South Florida

South florida OWASP Location Sponsor:

Local News
Note To CISSP &amp; CISA Holders: OWASP Meetings can count towards CPE Credits.

Be sure to hook up with us on the social network of your choice to recieve updates on our events!

Facebook

Twitter

LinkedIn

Wednesday, July 17th, 2013 - 6:00pm - South Florida OWASP Meeting – Great talk and networking after

Talk 1: A Security Reference Architecture for Cloud Systems

Reference architectures (RAs) are becoming useful tools to understand and build complex systems and many cloud providers and software product vendors have developed versions of them. However, until now few security reference architectures have appeared. Almost all of them use rather imprecise models and this appears to be the first attempt to define them more precisely. We propose here a Security Reference Architecture (SRA) defined using UML models and incorporating our approach to build secure systems. By SRA we mean a RA where security services have been added in appropriate places to provide some degree of security for the complete cloud environment. We use as starting point our own cloud reference architecture and we combine security patterns and misuse patterns to build a secure reference architecture. By checking if a threat, expressed as a misuse pattern, can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security. We have done a systematic enumeration of cloud threats and have started building a catalog of cloud misuse patterns; with a complete catalog we can apply them systematically and use the reference architecture to find where we should add corresponding security patterns to stop them. We are also building a catalog of cloud security patterns; security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation.

Bio: Eduardo B. Fernandez is a professor in the Department of Computer Science and Engineering at Florida Atlantic University, Boca Raton, Florida. He is now a Visiting Professor at Universidad Tecnica Federico Santa María, Valparaiso, Chile. He has published numerous papers on security models, and object-oriented analysis/design, including two books on security patterns. He has lectured all over the world at both academic and industrial meetings. His current interests include software architecture, cloud computing, and security patterns. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE, and a Member of ACM. He is an active consultant for industry. More details: http://www.cse.fau.edu/~ed

[[Media:SecResearchOWASP7-2013.pdf]]

Facility Location:

NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 Knight Lecture Hall Auditorium 3301 College Ave Fort Lauderdale, FL 33314-7796

Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs

Wednesday, April 24th, 2013 - 5:00pm - South Florida OWASP Meeting – Two great talks and networking after

Join us for our April meeting where we will have two great talks. Please note that the scheduled talks are for 60 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Threat Modeling

As we focus on the threats that plaque our organizations we not only need to understand the threat but also understand the steps used by the attackers. Profiling these attacks enables threat modeling allowing yourself and your organization to understand how to successfully position yourself against threat actors and adversaries. In this session I will share some high level attack profiles or patterns and how we should look at them to successfully set your organizational course and security strategy. I will also share some detailed models which he has previously developed to help organizations successfully model for web application threats.

Bio:James Robinson is Head of Security Architecture and a Strategy Officer at Websense. His key responsibilities are internal security strategy development, innovation, and Websense Strategy. James brings more than a decade of both IT and product engineering security leadership to Websense. He has previously held senior positions with Fortune 150 and Fortune 100 companies including: Emerson Electric, Anheuser- Busch and State Farm Insurance and holds more than 10 industry certifications. Throughout his career James has delivered solutions for network architecture and application security, penetration testing, incident response, security and risk assessment, forensics and investigations and product security.

Talk 2: Adding Security to BPEL Workflows of Web Services

BPEL (Business Process Enterprise Language) is a language for web services composition and several implementations of it exist. For BPEL to be effective, it is necessary that it provides more support for security. BPEL doesn’t present any means to specify security constraints for workflows. BPEL through its activities tries to provide specific functional aspects and any non-functional aspects are expected to be addressed by other (lower-level) specifications. We present here a way to specify security requirements in BPEL. Since BPEL describes workflows, we present its activities using UML activity diagrams, where we apply a threat enumeration approach to determine the required security mechanisms to stop these threats. Our approach goes beyond BPEL and can be applied to BPMN and other business flow languages.

