also an active member in his local security community and frequent contributor to the proceedings of the OWASP Cleveland chapter. How to foster company-wide adoption

-

Presentation: Information Disclosure: Looking Beyond Vulnerabilities to Freebies

Abstract: While the application security community is focused on tools that test for various vulnerabilities, your servers, developers and organization could be giving out valuable details that just makes an attacker's job so much easier - free information. No vulnerability scanner will find the Stack Overflow post with admin credentials, or the 'hidden' file with a test account, or that obscure error message that makes your database barf. Bill will take you through hands on testing that you can try today: finding out about what your applications, servers, networks, and people are telling attackers about your innermost secrets.

Speaker Bio: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.

-

Presentation: "Lessons Learned from HealthCare.gov - Integrating Security into Complex Software Deployments"

Video of January's Presentation, Lessons Learned from HealthCare.gov, is available HERE

Abstract: The recent problems with Healthcare.gov highlight the fact that many organizations still struggle to secure applications they develop. During this talk, SecureState will take an apolitical approach to looking at what lessons can be learned from the Healthcare.gov rollout and how these lessons can be applied to software you are developing. During this talk, SecureState will use firsthand experience gained from helping a state based health exchange become operational and compliant to the various federal security standards, as well as public information on the security challenges the national exchange faces.

Speaker Bio: Chris Clymer - As the Manager of SecureState’s Advisory Services practice, Chris Clymer works on the design and management of Security Programs as clients’ Security Program Manager (SPM). Chris’s core strengths of developing complex strategies and establishing specific priorities are keys to his ability to provide expert advisory leadership to clients looking to him for guidance. His expertise at defining objectives and conducting in-depth research also serves him well in this capacity. Chris questions frequently and thoroughly, initiates innovation, and improvises solutions – all valuable skills for leading our Advisory Services practice. Chris holds several industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC Certified Penetration Tester (GPEN), GIAC Certified Web Application Penetration Tester (GWAPT), and provisional ISO 27001 Auditor.

-

Presentation: "Threat Modeling - The First Step in Secure Application Development"

Video of April's Presentation, Threat Modeling - The First Step in Secure Application Development, is available HERE

Abstract: Application security issues continue to be a growing concern for businesses large and small. In fact, many people would be surprised to find that some of the most popular mobile apps downloaded are vulnerable to issues found in the OWASP Mobile Top 10 list of common vulnerabilities.

To address these issues security needs to be integrated into the software development life cycle (SDLC) used by the developers. When developing an application in a secure manner threat modeling is an important but often forgotten first step.

This talk will start out an overview of where to integrate security into the SDLC process. The remainder of the talk will focus on the threat modeling portion of the SecSDLC. During this stage the OWASP Mobile Threat Model will be introduced. To provide real world examples vulnerabilities found in many of the top 25 downloaded apps found in the Apple App Store and Google Play will be covered.

Speaker Bios: Matt Neely is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm. At SecureState Matt leads the Research and Innovation team which focuses on imagining, researching and developing methodologies and tools that will solve industry related issues. In addition to Matt’s technical background, his strong understanding of business processes and organizational structure allow him to meet the security needs of the business world. Matt is a regular speaker at various business and security user groups and conferences including Black Hat, Defcon, THOTCON and ShmooCon. Matt recently published the book Radio Reconnaissance in Penetration Testing.

Tom Eston is the manager of the Profiling and Penetration Team at SecureState. Tom leads a team of highly skilled penetration testers that provide attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile applications. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is a security blogger, SANS Mentor, co-host of the Social Media Security podcast, and is a frequent speaker at security user groups and worldwide conferences including Black Hat, DEFCON, DerbyCon, Notacon, SANS, OWASP AppSec, and ShmooCon.

-

Presentation: Reverse Engineering .NET and Java

Abstract: Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. Enjoy a demo filled session on how easy it is to extract information from virtually any .NET or Java application.

Speaker Bio: Kuemerle is a developer and speaker in the Cleveland, OH area specializing in .NET development, security, data base and application lifecycle topics. He is currently a Lead Developer at BookingBuilder Technologies and is active in the technical community as well as a speaker at local, regional and national events.

-

Presentation:“Ninja Developers: Application Security Testing and Your SDLC.”'''

Abstract: The security of enterprise software is one of the key risks organizations can start to control today. As new applications are developed and legacy software is updated, incorporating a measure of security testing can be one of the most critical ways to positively impact an organizations security posture. To properly validate the security of enterprise applications a 3rd party penetration test or assessment may be enlisted - but the cost of testing each application quickly makes this impractical. This situation presents a challenging problem.

Kevin Johnson will explain how your development staff can incorporate techniques distilled from years of experience into your organization's development and release methodology. Whether you're using Agile, RUP or Google programming, these tips and tricks will enable your developers to produce higher quality, more secure code right from the start. Kevin will reveal some of the secrets of the masters learned from experience and industry leadership over the past decade - and show you how you can insert security into your software development lifecycle with minimal disruption and maximum effectiveness.

Speaker Bio: Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking.

-

Chapter Meetings
To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Our chapter is sponsored by SecureState.

Cleveland OWASP Chapter Leaders
The chapter leader is [mailto:kstasiak@securestate.com Ken Stasiak]