Toronto

The mailing list archive can be accessed from here.

Upcoming Meetings
 Wednesday April 8th 2009, 6:00-8:00 PM EST  at D&T, 4-179B, 121 King Street West, Toronto.

 Topic:  A Laugh RIAt – Rich Internet Application Security

 Speaker:  Rafal M. Los

 Description:  Rich Internet Applications [RIA] are popping up everywhere! Enterprises and boutique online shops alike are rushing to adopt these technologies without really thinking of the implications of moving pseudo-server functionality to the user’s desktop and browser. Hacking these applications has now moved from the challenge of compromising the server, to the significantly smaller challenge of compromising the client. You’ll be able to witness (and try!) first-hand how to manipulate an AJAX-rich web application you or your colleagues probably use many times; as well as see and understand how breaking down a Flash binary object (SWF file) isn’t difficult. These types of applications are now treasure-troves of goodies… don’t miss out on the simple ways you can security test these technologies on your desktop today!

 Future Talks:   May:  Douglas Simpson, Cenzic  Jun:  Jamie Gamble, Security Compass  Jul:  Jason Lam,  Aug: </B> Joe Bates  Sep: </B> Tyler Reguly, nCircle

We are looking for speakers, if you are interested in speaking on security topics please email [mailto:nish@securitycompass.com Nish Bhalla]

Upcoming Meetings November 13th 2008
Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: November 13th 2008, 6:00-7:30 PM EST

Title: Web Application Security and the PA-DSS

Description: The Payment Card Industry's (PCI) Payment Application Data Security Standards (PA-DSS) version 1.1 was released in April 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed “as is”. This discussion will provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Whether you are a web application developer, tester, vendor or just interested in PCI and Payment Applications, this talk will have a message for you.

Presenter: A M Westgate M.Sc., B.Ed., CISSP, QSA, PA-QSA

BIO: A M brings a range of experience as a security systems analyst, a software engineer and as an information security instructor. She has participated in PCI Compliance engagements and PCI gap assessments. In addition, she has been the primary consultant on PA-DSS Validation, PA gap assessments and remediation engagements. A M has over 5 years experience in security software engineering, and has worked in Canada, USA, Ireland and England. She is a confident speaker, and a part time instructor of the CISSP preparation course in the continuing education department at a local university.

Meetings August 14th 2008
Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time:</B> August 14th 2008, 6:00-7:30 PM EST

Title:</B> An Introduction To Reverse Engineering Malware

Session Abstract:</B> This talk will cover the basics of setting up an environment to reverse engineer malware, and an introduction to some tools and techniques that can be used to determine what exactly that bit of unknown, potentially hostile code does. While this is an introductory talk, we'll definitely cover more than "run strings on the binary and see what you get!"

Presenters:</B> Seth Hardy, MessageLabs Inc.

BIO:</B> Seth Hardy recently moved to Toronto to do reverse engineering work for MessageLabs, as part of their antivirus research and response group. Before that, he worked mostly in the areas of vulnerability research and cryptography. In his spare time, Seth likes to work on community-building projects both online and off. He currently holds the GIAC GREM certification, and should have the CISSP before this presentation; if not, feel free to mock him mercilessly for it.

Meetings July 16th 2008
Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time:</B> July 16th 2008, 6:00-7:30 PM EST

Title:</B> Business Logic Flaws

Session Abstract:</B> How they put your Websites at Risk Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.The presentation will provide real-world examples of how pernicious and dangerous business logic flaws are to the security of a website. We'll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Presenters:</B> Trey Ford, Director, Solutions Architecture, WhiteHat Security, Inc.

BIO:</B> Trey Ford is the Director of Solutions Architecture at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website security programs. Mr. Ford also spearheads WhiteHat's participation in the PCI Standards Council and assists customers in selecting WhiteHat services for compliance with the PCI Data Security Standard. In addition, Mr. Ford is a frequent speaker at industry events. Prior to WhiteHat, he was the Compliance Practice Lead at FishNet Security, an information security services provider based in Kansas City. Mr. Ford also founded and operated, Eclectix, a technology consultancy. He is a certified information system security professional (CISSP), a Microsoft Certified Systems Engineer, a Cisco Certified Networking Associate (CCNA), and a Payment Card Industry Qualified Data Security Professional.

Meetings June 18th 2008
Location: The next chapter meeting will be held on June 18th June at D&T, 4-179B, 121 King Street West, Toronto.

