San Antonio

Local News
OWASP San Antonio - May 20 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the May OWASP San Antonio meeting!

Note: New date is Friday, May 20 to avoid Memorial Day conflicts.

We will have a talk about Runtime Application Self-Protection (RASP).

Speaker: Kunal Anand

Bio: Kunal is the co-founder and CTO of Prevoty, a next-generation application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.

Title: Runtime Application Self-Protection (RASP) Tools

Abstract: Kunal will be discussing Runtime Application Self-Protection (RASP) and a new high-performance methodology called language theoretic security (LANGSEC). Kunal will also break down how lexers, tokenizers and parsers work, and construct an open source toolchain to analyze data and explore interactive data visualizations -- covering the challenges of modern AppSec along the way.

http://www.meetup.com/OWASP-San-Antonio/events/231044053/

OWASP San Antonio - April 29 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the April OWASP San Antonio meeting! We will have a talk about AppSec Pipelines!

Speaker: Matt Tesauro

Bio: Matt Tesauro is the a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools. He holds two degrees from Texas A&M University and several security and Linux certifications.

Title: Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better

Abstract:How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security dept which feels inevitable with more traditional AppSec program thinking.

OWASP San Antonio - March 25 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the March OWASP San Antonio meeting! We will have a talk about giving tech talks!

Speaker: Major Hayden

Bio: Major Hayden started at Rackspace in 2006 as a Linux support technician. Over the years, he has worked in support, software development, operations, and information security roles. Major currently works with the OpenStack Private Cloud team with a focus on operations and information security. He blogs frequently on major.io and has been known use Twitter from time to time.

Title: Taming the Technical Talk

Abstract: Many technical people inevitably find themselves up against the most terrifying challenge of their careers: giving a technical talk. Talking in front of large groups of people is never easy, but it can transform the future of software projects or the careers of individuals. This nerve-wracking career catalyst can be tamed, however, through careful planning and thoughtful delivery.

During this talk, we will embark on a journey to overcome our fears and deliver high quality technical talks to small or large groups. We will cover everything from the early stages, such as choosing a topic, all the way to the day of talk itself.

http://www.meetup.com/OWASP-San-Antonio/events/228893612/

OWASP San Antonio - February 26 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the February OWASP San Antonio meeting! We will have a talk about Automated API testing!

Speaker: Matt Valdes

Bio: Matt Valdes is a Security Developer in Test on the Security and Quality Engineering team at Rackspace. Throughout his career, he has been involved in all aspects of the SDLC and is passionate about security testing, process engineering and automation.

Title: Automating Security Tests for APIs

Abstract:RESTful APIs are an increasingly common attack vector for applications. Despite this ever-present threat, open source and commercial vendor support for automatic API security scanners remains limited. With the rate at which APIs are developed, enhanced and deployed, this lack of security test automation creates a gap that at its best limits adoption, and at its worst may leave an application open to attack. To fill the gap in security testing efficiency, members of the Rackspace Quality Engineering and Security Engineering teams worked together to create an Open Source, automated API security scanner.

Syntribos is a flexible, automated scanner that provides configurable test coverage for any HTTP API. Learn how Syntribos enables you to test HTTP APIs in an automated way, helping to detect and eliminate common security vulnerabilities such as SQL injection, command injection, denial of service attacks, and more.

https://github.com/openstack/syntribos

OWASP San Antonio - January 29 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the first OWASP San Antonio meeting of 2016! We will have a talk about XPath Attacks!

Speaker: Luis Torres

Bio: Luis Torres is a security consultant with VerSprite. An avid pen tester, researcher, CTF participant, and bug bounty winner - Luis is a key consultant for VerSprite's AppSec Consulting practice where he focuses his time on client-server, cloud, web services, and fat client security testing. His recent research has been around more damaging exploits around XPath injection which he seeks to share with you today.