Bio:Ola Ajaj is a PhD candidate in the Dept. of Computer and Electrical Engineering and Computer Science at Florida Atlantic University, Boca Raton, Florida. His current interests include secure systems, web services, cloud computing, and mobile platforms. He holds a MS degree in Computer Engineering from Florida Atlantic University. While completing his education, he worked for Motorola, BlackBerry (RIM before) and IBM. He has published papers on patterns for web services standards, and he continues his PhD dissertation under Dr. Eduardo B. Fernandez supervision.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1052 Located on the 1st floor Eastside of the Building 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, February 27th, 2013 - 5:00pm - South Florida OWASP Meeting – One great talk and networking after

Join us for our first meeting of 2013 where we will have one great talk: The OWASP Top 10 2013 rc1!. Our event sponsor, NoVA will also be there with some important announcements

Talk: OWASP Top 10 2013 rc1

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas and provides guidance on where to go from there. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003 and minor updates were made in 2004, 2007, and 2010.

The latest and greatest OWASP Top 10 2013 rc1 has just been released! Come and get a first hand view of the changes to the OWASP Top 10. Make sure that you don't miss this great opportunity to start the year right!

Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization, mobile and external network tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall (Room 1124) 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, Nov 28, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our November meeting where we will have two great talks. Please note that the scheduled talks are for 45 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Keis Air Vulnerabilities

In this talk, the security issues found (CVE-2012-5858, CVE-2012-5859) in the default installation of the Kies Air Android application bundled with every new Samsung Galaxy S3 will be uncovered. A shell script will be released making detection of running Kies Air simple to explore while bypassing device administration to obtain phone contents or the option to crash the application at will. This is the result of private research and the findings will be publicly disclosed along with tools and a whitepaper.

Bio: Claudio J. Lacayo causes 500 response errors in web applications and is currently evangelizing the use of native code over frameworks.

Talk 2: The Story Behind the Dirt Jumper SQL Injection Whitepaper - An Analysis of DDoS C&C Vulnerabilities The team from Prolexic Technologies PLXsert will talk about their research on vulnerabilities within the Dirt Jumper DDoS botnet. This research has been featured in multiple global media outlets and made international headlines. The talk will discuss the methods, tools, and techniques that were used in the discovery of this vulnerability and the implications for the future of DDoS infrastructures. PLXsert will also discuss the latest trends, techniques, and methodologies being utilized in the DDoS threatscape.

http://arstechnica.com/security/2012/08/ddos-take-down-manual/

http://www.theregister.co.uk/2012/08/15/dirt_jumper_ddos_tool_flaw/

http://threatpost.com/en_us/blogs/researchers-find-flaw-dirt-jumper-bot-081512

http://www.csoonline.com/article/714000/popular-dirt-jumper-ddos-toolkit-riddled-with-security-flaws-research-finds

http://www.darkreading.com/vulnerability-management/167901026/security/news/240005474/prolexic-exposes-vulnerabilities-in-dirt-jumper-ddos-toolkit-family.html

http://www.xakep.ru/post/59168/ Bio: PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post-attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

Please vote on our new poll and let us know what future topics you would like to see presented at our meetings this year : http://www.linkedin.com/groupItem?view=&gid=2462364&type=member&item=101892186&qid=641ae738-dc10-48a0-8eaa-64b664bf99f2&trk=group_most_popular-0-b-ttl&goback=.gmp_2462364

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room TBD 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, Sept 26, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our September meeting where we will have two great talks. Please note that the scheduled talks are for 30 minutes each with a small break in between. We will have a networking event after as usual. Our event sponsor, NoVA will also be there with some important announcements

Talk 1: Application Vulnerability Assessment Risk (AVAR) Score During application vulnerability assessment a number of vulnerabilities may be discovered. Issues discovered during this assessment are given a risk score value or a rating of High, Medium, or Low; mostly based on the Common Vulnerability Scoring System (CVSS) or Common Weakness Enumeration (CWE) risk classification of known vulnerabilities. The industry application vulnerability risk classification models assign a risk level to an issue based on the impact of the specific vulnerability. They do not put into consideration the likelihood of occurrence based on known reported incidents or the impact of interdependencies between related vulnerabilities. The AVAR Score has implemented an approach that provides a holistic analysis on the risk of an application based on the interdependencies of related vulnerabilities and the probability of occurrence. Bio: An avid learner, Jummy has a degree in Engineering Physics but has always been interested in information security and she decided to make a career of it. Over the years, Jummy’s work has included application vulnerability assessments, security audits, and risk assessments for a wide variety of local, national, and international organizations. When she is not occupied with work she tries to invent new cooking recipes and she also volunteers as a mentor to young adults.