Date/Time: June 18th 2008, 6:00-7:30 PM EST

Description: Testing for certain web application vulnerabilities is tedious and time-consuming, and when combined with time constraints, full testing coverage is often not achieved. ExploitMe is a series of Open Source Firefox plugins released by Security Compass for this purpose - automated detection of XSS, SQL Injection, and access control (including the recently released HTTP verb tampering) vulnerabilities.

In this presentation Tom Aratyn and Sahba Kazerooni of Security Compass will demonstrate how the Exploit-Me series of tools can be used during penetration testing to find security vulnerabilities in real web applications.

Presenters: Tom Aratyn (Developer ExploitMe Series), Sahba Kazerooni (Security Consultant, Security Compass) [[Link title]]

May 13th 2008 Meeting
The next chapter meeting will be held on May 13th at a Different Location</B> Delta Meadowvale Resort & Conference Center, 6750 Mississauga Road, Mississauga, ON CA, Phone: 905-821-1981 Directions to the meetings

<B>Topic: </B> A Distributed Web Application Honeypot <B>Date/Time:</B> May 13th 2008, 6:00-7:00 PM EST <B>Description:</B> DShield.org has been extremely helpful in understanding network based attacks. However, over the last few years many interesting attacks target specific web application flaws which are not detected by DShield's sensor system. Collecting similar data for web applications has been challenging for a number of reasons. First of all, the data needed to understand a web application attack is much richer and a simple efficient data model as the one used by DShield will not provide sufficient details. If more detailed data, like complete requests, are collected, data privacy issues become more of a problem. Simple obfuscation or pattern replacement techniques are usually not sufficient to safeguard this information, or they will make it impossible to understand the attack. Lastly, many web application attacks use search engines to find vulnerable systems, instead of just attacking random servers. Over the next few months we plan to roll out a distributed web application honeypot. We will describe how this honeypot will be implemented to address these issues.

<B>Speaker BIO: Dr. Johannes Ullrich</B> SANS Institute As Chief Research Officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in Physics from SUNY Albany and is located in Jacksonville FL.

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

22nd January 2008 Meeting
The next chapter meeting will be held on Jan 22nd at <B>20the floor, 79 Wellington Street West, Toronto, ON M5K 1B9 </B>. Directions to the meetings

<B>Topic: </B>Modern Trends in Network Fingerprinting <B>Description:</B>

<B>Speaker BIO:</B> Jay Graver and Ryan Poppa are Lead Engineers at nCircle Network Security. They specialize in interrogating Applications and Services over the network. Their years of experience have been focused on the non invasive detection of vulnerabilities.

Current Areas of research include; HTTP server analysis, graph theory, SSL library fingerprinting and unobfuscation techniques.

Based in Toronto Ontario, they hold degrees from University of Guelph and the University of Waterloo. You can find their latest posts at blog.glaciertech.ca & numerophobe.com

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

Sponsorship
Many thanks to Deloitte & Touche LLP. for sponsoring the location and food for these meetings.

Speakers
We are always looking for speakers to present on their topic of choice. If you are interested please contact [mailto:nish@securitycompass.com Nish Bhalla]

OWASP Toronto Chapter Committee
The OWASP Toronto Chapter has formed a committee which would help with direction of the chapter. Deloitte & Touches' Application Security Group and Security Compass's Professional Services Group are helping lead this initiative. We are looking for additional members to expand our chapter.

Current Committe Members
Nish Bhalla (Chapter Leader) Reza Kopaee

Meetings
Everyone is welcome to join us at our chapter meetings. These meetings are held every Second Wednesday of the month. We meet at the conference room at Deloitte & Touche. Beverages and snacks are provided.

Address and Directions to the meeting are:

20th floor, the TLC Room (signs will be provided on the floor) TD Centre, TD Waterhouse Tower 79 Wellington Rd. W. Toronto

Directions to the meetings

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

Past Presentations For Download
The past presentations are available for download from here. If you have any comments on the presentations please send them to us.

Basic Web Application Testing Methodology by Nish Bhalla Security Compass

Basic Web Services Security by Rohit Sethi Security Compass

Authentication Security by Hui Zhu

Identity Management Basics by Derek Browne

by Trey Ford

A Laugh RIAt – Rich Internet Application Security by Rafal M. Los