Title: XPath Awakens - Attacks & Impact Around XPath Injection

Abstract: XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses XML. Threat agent goals are often aim to circumvent authentication and/or access information in an unauthorized manner.

Developers today use XPaths to perform actions over XML based documents, however insecure coding practices could lead allow for injection issues to surface in web applications. Blind XPath Injection retrieves information by making true/false interrogations with web applications, however they mostly focus on retrieving current query information, skipping sensitive information on XML nodes outside of current query requests. This presentation will extend beyond these blind injection attacks and discuss how to retrieve the entire XML document, using Blind XPath Injection techniques.

OWASP San Antonio - September 18 @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the September 2015 OWASP San Antonio meeting! We will have a talk about detecting security breaches!

Speaker: Josh Sokol

Bio: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPSCan Byte Me" talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

Title: The Fox is in the Henhouse: Detecting a Breach Before the Damage is Done

Abstract: Your firewall is a sieve with more holes poked in it than your Grandmother's pin cushion, your IPS doesn't know a breach from a hole in the ground, and your signature-based anti-virus can't keep up with the ever changing tide of malware being hurled at you from every direction. It's time to take a deep breath and admit to ourselves that the traditional methods of keeping the bad guys out of our networks have failed us. Just over two years ago, we began focusing much of our efforts on incident detection and response. Rather than sinking our precious time and money into tools that would become obsolete before the next BlackHat, we decided to take the time to analyze our networks and got creative with different ways to find the systems that have been compromised that those other technologies couldn't detect. In this presentation, we will walk you through the analytics we are running, the tools that we are using, and the techniques that we employ to find and remediate the bad guys from our networks. Good security doesn't have to break the bank; it just has to break the mold.

OWASP San Antonio - August 28th @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the August 2015 OWASP San Antonio meeting! We will have a talk about building, sniffing and breaking Zigbee (IoT).

Speaker: David Lister

Bio: David Lister (CISSP, CASP, CCISO, CCNA, CEH, ECSA, CPT, RHCSA, Security+ ) has also been active in various roles involving systems administration, network security, incident response, penetration testing, and application security. David holds a Master's degree in Infrastructure Assurance from the University of Texas San Antonio, and is a member of the ISSA, San Antonio Hackers Anonymous, and OWASP.

Title: Building, Sniffing, and Breaking Zigbee

Abstract:This will be a shallow dive into how you can get up and running with Zigbee, what it is and what it’s used for. Also covered will be some of the known ways to break Zigbee networks, and how this relates to application security.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/224725183/

OWASP San Antonio - July 31st @ 11:30am

Denim Group 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the July 2015 OWASP San Antonio meeting! We will be having a talk about compromising Continuous Integration systems.

Speaker: Greg Anderson

Bio: Greg Anderson works for Rackspace where he helps to drive test automation and security.

Title: Is This Your Pipe? Compromising Build and Automation Pipelines

Abstract: As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when developers do CI/CD wrong? Credentials get exposed, hijacked, and re-purposed. I'll talk about how often, where, and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking secrets and how to turn someone's Jenkins Install into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via continuous integration systems.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223970537/

OWASP San Antonio - June 26th @ 11:30am

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the June 2015 OWASP San Antonio meeting. We will be having a talk about Continuous Integration and Continuous Deployment (CI/CD) of OpenStack.

Speaker: Michael Xin

Bio: Michael Xin is working as a manager of security engineering in Rackspace. Before that, he worked as a senior application security engineer in Scottrade Inc. Michael is interested in web application / web service / API security, mobile application security and cloud security. Michael has years of experience with application security assessment, security code review and security SDLC.

Title: OpenStack Security CI/CD Way

Abstract: As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security. Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistence. It is almost impossible to embed these types of security testing into CI/CD process.

In Rackspace, security engineering team is working with quality engineers and developers to integrate security testing into CI/CD process. Security engineering team uses the same framework/tool that quality engineer use to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security-testing cases with QE testing framework. The security test cases cover necessary security checks including common security vulnerability checks and some product specific checks. These security test cases can be run by anyone from the team. They can also be invoked as Jenkins jobs as part of integration test. The failed security test cases indicate some types of security defects and need to be remediated.

The security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within CI/CD process can detect security defect in early stage and reduce remediation costs.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/223161579/

The link of the slides: http://www.slideshare.net/michaelxin2015/openstack-security-cicd-way

The links of the tools: https://github.com/stackforge/opencafe https://wiki.openstack.org/wiki/Security/Projects/Bandit

OWASP San Antonio - May 29, 2015 @ 11:30am

Denim Group - 1354 N Loop 1604 E Ste 110, San Antonio, TX

Join us for the May 2015 OWASP San Antonio meeting. We will be having a talk about Mobile Application Security Assessments.

Speaker: Dan Cornell

Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Title: Application Security Assessments By The Numbers: A Whole-Istic View

Abstract:

By analyzing the data from over 60 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities while today’s mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services.) As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented.

Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232

http://www.meetup.com/OWASP-San-Antonio/events/222536787/

OWASP Invites You to Attend InnoTech San Antonio as our Guest

InnoTech, presented by Presidio, is San Antonio’s premiere IT and security focused conference & expo. We're celebrating eight years of education, technology and networking at this year's event and you won't want to miss it! Mark your calendars now and plan on attending!

Thursday, April 9, 2015 at the Henry B. Gonzalez Convention Center

A limited number of complimentary passes are available for InnoTech San Antonio. Please register at innotechsan.com and use the discount code that you received from your OWASP email list for complimentary admission. Includes coffee, lunch for the first 125 in line and afternoon reception.

Check out the list of speakers and technology demos by visiting http://www.innotechconferences.com/sanantonio/

OWASP San Antonio - March 20th 2015

On March 20th the OWASP San Antonio Chapter is having a FREE one day, single track, conference featuring talks about secure software development, securing the SDLC and application security testing. Whether you’re an information security professional, software developer, or just interested in computer security, anyone and everyone is welcome. We have an all-star set of speakers that will be covering all aspects of managing a security program as well as in depth testing methodologies.

Map:

http://bit.ly/owasp-map

Full Program:

http://bit.ly/owasp-program

Schedule:

9:15 - 9:30 Welcome, Sign-in, kickoff

9:30 - 10:30: Keynote, Scaling an Application Security Program, Glenn Leifheit, Principal Security Architect, Microsoft

One of the largest challenges today is the rapid change in speed of software. We will journey on the path of accelerating but maintaining security, From Small Startup to Largest Enterprise, From Waterfall to Agile. Along the way there will be lessons learned, from successes and failures. What steps can you take to bring security to the next level. Application security is not an easy profession, let’s learn together to take us all to the next level.

About Glenn: Glenn Leifheit is Principal Security Architect for Microsoft Information Technology's ACE (Assessment, Consulting and Engineering) Team. In this role he provides security advice to Microsoft internally as well as external customers. Prior to joining Microsoft, Glenn created, developed and led the application security program for FICO (Fair Isaac Corporation). He also lead FICO’s PCI program. He is also a former co-chair and current member of (ISC)2 Application Security Advisory Council where he helps evangelize for strong application security and advocates for change throughout the industry. Through Glenn's 20 year career in information technology he has focused on security, architecture, OS and middleware design, and operations along with software development. Glenn holds both a CISSP and the CSSLP certifications. He is also passionate about evangelizing security practices to the development community, engaging in over 50 conferences, users groups and code camps as a speaker or panel member. Glenn is also a founding member of TechMasters, a Toastmasters group designed to create a technical speaker community.

10:30 - 11:30: Maximizing Security with Minimal Resources, Chris Maier, Principal Architect, Rackspace

Ever wonder how to intelligently spend your security dollars on the systems that matter most? Are you faced with the common problem of " I don't have an unlimited security budget but I am required to secure all the things"? This session will present concepts, methodologies, and tooling to help you identify your critical systems, set a prescriptive value on your data assets, and rank the systems and information in a way that helps highlight where you should focus your security efforts and dollars. We will also cover how to present this information in a manner that is more business focused, and to ensure that the business understands the risk vs. reward of securing and protecting each of the assets.

About Chris: Chris Maier is a Principal Architect at Rackspace, and in his current role helps design and implement shared infrastructure systems in a secure and compliant manner. Chris has nearly 18 years of production operations experience on a variety of systems including email, identity, databases, directory servers, and a variety of applications servers. Chris has written scripts and code in Bash, VB, Java, C, C++, and a little python for many of the systems he has supported over the years. Because of the 10 plus years spent on identity and authentication systems, Chris is very cognizant of and familiar with a wide variety of security issues and security best practices. Some of Chris' previous positions have included primary DBA for a SOX & PCI compliant billing system, identity infrastructure lead engineer, hosted exchange lead engineer, infrastructure systems lead engineer, and eLearning lead engineer.

11:30 - 12:45: Lunch (provided)

12:45 - 1:45: Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn’t Suck, Josh Sokol, Information Security Program Owner, National Instruments

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.

The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities.

Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.

About Josh: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.

1:45 - 2:45: Automating Security Tests with Selenium, Brady Vitrano, Lead Quality Engineer, Rackspace, Charles Neill, Security Engineer, Rackspace

Rackspace Quality and Security Engineers are building a framework to automate both functional testing and security testing within the browser. To learn about the basics, this presentation looks at our approach to automating functional testing and security testing for web applications. You will learn about Selenium, and how to write some tests of your own. We will also teach you how to run your test cases using a Selenium grid to speed up the testing process.

About Brady: Brady is an aspiring mad scientist.

About Charles: Charles is a Security Developer - Test II for Security Engineering team at Rackspace. He enjoys finding new vulnerabilities in everything from webapps to smart TVs.

The slides download link: https://www.owasp.org/images/4/49/Owasp_automation_talk.pptx

2:45 - 3:45: Making Security as Agile as Development: Adding DevOps and TDD to your security program, Matt Tesauro, Application Security Leader, Pearson

Software and application development are not slowing down. Is your AppSec program able to keep pace? With agile development, continuous deployment, DevOps, and Cloud the pace of change in the software industry has only increased. As as AppSec professional, you face rapidly delivered services while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment.

In this talk will cover how Matt has put these practices in place at Pearson after doing similar work at Rackspace. What are the key ways to keep your AppSec program agile enough to keep up with the pace of change today. Methods will be discussed for securing infrastructure, apps, APIs and source code. Even if you are not in the DevOps, CI/CD world today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

About Matt: Matt Tesauro is the Application Security Lead Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP WTE project, a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.

3:45 - 4:00: Close

OWASP San Antonio Chapter - Feb 11 2015 @ 11:30am 

Come to the first OWASP San Antonio meeting of 2015. We will be having a talk on BeEF - the Browser Exploitation Framework Project and discussing plans for the rest of 2015.

Speaker: Charles Neill

Bio: Charles is a Security Developer at Rackspace, where he does application security for products developed in-house, as well as OpenStack projects and other third-party products. He also develops tools to assist with security testing.

Title: Introduction to Cross-Site Scripting with BeEF

Abstract:

Cross-site scripting is a well-known attack vector at this point, but many people still don't understand the full risk of being vulnerable to it. BeEF is a framework that combines lots of different tools that can be useful to an attacker after finding a cross-site scripting bug in a site. The purpose of this talk is to demonstrate the potential severity of a cross-site scripting attack, leveraging BeEF to trick the user in various ways and to try to get as much useful information out of them as possible.

The slides download link: https://www.owasp.org/images/e/e1/Xss-owasp.pptx

Past Events
https://www.owasp.org/index.php/San_Antonio/pastEvents