Seattle

Next Event 23 Jan (Wednesday)
Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535 Date: 1/23/2007

Time: 6:30PM

Speakers:

Waqas Nazir, V-Empower

Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.

Presentation Title: Emerging threats in Web 2.0

Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).

Chris Clark, iSEC Partners

Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.

Presentation Title: Ruby on Rails Security

Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.

Last Event 06 Sep (Thurs)
09/06/2007 @ 6PM PST - Seattle chapter meeting

Details: Location: Bellevue Las Margaritas 437 108th Ave NE Bellevue, WA 98004 (425) 453-0535

Time: 6 o'clock

Speakers:
 * Rob Rachwald - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain.  Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.
 * Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly?  How are developers trained to write code securely?  How are software security tools, such as dynamic and static analysis, deployed for optimal use?
 * Damon Cortesi - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and event the major credit reporting bureaus.  Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.
 * Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will included manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore.  Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.

 Update:  - Rob's slides can be downloaded from here.  Update #2:  - Damon's slides can be found here.

Past Events
2/28/2007 @ 6PM PST - Seattle chapter meeting

Details:

Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)

Time: 6 o’clock.

Speakers:
 * Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:
 * Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
 * OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.


 * Brad Hill (Senior Security Consultant with iSEC Partners), will be speaking on:
 * XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Past Meetings
1/8/2007 @ 6 o'clock - Seattle chapter meeting.

Details: Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/) Time: 6 o’clock.

Speakers:

Ward Spagenberg of IOActive on the topic "Unraveling PCI".

Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order. We look forward to seeing you all there!