Seattle

Next Event 3 February (Wednesday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 2/3/2010 @ 6:30ish

Speakers:

Speaker: Hidetake Jo

Same Origin Policy

Presentations:

- Same Origin Policy slide deck

- Presentation on the Rendezvous toolset

The same origin policy is a simple and important security policy that protects millions of users on the web. It is often oversimplified, and there is a misconception that a single, consistent policy is applied across all web technologies. Unfortunately, this could not be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment each have their own interpretation of the same origin policy, and not understanding the subtle differences can be catastrophic for web security. This presentation tries to summarize the deltas between these interpretations. It is also a call to action for the community to document the policies more comprehensively.
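As an added illustration of the "deltas" the abstract refers to (example code, not part of the talk or its slides), the following computes an origin tuple for a URL and compares two URLs under the (scheme, host, port) rule most browsers use, under the legacy Internet Explorer rule that leaves the port out of the origin, and under the document.domain relaxation that script access checks honour once both pages have opted in. The function names are illustrative; only the Python standard library is used.

```python
# Added example: three interpretations of "same origin" side by side.
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int | None]:
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin_strict(a: str, b: str) -> bool:
    """The rule most browsers apply: scheme, host and port must all match."""
    return origin_of(a) == origin_of(b)


def same_origin_ignoring_port(a: str, b: str) -> bool:
    """Legacy Internet Explorer behaviour: the port is not part of the origin,
    so http://site:80 and http://site:8080 are treated as one origin."""
    return origin_of(a)[:2] == origin_of(b)[:2]


def can_relax_domain_to(hostname: str, target: str) -> bool:
    """document.domain relaxation: a page may shorten its domain to a proper
    suffix that still contains a dot (app.example.com may become example.com,
    but not com). Two pages that both relax to the same value are then treated
    as same-origin by script access, a second policy living beside the strict
    tuple comparison above."""
    hostname, target = hostname.lower(), target.lower()
    return hostname != target and hostname.endswith("." + target) and "." in target


def compare(a: str, b: str) -> dict[str, bool]:
    """Report how the two rules disagree for a pair of URLs."""
    return {
        "strict": same_origin_strict(a, b),
        "ignoring_port": same_origin_ignoring_port(a, b),
    }
```

A test that only checks the strict rule will pass on one browser and miss that a second browser lets a page on port 8080 read a page on port 80 of the same host; the point of the talk is that the checks have to be written per interpretation.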

Hidetake Jo is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate them, and he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.

---

Speaker: Pravir Chandra

Open Software Assurance Maturity Model (OpenSAMM)

Presentation:

Slide deck can be found here

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that is aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was its Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is the author of the book Network Security with OpenSSL.

Previous Event 11 August (Tuesday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 8/11/2009 @ 6:30ish

Speakers:

Speaker: Anil Kumar Revuru

Slides: 

The Microsoft Anti-Cross-Site Scripting Library

The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. In this session we will learn in depth how Anti-XSS works and about its new features, which include the following:
 * An expanded white list that supports more languages
 * Performance improvements
 * Performance data sheets (in the online help)
 * Support for Shift_JIS encoding for mobile browsers
 * Security Runtime Engine (SRE) HTTP module
 * A sample application
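To show what the "principle of inclusions" buys you, here is an added example (not the Anti-XSS library's own code, and written in Python rather than .NET) of an allow-list HTML encoder next to the more usual deny-list encoder. The allow list passes only letters, digits, space and a few punctuation marks and turns every other code point into a numeric character reference, so the encoder does not have to know in advance which characters are dangerous in a given output context. The names and the particular allow list are illustrative.

```python
# Added example: allow-list ("principle of inclusions") encoder vs deny-list encoder.
import re

# Allow list: ASCII letters, digits, space and a few harmless punctuation marks.
# Anything else, including < > & " ' ` = and every non-ASCII code point, is encoded.
_SAFE = re.compile(r"[A-Za-z0-9 .,_-]")


def html_encode_allow_list(text: str) -> str:
    """Pass allow-listed characters through; encode everything else as &#NNN;."""
    out = []
    for ch in text:
        if _SAFE.fullmatch(ch):
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)


# For comparison: a deny-list encoder that escapes only the characters it knows
# about. Correct for those five, silent on everything else.
_DENY = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}


def html_encode_deny_list(text: str) -> str:
    return "".join(_DENY.get(ch, ch) for ch in text)


def untouched_by_deny_list(text: str) -> str:
    """Characters the deny-list encoder passes through unchanged but the
    allow-list encoder would encode. Handy when reviewing an encoder for a
    new output context (e.g. an unquoted attribute, where = and a backtick
    matter), because it shows exactly what the deny list never considered."""
    return "".join(
        ch for ch in text
        if html_encode_deny_list(ch) == ch and not _SAFE.fullmatch(ch)
    )
```

The cost of the allow-list approach is output size (every non-ASCII character becomes an entity), which is why the library ships performance data sheets and a wider allow list for other languages; the benefit is that a forgotten character is encoded rather than passed through.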

Anil Kumar Revuru currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools, including the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library, and has presented security courses internally at Microsoft. He has demonstrated expert proficiency in the substantive and technical areas of design and development. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. He has a keen interest in photography, Xbox and computer hardware.

---

Speaker: Andre Gironda

Using ASVS with the Code Review Guide, Testing Guide, and Time Management

The OWASP Application Security Verification Standard (ASVS), which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to use. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but they also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.

This presentation will provide the 1,000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly and delivered on time and within budget.

Andre Gironda is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.

Previous Event 28 April (Tuesday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 4/28/2009

Speakers:

Speaker: Scott Stender

Securing our Legacy - Responding to the call to provide practical security assurance

Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult. Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.

Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives. In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.

---

Speaker: Ashok Misra

Application Issues with encryption of PANs

There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.

Ashok Misra is an ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants. He is currently Sr. Manager, Payments & Security in the Media Applications Platform Development Division for e-Commerce products at Real Networks, Inc. in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing. Ashok is responsible for billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers. Prior to working with Real Networks he built backend components for ecommerce at Amazon.com. He has comprehensive domain knowledge in consumer payments over the internet with credit cards, EU Direct Debit, real-time bank transfers, redirect payment instruments, fraud detection and PCI compliance.

Previous Event 23 October (Thursday)
Location: 810 Third Avenue

Seattle, WA 98104

Conference room on the first floor

Date: 10/23/2008

Time: 6:30PM

Speakers:

Speaker: Michael Eddington

Fuzzjacking!

Fuzzing is one of the hot new buzzwords in the security industry, and if your clients have not already asked for it, they will. This talk will introduce the subject, talk about different types of fuzzers, integration into the SDL, and when to fuzz, and also talk a bit about the Peach Fuzzing Platform. Questions and interaction requested :)

Michael Eddington is a founding principal of Leviathan Security Group with over ten years' experience in computer security, with expertise in application and network security and in threat modeling. Michael founded the security services practice for IOActive and co-founded the Security Services Center for Hewlett-Packard's services division. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from the Trike threat modeling conceptual framework to the Peach Fuzzer Platform.

Speaker: Chris Weber

Exploiting Unicode-enabled Software

This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports #36 and #39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.

Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.

Previous Event 12 June (Thursday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 06/12/2008

Time: 6:30PM

Speakers:

Speaker: Taylor McKinley

Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking

Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:


 * Explain how dynamic taint propagation works.
 * Show how to retrofit an existing executable to perform dynamic taint propagation.
 * Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.
 * Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.

The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.
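To make the mechanism concrete, here is an added example (not Fortify's product, which instruments the runtime rather than the source) of a miniature dynamic taint runtime in Python. Data arriving from an untrusted source is wrapped in a Tainted string; the string operations a request handler typically uses propagate the mark; a sink records a finding whenever tainted data reaches it. An ordinary QA test with the benign value "alice" therefore surfaces the SQL injection without any malicious input, which is the claim in the abstract. The function names, the sink and the sanitizer are illustrative.

```python
# Added example: dynamic taint propagation driven by a benign functional test.
from __future__ import annotations

FINDINGS: list[dict] = []


class Tainted(str):
    """A str that carries the set of untrusted sources it was derived from."""

    def __new__(cls, value, sources=()):
        obj = super().__new__(cls, value)
        obj.sources = frozenset(sources)
        return obj

    @property
    def tainted(self) -> bool:
        return bool(self.sources)

    # Propagation: any string built from a tainted operand is tainted.
    # __radd__ is used because Python prefers a subclass's reflected method
    # when the left operand is a plain str.
    def __add__(self, other):
        return Tainted(str(self) + str(other), self.sources | _sources(other))

    def __radd__(self, other):
        return Tainted(str(other) + str(self), _sources(other) | self.sources)

    def upper(self):
        return Tainted(str(self).upper(), self.sources)

    def strip(self, chars=None):
        return Tainted(str(self).strip(chars), self.sources)


def _sources(value) -> frozenset:
    return value.sources if isinstance(value, Tainted) else frozenset()


def from_source(value: str, label: str) -> Tainted:
    """Wrap data arriving from an untrusted source (HTTP parameter, header...)."""
    return Tainted(value, {label})


def sql_escape(value) -> Tainted:
    """Sanitizer for the SQL-literal sink: doubles quotes and clears the taint.
    Included only to show the untaint step; parameterised queries are preferable."""
    return Tainted(str(value).replace("'", "''"), ())


def execute_query(sql) -> str:
    """The sink. Record a finding if tainted data reached it, then 'execute'."""
    if isinstance(sql, Tainted) and sql.tainted:
        FINDINGS.append({"sink": "SQL", "sources": sorted(sql.sources), "query": str(sql)})
    return "executed: " + str(sql)


# Application code as a developer might write it; the tester never sees this.
def lookup_user_vulnerable(username) -> str:
    return execute_query("SELECT * FROM users WHERE name = '" + username + "'")


def lookup_user_fixed(username) -> str:
    return execute_query("SELECT * FROM users WHERE name = '" + sql_escape(username) + "'")


def run_functional_test() -> list[str]:
    """An ordinary QA test with a benign value; returns the sources reported."""
    FINDINGS.clear()
    user = from_source("alice", "HTTP param 'user'")   # constructed request input
    lookup_user_vulnerable(user.strip())
    lookup_user_fixed(user.strip())
    return [",".join(f["sources"]) for f in FINDINGS]
```

Only the vulnerable lookup produces a finding, and it does so for the input "alice"; the tester did not need to know what a SQL injection payload looks like. The gap in a toy like this is coverage of propagation (any str method not overridden drops the mark), which is exactly why production tools hook the runtime instead.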

Taylor McKinley, Product Manager, Fortify Software

Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.

Speaker: Scott Stender

Concurrency Attacks in Web Applications

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.

This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.
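The classic instance of the flaw described above is a check-then-act sequence on a shared resource. The following added example (not from the talk) reproduces it deterministically: each request reads the balance, every request is held at a barrier until all have read, and then each writes, so five withdrawals of 60 are all approved against a balance of 100. The fixed handler serialises requests per account so the check and the update cannot be interleaved. The in-memory account store, the per-account lock and the barrier are stand-ins; in a real application the equivalent fix is a database transaction with SELECT ... FOR UPDATE or a conditional UPDATE ... WHERE balance >= amount.

```python
# Added example: a check-then-act race on a shared account, and a serialised fix.
from __future__ import annotations

import threading

ACCOUNTS: dict[str, int] = {}        # account id -> balance (stand-in for the database)
_LOCKS: dict[str, threading.Lock] = {}
_LOCKS_GUARD = threading.Lock()


def _withdraw_body(acct: str, amount: int, barrier: threading.Barrier | None) -> bool:
    balance = ACCOUNTS[acct]                    # check ...
    if balance < amount:
        return False
    if barrier is not None:
        barrier.wait()                          # hold here until every request has read
    ACCOUNTS[acct] = balance - amount           # ... then act, on a stale value
    return True


def withdraw_racy(acct: str, amount: int, barrier=None) -> bool:
    """Vulnerable: nothing stops another request running between check and act.
    The barrier only makes the interleaving reproducible for the test; it is the
    window an attacker hits with concurrent requests."""
    return _withdraw_body(acct, amount, barrier)


def withdraw_safe(acct: str, amount: int, barrier=None) -> bool:
    """Fixed: a per-account lock makes check and act atomic with respect to
    each other. The barrier is ignored because requests no longer overlap."""
    with _LOCKS_GUARD:
        lock = _LOCKS.setdefault(acct, threading.Lock())
    with lock:
        return _withdraw_body(acct, amount, None)


def race(handler, n: int, amount: int, start: int) -> tuple[int, int]:
    """Fire n concurrent withdrawals of `amount` against a fresh account holding
    `start` (assumed >= amount, so every request passes the check and reaches
    the barrier). Returns (requests approved, final balance)."""
    ACCOUNTS["acct"] = start
    barrier = threading.Barrier(n)
    results = [False] * n

    def worker(i: int) -> None:
        results[i] = handler("acct", amount, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ACCOUNTS["acct"]
```

The test the talk calls "difficult targeted testing" is the race() driver: the same handler passes every single-request functional test, and only concurrent requests against one resource reveal that five withdrawals were approved from a balance that covered one.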

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

Previous Event 4 March (Tuesday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 03/04/2008

Time: 6:30PM

Speakers:

Speaker: Billy Rios

Bad Sushi - Beating Phishers at Their Own Game

This talk will expose tactics and tools used by phishers, show how easy it is to hack into the servers used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.

Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work, and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.

This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.

This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Speaker: Jon McClintock

Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.

Jon McClintock is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.

Date: 1/23/2008

Speakers:

Waqas Nazir, DigitSec

presentation

Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.

Presentation Title: Emerging threats in Web 2.0

Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).

Chris Clark, iSEC Partners

Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.

Presentation Title: Ruby on Rails Security

Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.

11/29/2007 @ 6:30PM PST - Seattle chapter meeting

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 11/29/2007

Time: 6PM

Speakers:

Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".

Presentation Title: Hunting security bugs in your code

Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.

David E Stevens III, Senior ROI Analyst, Symplified Inc.

In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.

Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"

In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!

09/06/2007 @ 6PM PST - Seattle chapter meeting

Details: Location: Bellevue Las Margaritas 437 108th Ave NE Bellevue, WA 98004 (425) 453-0535

Time: 6 o'clock

Speakers:
 * Rob Rachwald - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.
 * Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly?  How are developers trained to write code securely?  How are software security tools, such as dynamic and static analysis, deployed for optimal use?
 * Damon Cortesi - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.
 * Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.

 Update:  - Rob's slides can be downloaded from here.  Update #2:  - Damon's slides can be found here.

2/28/2007 @ 6PM PST - Seattle chapter meeting

Details:

Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)

Time: 6 o’clock.

Speakers:
 * Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:
 * Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct for pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).
 * OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.


 * Brad Hill (Senior Security Consultant with iSEC Partners), will be speaking on:
 * XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Past Meetings
1/8/2007 @ 6 o'clock - Seattle chapter meeting.

Details: Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/) Time: 6 o’clock.

Speakers:

Ward Spagenberg of IOActive on the topic "Unraveling PCI".

Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order. We look forward to seeing you all there!