Talk 2: JSON Hijacking

JavaScript Object Notation (JSON) is a language and platform independent format for data interchange. JSON is in widespread use with a number of JSON parsers and libraries available for different languages. While some information is available for JSON Hijacking this attack is not very well understood.

Rohini Sulatycki will give an overview of this attack as well as provide a demonstration.

Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 16 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application, virtualization and external network tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA) and is the current co-chair of the South Florida OWASP chapter. She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security.

Please vote on our new poll and let us know what future topics you would like to see presented at our meetings this year : http://www.linkedin.com/groupItem?view=&gid=2462364&type=member&item=101892186&qid=641ae738-dc10-48a0-8eaa-64b664bf99f2&trk=group_most_popular-0-b-ttl&goback=.gmp_2462364

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall (Room 1124) 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, June 27, 2012 - 6:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our June meeting where we will have two great talks. Please note that the scheduled talks are for 30 minutes each with a small break in between. We will have a networking event after as usual.

Talk 1: Bad encryption implementations using PBKDF2 

PBKDF2 is a popular way to generate long encryption keys from human-memorable passwords and passphrases. Used properly, it can keep encrypted sensitive data safe from attackers long enough for its ultimate compromise to be almost moot (assuming the attacker doesn't lose interest and give up first). Used badly, in conjunction with poorly-implemented AES encryption, it will protect sensitive data for approximately 5 minutes against an attacker with a 2 year old laptop and a list of compromised real-world passwords obtained from popular websites.

Presenter Bio: Jeff Skubick is a security analyst with more than a decade of professional experience developing mobile and web applications for companies like Verizon, and a lifetime of recreational hacking that extends far enough back into childhood to remember what happens when you JSR to $FFD2. His second language was 6502 assembly. As a teenager, he doubled his Amiga’s RAM by soldering piggybacked chips onto the motherboard, then spent 10 minutes on the phone with Dave Haynie learning what a "slow PAL" was. In his spare time, he invalidates warranties, builds robots, and takes liberties with local building codes in the name of home automation. He will never, ever make the mistake of buying another Motorola Android phone with a locked bootloader.

Talk 2: Mobile Framework vulnerabilities

Mobile frameworks are being used for cross-platform development and to ease development efforts in producing applications for iOS/Android/Blackberry devices. In this talk we observe bad development practices and expose some issues found in open source frameworks, notably Apache Cordova (previously known as "PhoneGap").

Presenter Bio: Claudio J. Lacayo causes 500 response errors in web applications and is currently evangelizing the use of native code over frameworks.

Please vote on our new poll and let us know what future topics you would like to see presented at our meetings this year : http://www.linkedin.com/groupItem?view=&gid=2462364&type=member&item=101892186&qid=641ae738-dc10-48a0-8eaa-64b664bf99f2&trk=group_most_popular-0-b-ttl&goback=.gmp_2462364

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall (Room 1124) 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

Wednesday, April 25, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after

Join us for our February meeting where in alignment with our previous announcement, we will have two great talks. Please note that food and drink after the meeting will also be sponsored by DBNetworks and OWASP.

Talk 1: How is static analysis is like hunting foxes in the forest?

A brief guide to tools assisted secure code review. Includes a discussion of challenges and recommendations to make your work in static analysis and secure code review more effective.

Presenter Bio: Sean Matthiesen is a Senior Consultant at Cigital, Inc. His expertise is in software development, secure code review, and static code analysis. Sean has provided consulting services to several large commercial clients and has been involved in the development of many mission critical software applications. Over the last 22 years, he has worked as a developer in multiple programming languages, including C++ and Java.

Prior to joining Cigital, Inc., Sean built and managed the static analysis team at a fortune 500 company where he was responsible for all aspects of secure software development including security awareness training, static analysis tool support, secure code review, security architecture review, and software security audits. He has trained over 500 developers on the use of Secure Application Development using IBM Rational AppScan Source, 250 developers on secure software development, and contributed to multiple online CBTs courses. Sean has over 5 years of hands on experience using the Ounce/AppScan Source product. He holds a B.S. in Computer Science from Principia College.

Talk 2: SQL Injection

New reports of SQL injection attacks, on corporate databases, are appearing almost weekly. Applications free from vulnerabilities are always the best defense, but a better backstop is clearly needed since existing solutions are unable to defend against this threat. DBNetworks will present its vision for a future technology which will protect against new and unique SQL injection attacks in real-time.

Presenter Bio: Prior to coming on board at DBNetworks as the Director of Systems Engineering, Stuart Hancock was the Enterprise Cloud Program Manager at Cisco Systems; prior to that, he held positions at Cisco as a consulting engineer and HPC architect, and has worked in the past for a number of startups, as well as EMC, IPivot (acquired by Intel for $500M), Intel, and Wang Laboratories.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

'''Thursday. February 23, 2012 - 5:00pm - South Florida OWASP Meeting - Two great talks and networking after'''

Join us for our February meeting where in alignment with our previous announcement, we will have two great talks. Please note that food and drink after the meeting will also be sponsored by WhiteHat.

Talk 1: Future of Cross Site Scripting defenses

This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense mythologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg.

Presenter Bio: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.

[[Media:OWASP_April_2012.pdf]]

Talk 2:Holiday Downtime, It wasn't just you!

During the holiday season, two researchers in Germany introduced the world to a severe denials of service attack during the 28th Chaos Computer Congress in Berlin on December 28, 2011. This vulnerability affects most web application platforms including ASP.NET, Java, and PHP to name a few. In this presentation, Chris will discuss and demo a working proof of concept of this DoS attack.

Presenter Bio: Christopher Zavala is a native of South Florida and is currently a Web App Pen Tester for Citigroup. A graduate of FIU and as an employee from small business’ to Large corporations; he is very diverse in both his technical and business mindset.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

'''Tuesday. November 29, 2011 - 6:00pm - South Florida OWASP Meeting - Introduction to Mobile Challenges and Procedures'''

Join us for our November meeting where Brent Williams and Michael Patterson will present on Introduction to Mobile Challenges and Procedures: Reversing Android, iOS, Blackberry.

Presenter Bio:

Brent Williams is currently CTO at Equifax/Anakam Identity. In the past he has worked in business development for Homeland Security at SRA International. He obtained his degree from John Hopkins University.

Michael Patterson is the Founder of InAuth, Inc, a company that offers next generation solutions for mobile device security. He is the author of 18 provisional patents related to mobile authentication and fraud detection. He founded SMobile, Inc. which sold to Juniper in 2010.

[[Media:OWASP_mobile_Nov_2011.pdf]]

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

'''Wed. September 28, 2011 - 6:00pm - South Florida OWASP Meeting - Secure Application Development'''

Join us for our September meeting where Rohini Sulatycki will present on Secure Application Development. The talk will cover the following topics.

*  Current Landscape *  Why do security vulnerabilities  occur? *  Design *  Design Patterns *  Threat Modeling *  Development *  OWASP Top 10 *  Testing *  Penetration Testing *  Configuration *  Maintenance

Presenter Bio: Rohini Sulatycki is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 15 years. Rohini specializes in application security testing, code reviews and secure software development conducting a large number of application tests in her capacity at Trustwave. She has strong foundations in software engineering, design and architecture and implementing enterprise applications. Rohini has a background implementing and reviewing all types of applications, from traditional client/server applications to web applications and web services. Rohini has served as the president of the Kansas City OWASP chapter and a member of the High Technology Crime Investigation Association (HTCIA). She has been a technical reviewer for several books and publications including Java Security and IEEE Security and Privacy. She has also presented at various industry events including Black Hat and OWASP FROC on topics such as Web application security, Ajax security concerns and Flash application security. 

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682)

'Wed. Aug 31, 2011 - 6:00pm - South Florida OWASP Meeting - Blackhat/ Defcon Recap - All you wanted to know and everything you missed'

Join us for our August meeting where we will be discussing the latest news, tools and other hacking techniques displayed at Blackhat/ Defcon conferences this year.

If you were unable to make the cons this year, this is a good way to catch up on the most important talks. If you had trouble getting in to a talk or were still nursing that hangover and missed your favorite presentation, this will catch you up. This will also be a good time to reminisce about the Defcon Open CTF and the cons in general.

Presenter Bio:

Claudio Lacayo is a local security researcher currently involved in the financial industry.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1048-1049 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

'Wed. July 27, 2011 - 6:00pm - South Florida OWASP Meeting - Double Feature - SQLMap 0.9 Overview and Analysis + Automated Scanning and Differential Reporting'

Join us for our July meeting where we will be discussing the latest release of one of the most formidable web application attack tools currently available: SQLMap0.9

The meeting will discuss some basic methods of SQL injection vulnerability identification (both error based and blind), and will go over ways to use the SQLMap0.9 tool to test your web application. Futhermore, we will discuss some of the more advanced features of SQLMap that were unavailable in previous releases.

Presenter Bio: Alexander Heid - is a local security researcher and board member of Hackmiami and co-chair of South Florida OWASP. Heid is also employed within the financial industry as a web application vulnerability analyst.

Automated Scanning and Differential Reporting

Companies are struggling with scaling source code scanning, there are not enough security experts to fulfill the current demand. Developers are being overwhelmed with the quantity and quality of issues reported from misconfigured scanning tools. This session will present an automated source code scanning deployment methodology that allows organizations to automatically reduce false positives during scanning and deliver reports that represent the high confidence security risk of the latest software changes.

What will your audience walk away with? 1) Establishment of security policies is key to reducing false positives 2) Automated scanning is easy to configure and requires limited maintenance 3) Differential reporting reduces developer overload by highlighting the risk of recent change

Presenter Bio:

Bruce Mayhew is a Security Solutions Architect at IBM. Bruce has over 20 years of software development experience with the last 13 years focused on application security. At IBM, he is frequently a project lead for application security assessments. Bruce has created an application security practice and training curriculum for large financial institutions and has been a Web Application Security Course instructor for the SANS Institute. Bruce is on the SANS Council for Secure Java Programming and is an author of the SANS GSSP Secure Programming Assessment. He is the primary author of WebGoat and was instrumental in bringing WebGoat to OWASP and currently leads the OWASP WebGoat project. A frequent speaker on application security topics, Bruce has presented at OWASP, NASA, ISSA, NSA, Innovate and many commercial and financial institutions.

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an OWASP Meeting? It's true! Join us to feed your certs.

'''Thurs. March 17, 2011 - 3:30pm - South Florida OWASP Meeting + ISSA Meeting'''

South Florida OWASP is teaming up with South Florida ISSA to bring you a very special St. Patricks Day meeting. There will be an after-party sponsored by Barracuda in Boca. We will have two great talks: Edward Bonver from Symantec will speak on Threat Modeling followed by Grant Murphy from Barracuda presenting their latest research: The State of Web Application Security. This meeting will be held from 3:30pm - 5:30pm at NCCI Holdings, Inc in Boca Raton and the party, sponsored by Barracuda, will be at the Dubliner. NCCI Holdings 901 Peninsula Corporate Cir Boca Raton, FL 33487-1362 Dubliner 435 Plaza Real Boca Raton, FL Talk: Threat Modeling Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we'll take a look at why Threat Modeling is so important; we'll explore the process behind it, and how the process is being implemented and followed across Symantec. Bio: Edward Bonver - Software Engineer, Symantec Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company's software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company's QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks. Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master's degree in computer science from California State University, Northridge, and a bachelor's degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University. Talk: The State of Web Application Security It's no secret that more and more commerce is being conducted via Web applications. Web-based applications are convenient for consumers and allow vendors to get applications online quickly to reach those consumers. This trend has also created a variety of privacy and security concerns that affect all companies transacting business over the Web. Recently, Barracuda networks co-sponsored a research study conducted by the Ponemon Institute titled "The State of Web Application Security" that revealed that these concerns are keenly felt by web application administrators. However, a major disconnect exists as appropriate countermeasures to these threats are either ineffective or completely non-existent. Join us for an informative seminar to learn:

More about our revealing research,

Why Web applications are under attack,

What hackers are doing to compromise Web applications

How to mitigate this risk.

Bio: Grant Murphy, Vice President of Enterprise Solutions, Barracuda Networks Grant Murphy is Vice President of Enterprise Solutions managing worldwide sales for the Barracuda Web Application Firewall and the Web Filtering products at Barracuda Networks. Murphy brings significant experience in the Web proxy/cache market and how these technologies can be used to secure employee's Internet Access as well as the sites they are accessing. He has been a frequent speaker at many security industry events worldwide over the past four years. Prior to joining Barracuda, he was responsible for sales of McAfee's Web and Email filtering products. Murphy earned his CISSP accreditation in March of 2006. Pre-Registration Seating is limited so you must pre-register for the event. You can pre-register for the event here. FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an ISSA Meeting? If you are a CISSP and you provide your CISSP number at registration, we will submit your CPE credits automatically for you.

'''Wed. February 23, 2011 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm Building a Web Application Attack Framework Miguel Turner will be discussing the challenges involved in building a tool to support vulnerability analysts with the automated detection and exploitation of Web application vulnerabilities. Bio: Bio: Miguel Turner currently works for Immunity as a developer, and has worked internationally on a number of endeavors. His current focus and research is on automatic exploitation of Web applications.

'''Wed. December 1, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3032/3034 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm Attacking web applications via XSS with BEeF and Metasploit Join us as Rod Soto presents a method of gaining administrative access to a domain controller through the exploitation of a DOM XSS vulnerability in a web application. The talk serves to demonstrate the risks that are posed through client side exploitation. Bio: Rod Soto is a vulnerability analyst and local security researcher. He is also a consultant to businesses around the globe regarding enterprise security matters. '''Wed. October 6, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm Abstract: Improving application security with ESAPI Swingset The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organisations about the consequences of the most important web application security weaknesses. ESAPI is Enterprise security API's for remediation of OWASP Top 10 vulnerabilities. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI libraries. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI libraries and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. Bio: Fabio is currently working as an Information Security Specialist at AIB Bank (Dublin, Ireland). His tasks include performing risk analysis, assessing the security of web applications developed internally or purchased from third parties, define policies and standards on secure coding, as well as providing training on web application security to developers, auditors, executives and security professionals. Prior to joining AIB, he worked as a Security Engineer at Symantec Security Response European Headquarters analyzing malicious code, blended threats, security risks and vulnerabilities in various applications. Before moving to Ireland, he worked in the development of different training programs and activities with emphasis on secure software development in his native Argentina. <br As a member of the OWASP organization, Fabio is part of Global Education Committee whose mission is to provide training and educational services to businesses, governments and educational institutions on application security, he coordinates international conferences around this topic, and since early 2010 has been appointed chairman of OWASP Chapter in Ireland. Fabio is a graduate in Computer Engineering from the Universidad Católica Argentina and has been granted the CISSP by (ISC) 2 back in 2006.

'''Wed. August 25, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is entitled "PCI Fundamentals" The talk will discuss the PCI compliance process, requirements, and implementations for everything from networks to web applications. The talk will be presented by Ivan Moskowitz.

Presenter Bios:

Ivan Moskowitz is a local security researcher and compliance auditor at a Fortune 100 firm.

'''Wed. July 28, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is entitled "Citrix Vulnerabilities." The talk will discuss the architecture of a Citrix server, as well as the vulnerabilities that exist within various configuration settings. The talk will be presented by Adam Cazzolla and Dickson Kwong.

