Washington DC Archives

Meeting: March 23rd

March Meeting Announcement

Our next meeting is on Thursday March 23rd at 1800 hours in the offices of Aspect Security.

This is going to be a technical meeting focusing on AJAX Security.

In case you weren't aware, AJAX is a clever use of existing technologies to provide richer interfaces on the web (think Google Maps). It's growing in popularity and "buzz", so be sure to make this meeting and learn all you can about it.

If you have some AJAX science you'd like to drop on us, then email me directly at mfisher at spidynamics dot com

The Agenda:


 * 1) Opening, introductions
 * 2) Presentation by Rick Pries: An introduction to AJAX
 * 3) Overview and Review of the new OWASP AJAX Security Guide
 * 4) BoF discussion on AJAX and AJAX security
 * 5) Everything Else: Current Events, OWASP news, Industry News, Recent Hacks in the News, Closing, etc.

Food:

As usual, geek food will be provided. This usually means pizza and soda.

Getting there

Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:

From I-95:


 * Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
 * Take the Broken Land Parkway exit
 * Turn left off the ramp onto Broken Land Parkway
 * Turn left at the light onto Guilford Road (0.5 miles)

After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]

We're on the third floor in Suite 300

Unfortunately, being out in the far 'burbs, there is very limited public transport. If you need help getting to the meeting, try emailing the list and asking for a lift.

There are two MARC stations within a twenty minute drive, and the MTA contracted commuter buses drop off within 2 miles of the offices.

Wireless:

I am pleased to announce that we may just have wireless access for the meeting. No promises, but if you're the type who likes to look stuff up in real time then you may want to bring the laptop.

If we *are* lucky enough to get wireless access, there will be a serious "no playing around" policy in place, and anyone breaking it will be kick/banned for life, y'all hear?

December Meeting Notes

[Note: there was no meeting in November due to the holiday crunch. We decided to hold just one meeting in December].

Greetings from the Northern side of the Beltway. I wanted to send out a note to everyone letting them know how great the meeting was last night. The turnout was the perfect size for some "fireside chats".... It was some of the most technical conversation I've had in a long time that didn't involve an instant messaging client.

First of all, thanks again to the ever-generous Aspect Security, who provided not only meeting space, but pizza and a chaperone as well. I'm glad to say that Chuck was there too... Chuck is one of our most highly technical members, and shows up every time, on time.

For those of you who didn't make it, here's what we discussed. Note that I said *discussed*; not presentations. The smaller size of this meeting really afforded some great technical conversation and the loose interactive format was spectacular. If you missed it, well then you missed out.


 * 1) Susan Suskin gave us her thoughts on the AppSec conference for those of you who missed the conference. Apparently the majority of the conference rocked, except for some lam3r presentation on web application worms (mine).
 * 2) NIST's SAMATE project. This is a government funded project that attempts to a) gain serious expertise in app sec to the point of being able to b) define key performance capabilities of app sec tools, c) define metrics for those capabilities, d) create test environments against those metrics, and then e) evaluate and report on all app sec tools. Discussion of this spun off of the discussion of the conference.
 * 3) **The recent GMail hack**. This was really well done (props Andre). Instead of doing a *presentation* on it, shots from the original 'explanation' site were passed around and we all deciphered it together, making a true learning and discussion opportunity. Unfortunately this also mitigated our ability to mock his lamer slides, but I secretly mocked his lamer xeroxing capabilities. I'm just kidding of course: Andre xeroxes like a champ. I think he's certified in it or something.
 * 4) **A Tutorial Walk-Through of SQL Injection and Blind SQL Injection** along with *nasty evasive destructive SQL Injections*, followed by the Web App Sec comedy hour. Those of you who missed the AppSec conference and also missed the meeting last night missed all the humour. Plus, you'll never understand how astute Donald Rumsfeld is with input validation. [ If you read this far, then you get an extra slice of pizza next meeting ]. My next presentation will be stone-cold serious, but equally lame. My presentations should improve once I finish my PowerPoint certification study class.
 * 5) ShmooCon! The coolest conference you'll find in the area. Be there or be square. http://www.shmoocon.org/ If you are already registered for the conference and aren't staying at the Wardman, then please consider booking a room - they need this to lock in the hotel for next year. I'm local, and I have a room!
 * 6) **AJAX** - what it is, what it isn't, who's using it, how it works, and the security implications of it. We all agreed that none of us know enough about it and we're looking for someone with some real expertise to educate us on it. I for one am willing to chip in some bucks for a serious education on it. If we all chipped in, we may be able to get someone to give us a couple hours of tutorial on it. Thoughts?

Next Meeting:

For our next gig, we're trying to get none other than a Special Agent from the Federal Bureau of Investigation to talk to us about the real world legal and prosecutorial environment in relation to cyber intrusions. We will also discuss the latest and greatest hacks, vulns and exploit techniques.

We'd like to see if there's a way to get internet access for the attendees as well. For instance, last night we really could have used a Spanish L33t to English L33t Dictionary while deciphering the Gmail hack. It would be great for doing quick googles, demos, etc. If there are any ideas on how we could secure some wireless that would not place us on the host's network, then please bring it. Netstumbling the office doesn't count.

So now you know, and knowing's half the battle.

- Matt

Tuesday October 25th OWASP Meeting Agenda

The next OWASP DC chapter meeting will be held Tuesday, October 25th at 6pm. The meeting will be held in Aspect Security's office in Columbia MD.


 * Aspect Security, Inc.
 * 9175 Guilford Road, Suite 300
 * Columbia, MD 21046-2565
 * Main: 301-604-4882
 * Fax: 443.583.0772

Directions: http://www.aspectsecurity.com/contact.html

Meeting Agenda:

 * 6:00pm – Initial Meeting kickoff
 * 6:30pm – Special Guest Presentation (Steve Elky, see below for more information)
 * 7:15pm – Pizza / General Discussion
 * 7:30pm – Discussion on AppSecDC 2005 (Jeff Williams will be presenting)
 * 8:15pm – Discussion on Myspace.com “worm”

Special Guest Presentation

This week we have a special guest speaker, Steve Elky. Steve will be discussing the incorporation of security and Certification and Accreditation into the Software Development Life Cycle. A brief overview of the presentation is below.

 * Certification and accreditation (C&A) mandate
 * Certification
 * Accreditation
 * C&A and the Software Development Life Cycle (SDLC): Initiation, Development/Acquisition, Implementation, Operations/Maintenance, Disposal
 * Key Roles
 * Independent Approach to C&A
 * Integrated Approach to C&A

About Steve Elky

Steve Elky is the Technical Director for Information Security at Software Performance Systems, a software company specializing in e-government solutions. Mr. Elky has his CISSP, CISM, ISSAP, ISSMP, MCSE, CNE, GCNT, CCNA and CCSA as well as a B.S. from the University of Baltimore. Mr. Elky acts as a security advisor to various company clients as well as helping company developers determine and meet security requirements. Mr. Elky is currently assisting the Library of Congress in the design and implementation of their security program.

Discussion and review of AppSecDC 2005

Jeff Williams will be reviewing and discussing the happenings of AppSecDC 2005 for those of us who were not able to attend the conference.

Discussion on Myspace.com “worm”

If time permits we will be reviewing the recent myspace.com “worm”, both at a technical level as well as a higher level conceptual view including “what if” scenarios.

Next Meeting - Tuesday, September 27 @6pm

Everyone is welcome to join us at our monthly chapter meeting. It's held on the fourth Tuesday of each month at 6pm. If you have any items you'd like others to talk about, or if you'd like to make a presentation, post your ideas to our mailing list.

OWASP DC-Maryland Chapter Meeting

The Open Web Application Security Project, DC-Maryland Chapter holds meetings on the fourth Tuesday of each month.

LOCATION:

 * SOURCEfire
 * 9770 Patuxent Woods Drive
 * Columbia, MD

(Meeting may be in the rear building, 9780.)

AGENDA:

The agenda for this month's meeting is:


 * Meet & Greet (6pm)
 * PIZZA
 * Group Presentation (7pm)
 * Jeff Williams presents the OWASP Guide 2.0
 * Top Ten feedback survey - Help us test the survey before it's used at the October OWASP conference.

See you there!

Meeting Notes - 7/19/05

At the July 19th meeting, the DC-Maryland chapter took on the topic of the "broken top-ten". We spent 2 and a half hours and digressed many times, often getting lost in the weeds. We did have some useful ideas (I do apologize to the rest of the chapter as these thoughts are largely influenced by my opinions -ed tracy).

After discussing the problems with the many uses of the top ten, we asked what the industry needs. The industry needs awareness and guidance. These are two different things. We will admit it has been great for awareness, aka marketing. And a concern about changing the top ten was raised: a radical change in the top ten is likely to diminish its reputation and its effectiveness at raising awareness.

Now back to guidance (the other thing the industry needs)... The top ten is being used for education, security review checklist, design/implementation guide, etc. Well, the industry needs these things in very concise form. We should give them that. OWASP should produce these (I know some of it's been produced already). These shouldn't be top tens or marketed as top tens, as ten is not going to cover everything and having ten top-tens is silly.

The key is to put a big disclaimer in the top ten that advises people not to use it for a review checklist, design guide, etc. The disclaimer should go on to point people in the right direction for guidance for each of those tasks. We believe the top ten should warn people that it's not fit for those other tasks. Otherwise, they think it is and that creates "FUD."

Training Session Notes - 6/7/05

We held a training session for web app security in early June. About 15 people trickled in at all hours.

Thanks Aspect Security, for providing installation CDs with WebGoat, WebScarab, and Paros.

As a group, we did some of the WebGoat exercises using the WebScarab application proxy.

Thanks to Chuck for demonstrating bean scripting in WebScarab. It's used to automate testing.

Thanks to Matt Fisher for demonstrating Spi Dynamics' WebInspect and its web proxy capabilities.

The session was held at:


 * SOURCEfire
 * 9770 Patuxent Woods Drive
 * Columbia, MD

Meeting Notes - 5/24/05

Thanks to Weilin Zhong for running this meeting.

Weilin led a discussion about security for Web Services. As of mid-August, someone is still trying to sanitize the presentation she gave so that it can be published here.

The meeting was held at:


 * SOURCEfire
 * 9770 Patuxent Woods Drive
 * Columbia, MD

Meeting Notes - 4/26/05

Thanks to Bruce Potter for discussing a comparison of secure development on different operating systems.


 * App Sec News
 * Sorry, this month's notes are lost.

The meeting was held at:


 * SOURCEfire
 * 9770 Patuxent Woods Drive
 * Columbia, MD

Meeting Notes - 3/22/05

Thanks again to Aspect for providing pizza!


 * App Sec News
   * SHA-1 defrocked (http://www.financialcryptography.com/mt/archives/000355.html)
   * XSS Proxy tool described by Andre Ludwig (http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt)
     * Takes an XSS vulnerability and exploits the hell out of it
     * Potential demonstration in the future
 * Ethics Discussion
   * Harvard applicants rejected for "hacking" application website (http://www.pcworld.com/news/article/0,aid,119938,00.asp)
   * Everyone was surprised at the many different opinions of culpability people had
   * Vulnerability Sharing Clubs like this one: http://www.immunitysec.com/services-sharing.shtml
 * Chapter Direction Discussion, Presentation Ideas
   * Are we advancing webappsec, teaching it, or both? Possible work sessions at future meetings to allow both to coexist
   * Inno Eroraha suggested cross-pollinating with other focus groups in the DC area; ideas?
   * Andre Ludwig suggested a demo on the XSS Proxy tool; dates?
   * Matt Fisher suggested revisiting the Secure Model Architecture discussion; volunteers to get this started?
   * Matt Fisher suggested a demonstration of Absinthe and other SQL testing tools; dates?
   * Joe Bui suggested an outreach session held in DC to reach the government audience. Joe is checking for space availability at his office downtown.
   * Several people suggested having a Northern VA meeting. That was countered with the idea of an additional chapter. If someone in VA (or any other area near DC) would like to move one of our meetings to VA, please let me know. I think it's a good idea.
 * Penetration Testing Lab
   * Introduced the OWASP Penetration Testing Checklist (http://www.owasp.org/documentation/testing/application.html)
   * Introduced WebScarab (http://www.owasp.org/software/webscarab.html)
   * Introduced WebGoat (http://www.owasp.org/software/webgoat.html)
 * Gil Prine and Jeff Williams recommended the book "Innocent Code" by Sverre H. Huseby

This meeting was held at:


 * Aspect Security
 * 9175 Guilford Rd
 * Columbia, MD

Meeting Notes - 2/22/05

No meeting this month due to chapter organizers being out of town. See you next month!

Meeting Notes - 1/25/05

This month's meeting saw our biggest turnout yet, with over 20 attendees. Thanks to everyone for coming, thanks to Dave Wichers (dave.wichers@owasp.org) for his presentation, and thanks to Aspect for providing pizza, soda and snacks!

WebScarab and WebGoat presentation by Dave Wichers


 * WebScarab, written by Rogan Dawes (rogan@users.sourceforge.net) and donated to OWASP, has been around about five years in one form or another (please let Rogan know if you use it!)
 * Current version at http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
 * Includes a man-in-the-middle proxy, HTTP request/response editor, filtering traffic logger, session ID analyzer, passive web spider, automatic response modifier, encoder/decoder/hasher, and more; it’s also scriptable with Java Beanshell
 * Dave took us through several of the WebGoat lessons using WebScarab to manipulate traffic and explained common vulnerabilities like cross-site scripting
 * We were shown how to use WebScarab to intercept browser requests and change them before sending them on to the server
 * Discussed some authentication and session management methods such as HTTP Basic Auth (bad), Tomcat JSESSIONID (good), using SSL only for the login (bad), etc.
 * WebScarab will point out which pages on your site set cookies
 * It will show you both raw and formatted HTTP requests and responses and show you a hex editor-like view of binary data such as images

General Discussion


 * Discussed the dilemma of accidentally finding a vulnerability on a public site...do you disclose or not? Will they think you’re a cracker or a saint...or just ignore you?
 * Discussed what other tools people use, commercial and free: Appscan, WebInspect, Sleuth, Nstealth, Achilles, Odysseus, Paros, etc. Some limited use of both the commercial and free scanning tools was identified.
 * Discussed web application "firewalls". No one in the group indicated they were using any of these products.
 * DISA has a checklist for application security (called the Application Security Checklist) at: http://csrc.nist.gov/pcig/cig.html, and NIST is working on the FISMA guidelines, but until there’s a federal regulation on secure development it will be hard to convince them to (pay to) do it
 * Discussed the conundrum of developers having no motivation to think security; mentioned putting security requirements in the business/software requirements; mentioned the OWASP secure software contract annex (http://www.owasp.org/docroot/owasp/misc/contract.doc)
 * Discussed the new application code scanning tools; Ounce Labs' Prexis, Fortify, and Klocwork were all mentioned. Some members had received briefings on them but no significant use was discussed.
 * Since the meeting, some articles about these tools have been identified and are included here for reference:
   * Here's a recent (Jan 2005) article about Fortify: http://www.infoworld.com/article/05/01/14/03TCfortify_1.html
   * Here's an older (Jul 2004) article about a previous release of Ounce's Prexis: http://www.sdtimes.com/news/106/story12.htm
   * A summary of mostly open source application security code analysis tools is available here: http://sardonix.org/Auditing_Resources.html
   * A general article about the emerging web app security capabilities: "Emerging web app security services and products bring source code vulnerabilities to light" http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art975,00.html
   * And in the same Information Security mag article is a summary chart of various product and service vendors in the space: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art978,00.html
   * The vendors' pages for these products are at:
     * http://www.ouncelabs.com/prexis_engine.html
     * http://www.fortifysoftware.com/products/suite/
     * http://www.klocwork.com/products/inspect.asp

Note: OWASP is not endorsing these products in any way. This information is simply provided for the interest of the members of the DC Chapter.

This meeting was held at:


 * Aspect Security
 * 9175 Guilford Rd
 * Columbia, MD

Meeting Notes - 12/28/04

No meeting this month due to the holidays. Happy holidays!

Meeting Notes - 11/23/04

This month's meeting was again held in the first floor conference room at Aspect Security, the chapter's sponsor. A couple "regulars" couldn't make it due to the holiday but it was still well-attended.

IMPORTANT: Future meetings will continue to be on the fourth Tuesday of the month--so the next meeting will be on December 28, again at 6pm. As long as Aspect can reserve the conference room for us, we'll continue meeting there.

Minutes: A slightly smaller group allowed us to keep discussion on topic more easily this month.


 * GEMS Demo: Demonstration of the insecurity of Diebold's General Election Management System (GEMS). See http://www.equalccw.com/dieboldtestnotes.html for more details.
 * DropMyRights: Discussed use of dropmyrights.exe when you're running as administrator but want to run your email and browser with lower privileges. Just create a shortcut that contains "C:\Program Files\dropmyrights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" and use that instead of directly invoking the browser. See http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp for the tool and a short article.
 * OWASP Secure Software Contract Annex: Jeff Williams prepared a draft of this document as a starting point for helping people write software development contracts that include security. We discussed how this contract emphasizes the lifecycle steps, whereas the Ounce Labs version emphasizes specific vulnerabilities. We also discussed the fact that the contract includes "requirements for the requirements" instead of trying to cover everything. The document needs more work on the "teeth," i.e. how to ensure that each element is specific enough to audit. Also, it needs some more work on including risk-related activities before the requirements. The plan is to incorporate a few comments, get approval from the OWASP-Leaders, send it out to WebAppSec and stand up an OWASP project to maintain the document.
 * The OWASP Mission: The contract discussion led into questions about OWASP's constituency and how we are serving them. One view is that OWASP serves developers and the contract effort is not exactly on target. The other view we discussed is that OWASP is focused on the problem of insecure software, and it should do whatever is necessary to raise awareness of the issue. We also discussed OWASP's role as a platform for the application security community. Is OWASP an "if you build it, they will come" model?
 * Open Letter and Requirements Project: We discussed the Open Letter and how it looks like the various product vendors will be working with OWASP to produce a strong list of requirements for all of web application security.
 * Reference Architectures: We discussed the concept for this project again, and examined Microsoft's Improving Web Application Security (http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp). While an impressive effort, it seems like there is a need for platform independent documentation that covers the threat, requirements, and architecture levels, but doesn't go into the source code level.
 * J2EE Filters: Jeff gave a bit of background on how J2EE Filters work. Anil pointed out that this is very similar to how HTTP Handlers work in the .NET environment. We then discussed the types of things that J2EE Filters can do. Jeff showed how to write filters that implement a request rate throttle, an input sanitizer, a certificate validator, an SSL-only verifier, and several other functions. Some ideas raised by the group included a logging filter and a filter to verify that responses carrying Set-Cookie headers are only ever sent over SSL.
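As an added illustration (not Jeff's filter code, which these notes do not include), here is a J2EE Filter that combines the SSL-only verifier with the group's Set-Cookie idea: it rejects any request that did not arrive over SSL, and it wraps the response so every cookie the application sets carries the Secure attribute. It assumes the javax.servlet API (Servlet 2.3 or later) and a web.xml filter mapping on /*.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Assumed web.xml deployment (not from the notes):
//   <filter><filter-name>sslOnly</filter-name><filter-class>SslOnlyFilter</filter-class></filter>
//   <filter-mapping><filter-name>sslOnly</filter-name><url-pattern>/*</url-pattern></filter-mapping>
public class SslOnlyFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // SSL-only verifier: isSecure() is true only when the container
        // received this request over an SSL/TLS connection.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Set-Cookie guard: hand the servlet a wrapped response so that any
        // cookie it adds is flagged Secure, i.e. the browser will only ever
        // return it over SSL, not just receive it over SSL.
        chain.doFilter(request, new SecureCookieResponse(response));
    }

    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse response) { super(response); }

        // Cookies added through the servlet API get the Secure attribute set.
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }

        // Cookies written as raw Set-Cookie headers are patched the same way.
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
        }

        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
        }

        // Append "; Secure" unless the header already carries the attribute.
        static String withSecure(String setCookie) {
            String[] attrs = setCookie.split(";");
            for (int i = 0; i < attrs.length; i++) {
                if (attrs[i].trim().equalsIgnoreCase("Secure")) {
                    return setCookie;
                }
            }
            return setCookie + "; Secure";
        }
    }
}
```

Because the filter refuses plain-HTTP requests outright, the Set-Cookie check never has to reason about the transport; the wrapper's job is only to make sure the cookie stays on SSL for the rest of its life.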

This meeting was held at:


 * Aspect Security
 * 9175 Guilford Rd
 * Columbia, MD

Meeting Notes - 10/28/04

This month we decided to meet in a conference room at Aspect Security, the chapter's sponsor. Aspect was generous enough to provide sodas, chips, and the most delicious brownies anyone ever tasted. Thanks!

IMPORTANT: Future meetings will be on the fourth Tuesday of the month--so the next meeting will be on November 23, again at 6pm. As long as Aspect can reserve the conference room for us, we'll meet there again.

Minutes: We tried to keep the discussion on three main topics: whitepaper topics, a concept for a "webappsec dashboard," and J2EE filters.


 * Whitepaper topics: Jeff has a list of subjects he'd really like to see whitepapers about, but doesn't have time to write about himself. If anyone would like to volunteer to write a whitepaper to be posted on the OWASP site, email Jeff (jeff.williams@owasp.org). Some of the topics that sparked a lot of discussion and interest were:
   * The asymmetric/broken market for security: Consumers can't determine if software is secure so they won't pay more for the claim of security; producers can't charge more for more secure software so they don't make it more secure. How do we get vendors to write secure code? How about for libraries--are the circumstances different? A related but possibly separate topic is, who has the burden of proof--the developer to prove software's secure, or the consumer to prove it's insecure?
   * Secure web app architectures: How do you draw security or secure web app architectures? We're not so good at telling customers where to do security things in the data flow and n-tier diagrams. Can we do this with UML? Data flow diagrams? How about a "reference architecture" for authentication as an example? This may turn out to be a Chapter project.
   * How to decide what to fix first: Is there a quick and easy way for a company with a large number of web apps to determine where they should begin with assessments? If they don't know about any vulnerabilities in any sites, which do they look at first? Maybe we can come up with a short questionnaire for each web app to risk rank them relatively, in the style of The Joel Test. This may also become a Chapter project.
   * Mechanisms, vulnerabilities, and threat models: How do people threat-model attacks? Do they even do it? Could we create a standard suite of threat models for any generic web app?
   * Webappsec requirements: Are people putting security requirements into their business requirements for projects involving web apps? Can we create a standard list of security requirements people can paste in to their project docs?
 * Webappsec dashboard: The concern is that CISOs have no way to get their arms around the state of web app security in their environment. They need a sort of dashboard where they can see metrics and statistics about all their web apps all in one place. Something like this may have to be a tool/software, and OWASP really isn't in the business of writing tools/software.
 * J2EE filters: We didn't have time to discuss this but attendees were interested so it will be on the agenda for the next meeting. Jeff quickly demonstrated a tool to analyze JAR files and show what calls they make.
 * General discussion: More and more Local Chapters are springing up--what kinds of things can chapters contribute? What should they be expected to contribute?

This meeting was held at:


 * Aspect Security
 * 9175 Guilford Rd
 * Columbia, MD

Meeting Notes - 9/30/04

A good time was had by all.

IMPORTANT: Future meetings will be on the last Thursday of the month--so the next meeting will be on October 28, again at 6pm. If anyone has a good suggestion about where to meet, please send it to the list.

Minutes: None recorded.

This meeting was held at:


 * Rocky Run Tap & Grill
 * 6480 Dobbin Center Way
 * Columbia, MD

Meeting Notes - 8/25/04

Thanks to everyone who showed up last night to the first OWASP Washington Local Chapter meeting. It was great to finally put some faces to names, meet some local application security folks, and the Guinness was nice too!

IMPORTANT: Meetings will be on the last Wednesday of the month--so the next meeting will be on September 29, again at 6pm. This time we're going to meet in Columbia, MD at a place to be determined soon. If anyone has a good suggestion about where to meet, please send it to the list.

Minutes: We had some wide-ranging discussions that touched on scanning, brute-force attacks, validation, web app firewalls, and new projects for OWASP.


 * Brute force attacks: We discussed some schemes for handling brute force attacks on websites, some techniques for making a site hard to scan (and why some scanners don't care), and we discussed the combinatorics of generating productive password lists. We also got a demo of Matt Fisher's password generation utility.
 * OWASP and awareness: We had a long discussion about things that OWASP can do to help raise awareness about web application security. Some promising approaches included making some webinars and offering them on the website, and providing more practical stuff (tools, libraries, templates) and not focusing on the academic.
 * OWASP image: We discussed some ways that OWASP could build on the "platform" provided by the new portal. We could move the webappsec list to OWASP from sourceforge, maybe create some different lists (newbie, advanced, SQL injection, etc.). We could create some discussion forums.
 * Metrics: We talked about the new metrics project and what kinds of metrics would be the most useful to the appsec community.
 * Promoting adoption: There were some interesting ideas about things OWASP could do to advance the adoption of good appsec practices. One was to get some buy-in from the FBI (a la SANS) or another high-power agency. Matt Chalmers and Chris Burton are going to pursue a few leads to see if there's interest.

This meeting was held at:


 * Mayorga Cafe
 * 8040 Georgia Av
 * Silver Spring, MD