Ottawa

Your Local Chapter
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:joel.hebert@opulentasp.com Joel] or tweet at us owasp_ottawa.

Hope to see you at a meeting soon.

DATE CHANGED: ROP It Like It's Hot: A 101 on BOFs, ROPs, and Shellcode Development on Linux
Who

Nadeem Douba

What

To a normal human, hacking things like browsers and software seems like black voodoo magic. Even people in IT security struggle with the basic understanding of how a buffer overflow works. This workshop aims to demystify the art of exploiting vulnerabilities in binary software and equips you with the tools to pwn software on your own! We'll cover the following topics:

1. A brief introduction to Assembly

2. A brief overview of the Linux Stack

3. Our Toolkit for Exploit Development

4. Controlling the Instruction Pointer
 * Classic BOF (no strings attached)
 * ROP till' you drop (Defeating NX)
 * Where am I? (Defeating ASLR)
 * Silence the Canary (Defeating Stack Canaries)

5. Advanced Topics to Research

Students are expected to bring a laptop as this workshop is hands-on. The following tools/software is required:


 * A VMWare image of 32-bit Kali Linux (download: http://cdimage.kali.org/kali-1.0.9a/kali-linux-1.0.9a-i386.iso)
 * PEDA (https://github.com/longld/peda)- Metasploit (apt-get install metasploit)- Shelln00b (apt-get install shellnoob)- ROPGadget (git clone https://github.com/0vercl0k/rp)
 * IDA Demo 6.6 for Linux (http://out7.hex-rays.com/files/idademo66_linux.tgz)

Students are encouraged to work in groups so encourage your friends to come along!

WARNING: We are in no way responsible for any hair loss during the course of this workshop. Successfully exploiting software may result in unusual happy dance behaviour.

Where

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

''Find the 100 Queen Street Building, Take the elevator to the 5th floor. Be there before 6:00 PM as the elevators stop working then.''

When (NEW DATE)

Tuesday, December 2nd, 2014 from 5:30PM to 7:30PM

Registration

Register for free: here

= Upcoming Event Ideas = We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our Twitter account.
 * N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)
 * Secure Code review
 * (ISC)2 CSSLP introduction
 * Metasploit introduction
 * Web Application Forensics
 * xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
 * HTML5 - What's new for security specially for Offline Applications
 * Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
 * ASP.NET MVC Security for WebForms Developers
 * Hack proofing your web application by using reverse engineering
 * Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =

September 2014
Title:  Cloud Computing – Security and Interoperability Perspectives

What Many organizations are evaluating and migrating toward cloud computing solutions. In 2013, some the key challenges pertain to security and interoperability. Open cloud standards can help manage risks, while fostering efficient solution delivery.

Steven Woodward shares updates from numerous international cloud standards related organizations. In Canada, he leads several of the cloud computing initiatives in both the private and public sectors. This includes being one of the founding board members of the Cloud Security Alliance Canadian Chapter.

Steven describes key cloud ecosystems models; highlighting where security considerations fit, along with different perspectives on interoperability. Several real-life scenarios will be used, highlighting cloud concepts, security, interoperability and the impacts these can have on commitments (functionality, costs, time-to-value and quality). Service Agreements and Service Level Agreements will also be addressed to identify where you may find security and interoperability considerations specified in the contracts.

Who Steven Woodward, CEO, Cloud Perspectives

August 2014
Title: Social Engineering - ASP.Net Defense Systems

What Social Engineering from the ground up. From creation of the attack vectors in the Social Engineering Toolkit, to execution, to defense in ASP.Net. We shall oversee what defense mechanisms or techniques exist to defend against certain Social Engineering Attacks.

The take away: ASP.Net Techniques and modules, SET Experience and techniques.

Who Joel Hebert - MVP

Joel Hebert is a Software Architect who resides in Ottawa. He is passionate about Security and Architecture. He is a seven time ASP.Net MVP and is one of the User Group Leaders in Ottawa. He would like to share his knowledge of Social Engineering, Web Application Defences and Continuous Audit with you to allow you to think about the modern attack vectors that are present.

June 2014
Title: Another Bug? Secure Software Development Lifecycle

What As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

Who Sean Wilson from CBN will be presenting on Secure Software Development.

May 2014
Title:Gone in 60 Milliseconds: Mobile devices, free WiFi and your data

What Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

Who Derrick Webber from CGI will be presenting on mobile device security.

September 2013
Title:What's Hiding in Your Software Components?

What Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

Who Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

June 2013
Title:China: All up in your business - Annoying Persistent Threat edition

What For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems. The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit! This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

Who Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

Slides Slides Video Demo

May 2013
Title: Ottawa IT Camp 2013

What Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

Slides Secure Code Review for .NET Conference presentations and code

January 2013
Title: XML Attack Surface

What Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

Who Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

Slides Download Here

December 2012
Title: Sploitego - Maltego's (Local) Partner in Crime

What Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'. Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

Who Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

Slides Download Here

N00bs Night: Secure Code Review
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

What During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

Who The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

May 2012
Title: OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

Who:The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

When: The event will start at 6PM on May 3, 2012.Please RSVP here

Where: Shopify have kindly offered the board room of their brand new location for the event.

Speaker Notes: Download Here

December 12, 2011
Location: Bell Canada - 160 Elgin St, Ottawa

Title: n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

Who: all skill levels are welcome (especially n00bs)

When: December 12 from 6:00pm - 9:00pm (open at 5:30)

RSVP: http://n00bs-night.eventbrite.com/

September 27th, 2011
Location: Shopify - 61a York St (Above Tucker's Marketplace)

Speaker Notes: Download Here

Microsoft Silverlight Security - A Hacker's Perspective

Abstract

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness &amp; interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo &amp; Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

Speakers:

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

May, Thursday 12th 2011
Location: Bell - 160 Elgin St, Ottawa Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack.

About The Speaker

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private &amp; public sectors &amp; specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants &amp; contributions fraud, corruption investigations &amp; the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence &amp; compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) &amp; a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

About The Speaker David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security &amp; Privacy. His current obsession is building Subgraph, his information security startup in Montréal.

March, Thursday 10th 2011
Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

More Previous Meetings

 * September 10th, 2009 - Justin Foster - Speaker Notes: Download Here
 * April 6th, 2009 - Rafal Los - Speaker Notes: Download Here
 * July 16th, 2008 - John Linehan - Speaker Notes: Download Here
 * November 28th, 2007 - Eric Klien - Make my day

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues]