Cincinnati

Welcome to the Cincinnati OWASP Local Chapter. The chapter leader is Marco Morana. The OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the Chapter Rules.

To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. You can also review the email archives to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Upcoming Meetings
Tuesday August 26th
 * Location / Venue Sponsor: Citibank 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537
 * For help with directions contact Citi Blue Ash help desk at (513) 979-9000 or check directions herein.
 * Please access the building from the visitor lobby. OWASP meetings are held at the "Buckeyes" lecture room.


 * Agenda
 * 12:00 - 12:15 Peer-to-Peer Networking
 * 12:15 - 12:30 OWASP Cincinnati Chapter Update
 * 12:30 - 1:30 Presentation: ESAPIJoe Combs, Staff Consultant, SEI - Cincinnati LLC
 * Security controls are central to developing secure applications, yet few development teams code them properly (if they code them at all!). The OWASP Enterprise Security API (ESAPI) provides a set of well defined interfaces for doing security "right" within your application and provides a reference implementation of these interfaces.  ESAPI handles difficult tasks such as validation, encoding, encryption, and more.  This presentation will provide a guided tour of ESAPI capabilities and recommended usage to combat the most pernicious vulnerabilities.


 * Mr. Combs is a consultant with over 11 years experience in the software development industry and cheerleader of security in the SDLC. Before consulting, he spent 8 years developing CRM applications for Convergys.  Mr. Combs holds a BS in Computer Science from the University of Cincinnati and an MS in Computer Science from Northern Kentucky University, where his studies focused on secure software engineering.


 *  RSVP is required to attend the meeting.
 * Citi guards verify that you pre-registered to the meeting by checking the RSVP list. Once you are checked and identified (please bring a proof of ID) you will be granted visitor access to the training facilities.


 * If you plan to attend the meeting please RSVP to Joe Combs

Incoming Meetings Calendar

 * September 23: The CAPTCHA Security Control Marco Morana & Scott Nusbaum
 * October 22: TBD  Blaine Wilson
 * November 25: TBD  Foundstone Consultant Presentation 


 * We look for presenters/contributors for the coming OWASP meetings. A presenter will receive a polo OWASP shirt and is entitled to become member of the local board. If you would like to present a topic, or if you wish to held the meeting at your company premises please send an email to the [mailto:marco.m.morana@gmail.com chapter leader].

July Meeting

 * Building Security Into Applications - Marco M. Morana, TISO Citigroup 
 * The presentation is available herein.


 * How you can best start a software security initiative within your organization? Typically you start to present the business case for software security in terms of cost, threats and root causes. In the case of costs, fixing vulnerabilities by patching applications while are in production is much more expensive than fixing them when the application is still on development. The solution to reduce product defect management costs is to test and fix security issues during the SDLC such as during design, development and deployment for example. Besides testing and fixing security issues in software rather then applications it is important to design and build software with security in mind that is from the start by adopting a software security methodology. Scope of the presentation is to provide organizations with a roadmap for adopting a software security intiative. Software security activities that can be build into the SDLC include use and misuse cases to elicit security requirements, threat modeling to identify flaws in design, secure coding to identify and remediate security bugs during construction, security tests during validation and secure configuration management during development and installation. Software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP provide the necessary security engineering frameworks to build secure software and manage risks in the SDLC. Within such frameworks, the software security activities such as threat modeling, secure code reviews and security testing work as checkpoints and toolgates and allow organizations to manage software security risks by gathering vulnerability metrics and process management metrics. Finally, the purpose of such metrics is to show the effectiveness of the software security initiative to the organization.

June Meeting

 * SQl Injection - Dr. James Walden, Northern Kentucky University
 * The presentation is available herein.


 * Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

May Meeting

 * Cross Site Request Forgery Vulnerability In Depth Dive In - Marco M. Morana, Technologist/Author, TISO Citigroup
 * The presentation is available herein.


 * CSRF vulnerabilities can be exploited to perform un-authorized transactions on behalf of a logged in user by exploiting the trust between the browser session and the web application. Such un-authorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure as well as un-authorized access. The in-depth session will cover how and where CSRF happen, how can be identified (e.g. tested for) and prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail as well as CSRF tools such as CSRF guard

April Meeting

 * The New Face of Cybercrime Movie Premiere And Follow Up Discussion.
 * Major Bruce C. Jenkins, (USAF, Ret.)- Security Practice Director at Fortify Software Inc.

Meeting Sponsor http://www.owasp.org/images/4/4b/Fortify_1.jpg


 * The revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. Learn the shocking exposure of IT systems and how to address the changes.

March Meeting

 * Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup
 * Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software.  Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.


 * An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup
 * Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.  The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

 * OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

January Meeting

 * Introduction to OWASP- Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide. The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.


 * Webgoat and Webscarab Security Tools Use Cases - Blaine Wilson (Citigroup, TISO)


 * The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

Cincinnati OWASP Chapter Board Members
Scope of the board is to discuss and approve local activities, meetings and plans.The board meets informally on the by-weekly basis every other Friday at 7.30 AM at Panera Bread in Blue Ash Directions

The board currently includes the following members:  
 * Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
 * Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
 * Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
 * Chairman of the Board: [mailto:wayne@quirksofart.com H. Wayne Browning]
 * Public Relations: [mailto:aerickson@lucruminc.com Andy Erickson]

About OWASP
The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. Consult the how OWASP works web page for more information about projects and governance.

OWASP Membership
OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand OWASP rely membership fees and sponsorship to support his activities. There are also unique benefits to become a corporate member such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.