Chicago Suburbs

Next Meeting
Please register in advance so building security can let you in with your ID: https://owaspchicagosuburbs.eventbrite.com

Previous Meetings
August 2014 Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Wednesday, August 27th @ 6pm CST

Where: Discover - 2500 Lake Cook Road, Riverwoods, IL 60015

Note: All visitors must enter Discover from the Lake Cook Road entrance and have a valid government issued ID.

Cost: Absolutely Nothing!

Agenda:

6:00p: Food and soft drinks

6:30pm - 9pm: Presentations

Abstracts & Bios:

Chris Pfoutz - Using Third Party Penetration Testers

Many organizations don’t strategize about how to do application pen testing. They often use an existing vendor to expend into the application, do it as needed and in an ad hoc manner. Having implemented application pen testing programs within two organizations, I’ll provide you with my lessons learned to help you quickly formalize and elevate your third party application pen testing efforts.

Jeff Groman - The role of automated and manual testing in the SDLC.

Parker Schmitt - Steganography

June 2014 Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Wednesday, June 25th @ 6pm CST

Where: HP - Esplanade Office Tower, 2001 Butterfield Road, Downers Grove, IL 60651

Cost: Absolutely Nothing!

Agenda:

6:00p: Food and soft drinks

6:30pm - 9pm: Presentations

Abstracts & Bios:

New Automation Domination: Threadfix - Jenkins Plugin by Brandon Spruth

Application Security Program Maturity: BSIMM by Bruce Jenkins

April 2014 Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Wednesday, April 16th @ 6pm CST

Where: HP - Esplanade Office Tower, 2001 Butterfield Road, Downers Grove, IL 60651

Cost: Absolutely Nothing!

Agenda:

6:00p: Food and soft drinks

6:30pm - 9pm: Presentations Abstracts & Bios:

Presentation 1: OWASP Mobile Top Ten 2014 - The New "Lack of Binary Protection" Category by Matt Clemens

Recently, there has been a new addition to the OWASP Mobile Top Ten. At AppSec California, OWASP debuted the 2014 list and briefly highlighted examples of threats in the new M10 category – Lack of Binary Protections. In Matt's talk, Matt will discuss the new category in much more depth. He educates the audience about the prevalence of binary risks in both iPhone and Android mobile apps and highlights the mobile app risks that relate to this new category and how to leverage particular OWASP Projects for the solution. By the end of this talk, you will have a solid understanding of binary risk and how to begin thinking about solutions to this category.

Matt's presentation is available here: here.

Presentation 2: Application DDoS Prevention by Kevin Nassery

Kevin's presentation is available here: here.

February 2014 Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Wednesday, February 19th @ 6pm CST

Where: US Foods, Glenview Farms Conference room, 11th floor, 6133 N. River Rd., Rosemont, IL

Cost: Absolutely Nothing!

Agenda:

6:00p: Food and soft drinks

6:30pm - 9pm: Presentations Abstracts & Bios:

Presentation 1: Healthcare Data Analytics by Daniel Fabbri

Recent U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate use of personal health information (PHI). Unfortunately, current technologies do not meet the security requirements of these regulations. In particular, while electronic medical records (EMR) systems maintain detailed audit logs that record each access to PHI, the logs contain too many accesses for compliance officers to practically monitor, putting PHI at risk. In this talk I will present the explanation-based auditing system, which aims to filter appropriate accesses from the audit log so compliance officers can focus their efforts on suspicious behavior. The underlying premise of the system is that most appropriate accesses to medical records occur for valid clinical or operational reasons in the process of treating a patient, while inappropriate accesses do not. I will discuss how explanations for accesses (1) capture these clinical and operational reasons, (2) can be mined directly from the EMR database, (3) can be enhanced by filling-in frequently missing types of data, and (4) can drastically reduce the auditing burden.

Presentation 2: A Novel Approach to Solving SQL Injection by Karen Heart

Injection attacks, particularly SQL Injection, remains the top risk in software, despite extensive research on methods to prevent these attacks. All of the reported techniques for preventing or mitigating injection attacks work well to some extent, however, no approach so far has succeeded in preventing all of them precisely. A novel approach is proposed that would prevent injection attacks in all cases, including secondary injection, without raising any false positives. The technique is based on a simple algorithm, rather than on a particular technology. As such, the proposed solution would apply to all programming languages and databases, including NoSQL databases.

Karen has many years of programming experience, developing a variety of software using Java, C++, PHP, and other tools. She is primarily interested in computer security and privacy, and she focuses currently on approaches to increasing the safety of software through improved programming practices and tools. She holds an MS in Computer Science from DePaul University, a JD from the University of Texas, and she is presently a 2nd year PhD student in Computer Science at UIC.

December 2013 Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Wednesday, December 4th @ 6pm CST

Where: Crowe Horwath, One Mid America Plaza, Suite 700, Oak Brook Terrace, IL

Cost: Absolutely Nothing!

Agenda:

6:00p: Food and soft drinks

6:30pm - 9pm: Presentations Abstracts & Bios:

Presentation 1: Building an AppSec Program by Chris Pfoutz

Pen testing being the sexy part of Infosec, the first thing most companies want to do when starting an application security program is to scan everything. Unfortunately, learning from experience, this rarely leads to good results. Using my experience in building an application security program and the best practices used by other companies, I’ll show you how to start an effective application security program in your organization. This will include laying the groundwork to ensure proper coverage, using your resources effectively and ensuring proper follow through on remediation activities. Chris Pfoutz has 10 years of experience in a broad breadth of information security fields, including access controls, risk assessments and spending the last three years focused in his passion, software security. He’s been employed or consulted for some of the largest financial services companies in the world and is currently working internally on the Global Application Security team for Deloitte, Touche, Tomatsu Ltd. Chris is certified as a CISSP and GIAC Certified Web Application Pen Tester by the SANS Institute.

Chris's presentation is available here: here.

Presentation 2: It Takes a Village to Secure our Network by Ben Ten

Abstract: With the myriad of tools that are available for purchase, our networks still seem to be desperately unprotected. In this talk I will show you how a community driven Windows based framework that uses Powershell will provide the potential for increased security, easier system maintenance, and will expand our ability to react to threats quickly. The best part is that its completely open sourced. Our security posture will be strengthened when its community driven.

October 2013 Inaugural Meeting:

What: An unbiased, practical, cost-effective gathering to discuss application security.

When:  Thursday, October 10 @ 6pm CDT

Where: Zurich Insurance, South Tower, 1400 American Lane, Schaumburg, IL

Repsheet: A Behavior Based Approach to Web Application Security

Traditional static approaches to web application security are failing us. The interaction before, during, and after authentication is largely ignored. We don't ask the right questions of actors attempting to access our web applications. How sure are you that the act or accessing your site is who they say they are? How sure are you that you want them accessing your site at all? Join Aaron as he walks you through asking the questions you should be asking of your users, and how to help prevent abuse, fraud,and otherwise unwanted activity on your web applications. You will learn how to ask the right questions without disrupting user experience.

Aaron Bedra is the Application Security Lead at Braintree Payments. He is the co-author of Programming Clojure, 2nd Edition as well as a frequent contributor to the Clojure language. Aaron is the creator of Repsheet, a reputation based intelligence and security tool for web applications.