Presenter Bios:

Adam Cazzolla and Dickson Kwong are local security researchers and web application vulnerability analysts at a Fortune 20 firm.

'''Wed. June 23, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Defensive Web Application Development" and "Modern Digital Crime Tools and Techniques"

This next OWASP meeting will feature two talks that are scheduled to be presented at the upcoming 2600 Hackers On Planet Earth conference (http://www.hope.net) in New York City. We will be featuring a sneak-peek preview of these talks on June 23, 2010 at the Nova campus.

"Defensive Web Application Development" by Pete Greko and Fabian Rothschild

This talk will examine various methods of code obfuscation for web application development. The goal is to make the tracking of covertly logged data too difficult for the average attacker to bother with.

"Modern Digital Crime Tools and Techniques" by Alexander Heid

This talk will examine the latest developments of tools and trends within the world of digital crimes. The talk will go over updates, developments, and plugins of new Zeus trojan variants, and will also examine new versions of various exploit kits used to distruibute malicious payloads. An overview of the digital crime lifecycle will be discussed as well.

Presenter Bios:

Pete Greko - is a local security researcher and board member of HackMiami. Greko is employed within the financial industry as a web application vulnerability analyst.

Alexander Heid - is a local security researcher and board member of Hackmiami and co-chair of South Florida OWASP. Heid is also employed within the financial industry as a web application vulnerability analyst.

Fabian Rothschild - is a local security researcher and member of HackMiami. Rothschild is employed as an security consultant for various clients around South Florida.

'''Wed. May 26, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3032/3034 located on the 3rd floor, Eastside of the Carl DeSantis Building 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "PCI Compliance Fundamentals" by Georgios Mortakis of Enterprise Risk Management, Inc.

The presentation will go over application development to ensure PCI compliance, specifically developing applications to defeat the use of magnetic stripe skimmers. There will be live demonstrations taking place with a magnetic stripe skimmer showing ways to defeat the interception of important data.

Presenter Bio:

Georgios Mortakis (CISSP, CISA, QSA) is a Director of Information Systems Security with Enterprise Risk Management, Inc. Enterprise Risk Management, Inc, found in Miami FL in 1998, offers a wide variety of information security and information systems audit services to local, national (Fortune 500) and international businesses. [[Media:South_Florida_OWASP_May_2010_Card_Skimming_Demo.pdf]]

'''Wed. April 28th, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Room 3049/3051 located on the 3rd floor, Eastside of the Carl DeSantis Building 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Cisco ACE Web Application Firewall Use Cases" by Rob Kinnion and Vikas Deolaliker.

The presentation will give a overview of the WAF market and the real world deployments and customer concerns which will help OWASP evolve the WAF as a product category. This event will also be available during a live WebEx feed. Details are below.

Presenter Bios:

Rob Kinnon has been a Systems Engineer for 10-years at Cisco. He has held the coveted CCIE many years before most people even heard of it. He is one of the most highly respected and formidable Cisco Security engineers within the region. Rob specializes in Cisco Security Architecture in NAC, Intrusion Prevention, Security Monitoring, and Log Correlation just to name a few. Rob has helped countless organizations protect and secure their networks.

Vikas Deolaliker is a Product Manager in DCASBU at Cisco for Cisco WAF. He has helped define and product manage a broad spectrum of products for the datacenter including: SOA Appliances, SAN Director Class Switches, Grid Computing Middleware, Java Enterprise Software. WebEx Live Session Information:

Meeting Number: 201 076 756

Meeting Password: Cisco

To start this meeting

1. Go to https://cisco.webex.com/cisco/j.php?S=201076756

2. Log in to your account.

3. Click "Start Now".

4. Follow the instructions that appear on your screen.

ALERT:Toll-Free Dial Restrictions for (408) and (919) Area Codes

The affected toll free numbers are: (866) 432-9903 for the San Jose/Milpitas area and (866) 349-3520 for the RTP area.

Please dial the local access number for your area from the list below:

- San Jose/Milpitas (408) area:  525-6800 - RTP (919) area:  392-3330

To join the teleconference only

1. Dial into Cisco WebEx (view all Global Access Numbers at

http://cisco.com/en/US/about/doing_business/conferencing/index.html

2. Follow the prompts to enter the Meeting Number (listed above) or Access Code followed by the # sign.

San Jose, CA: +1.408.525.6800 RTP: +1.919.392.3330

US/Canada: +1.866.432.9903 United Kingdom: +44.20.8824.0117

India: +91.80.4350.1111 Germany: +49.619.6773.9002

Japan: +81.3.5763.9394 China: +86.10.8515.5666

http://www.webex.com

IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, do not join the session.

'''Wed. March 31st, 2010 - 6pm - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall - Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) 6pm This meeting's presentation is "Adon't be an Adobe victim: An overview of how recent Adobe-related flaws affect your web application" by Josh Stabiner.

The talk will examine the threats posed by PDF and Flash vulnerabilities to web applications and their users, and will examine ways to mitigate the potential threats to your organization.

Presenter Bio:

Josh Stabiner is a manager in Ernst &amp; Young's Advanced Security Center specializing in attack and penetration advisory services. He manages and executes assessments of web applications, external, internal and wireless networks, as well as physical security and social engineering. [[Media:South_Florida_OWASP_Adobe_ASC_Demo.pdf]] '''Wed. Jan 27th, 2010 - 6pm- South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus Knight Lecture Hall, Room 1124 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is "Zeus &amp; You: Analysis of the underground's most popular trojan" by Alexander Heid and Fabian Rothschild. [[Media:OWASP_miami_Zeus_and_You_01-2010.pdf]] '''Wed. Oct. 7th, 2009 6PM - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus 2nd Floor - Room 2071 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is by Gary Bahadur and will be based on the presentation he is giving at Hacker Halted on the topic of Supplier Risk Management with more of a web focus.

'''Thu. Aug 20th, 2009 3:30PM - South Florida OWASP Meeting'''

Facility Location: NOVA SOUTHEASTERN UNIVERSITY Carl DeSantis Building, Main Davie Campus 1st Floor - Room 1048/1049 3301 College Ave Fort Lauderdale, FL 33314-7796 Phone: 800-541-NOVA (6682) This meeting's presentation is "Security in .NET Applications &amp; Integrating Security in the Software Development Lifecycle" by Jon Arce. This is a joint meeting that has been arranged graciously by the local ISSA chapter (www.sfissa.org). [[Media:OWASP_miami_Integrating_Security_in_App_Dev_v1_1-2009_08.pptx]] [[Media:OWASP_miami_App_Security_Using_dotNET_Framework_v1_0-2009_08.pptx]]

'''Tue. June 30th, 2009 6:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is "Risk Rating Models for Vulnerabilities" by Rishikesh Pande. [[Media:OWASP_miami_Risk_Modeling_v2-2009_06.pdf]]

'''Fri. April 3rd, 2009 6:00PM - South Florida OWASP Meeting'''

Facility Location: Immunity, Inc. 1247 Alton Road Miami Beach, FL 33139 Phone: (212) 534-0857 This meeting's presentation is "Memory Corruption and Buffer Overflows" by Dave Aitel. Dave presented on this topic during the OWASP NYC AppSec 2008 Conference. The presentation will also include some web application content based on Immunity's recent project experiences. [[Media:OWASP_miami_Corruption-2009_04.pdf]]

'''Wed. February 4th, 2009 5:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is "An Architect's view of Application Security" by Rick Carlin. [[Media:OWASP_miami_Architect%E2%80%99s_View_of_Application_Security-2009_02.ppt]]

'''Wed. December 3rd, 2008 5:00PM - South Florida OWASP Meeting'''

Facility Location: Mission Critical Systems, Inc. 1347 East Sample Road, Suite 3 Pompano Beach, Fl 33064 Phone: (954) 788-7110 This meeting's presentation is a live web hacking demo by Dan Carcone.