Washington DC

Welcome
Welcome to the Home Page of the Washington DC OWASP Chapter.

Our next meeting is September 29th at 2445 M Street NW Washington, DC 20037 at 6:30 PM (food) / 7 PM (talks) Please Register for the meeting if you plan on attending


 * The chapter Co-Chairs are [mailto:mark.bristow__AT___owasp.org Mark Bristow], and [mailto:dougwilson.lists__AT__gmail.com Doug Wilson]. Please contact us with any questions about the chapter.
 * Please subscribe to the mailing list for meeting announcements.
 * You can follow us on Twitter as @OWASPDC
 * Our recent meetings are documented on the News & Meetings tab.
 * You can also check out the archives of this page here Washington_DC Archives.

Meetings & Events
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.

Our next meeting is September 29th 6:30pm at 2445 M Street NW Washington, DC 20037
 * Please Register for the meeting. This helps us get a head count for food and beverages
 * John Steven will speak on Assessing your Assessment Practice
 * Krystal Moon and Quang Pham will speak on DHS Software Assurance Pocket Guides
 * Doug Wilson and Mark Bristow will update on current and upcoming events.

Location Info Different from last month. Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room

About our Speakers


 * John Steven


 * John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.


 * Abstract


 * Assessing your Assessment Practice - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?


 * In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.


 * Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.


 * Krystal Moon


 * Quang Pham


 * Abstract


 * Software Assurance Pocket Guides - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.


 * Secure Coding
 * Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.


 * Architecture and Design Considerations for Secure Software
 * The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.

Participation
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].

News & Meetings
Archives from earlier meetings than contained on this page can be found in the Washington_DC Archives

August 2011 Meeting

Our next meeting is August 24th at 1445 New York Ave NW (Living Social) in Washington DC. Refreshments will be served starting at 6:30 PM, with the presentation starting around 7. This location is very close to both the McPherson Square and Metro Center WMATA train stations.
 * Please REGISTER HERE if you are going to attend so we have an accurate head count.
 * Julian Cohen will speak on Cross-Origin Resource Inclusion in HTML5
 * Doug Wilson & Mark Bristow will update on current and upcoming events.

About our Speaker


 * Julian Cohen


 * Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques.  He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.


 * Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.


 * Abstract


 * Cross-Origin Resource Inclusion in HTML5 - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable.  Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered throughly and w3c specifications will be cited.  An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.

July 2011 Meeting

Our next meeting is July 21st 6:00pm 2445 M Street NW Washington, DC 20037 (*NOTE NEW LOCATION*)
 * Please Register Here
 * Jack Mannino will speak on Building Secure Android Applications
 * Doug Wilson & Mark Bristow will update on current and upcoming events.

NEW LOCATION Folks will need to come up to the 8th floor, when they get off the elevator, walk towards the concierge, then make a left and walk towards the university room

About our Speakers


 * Jack Mannino


 * Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.


 * Abstract


 * Building Secure Android Applications - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best-practices. This is a problem we must solve sooner than later.


 * This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.


 * Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.


 * At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.

March 2010 Meeting


 * Our next meeting will be March 24th at 6:30 PM, at 801 22nd Street NW, Room B149 on the GWU campus in Washington DC (*NOTE NEW LOCATION*)
 * Jeff Ennis from Veracode will be presenting on Application Risk Management
 * Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
 * Chuck Willis will be giving an update on the OWASP BWA project and releasing and update to BWA
 * Doug Wilson will update on plans for future meetings and upcoming events.

About our Speakers

Jeff Ennis


 * Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years experience in information technology.  He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as  they dealt with an ever-changing threat landscape..   Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.


 * Abstract


 * Application Risk Management - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software.  Ensuring that these entities are creating secure software is becoming a daunting task.  Lots of emphasis is placed on IT controls, patching, etc, but the new attack vector is your application.  During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.

Dan Philpott


 * Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.

Chuck Willis


 * Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.

December 2009 Meeting


 * Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
 * We will be recapping and discussing AppSecDC and the OWASP Summit
 * We will discuss other recent events such as the DHS Software Assurance Forum Conference
 * We will be talking about the coming year and upcoming events
 * We will open up the floor for discussion of current events or concerns.

Addition to Agenda

Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.

September 2009 Meeting


 * The meeting was held at September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
 * Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.
 * Doug Wilson talking about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.

XAB -- The Abstract:

Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.

XAB hasn't really revolutionized attacks or defenses in it's short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of it's own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.

During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pour over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.

About our speakers:

Matthew Flick, Principal FYRM Associates

Matt has more than seven years of professional experience in information assurance focusing in network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.

Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.

Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulatory compliance, such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.

Jeff Yestrumskas Sr. Manager InfoSec @ Cvent

Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background spanning over a decade includes forensics, leading penetration tests, application security services and teaching others to do the same.

August 2009 Meeting


 * The meeting was held at August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
 * Dan Cornell of the Denim Group spoke on Vulnerability Management in an Application Security World
 * Mike Smith of Deloitte spoke on SCAP and how it can relate to web application security.
 * Doug Wilson gave an update on AppSecDC 2009

About our speakers:


 * Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.


 * Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.


 * Vulnerability Management in an Application Security World


 * This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.


 * Michael Smith is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.


 * SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.

April Meeting Debrief

We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.

Our big announcement of the meeting was that we are kicking off the Call for Papers for AppSec DC 2009, slated for November 10-13 at the DC Convention Center.

We'd also like to thank:
 * George Washington University and their great staff for the meeting space and A/V support
 * Securicon and Mark Bristow for arranging refreshements.

We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our mailing list!

'''April 22nd 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at 2201 G St. NW Washington, DC 20037

This month, we will have Jon Rose speaking about Flash Remoting and Deblaze.

"Deblaze - A remote method enumeration tool for flex servers."

"Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against flash remoting end points."

"This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications."

"The latest version can be found at deblaze-tool.appspot.com"

Doug Wilson will also discuss the recent OWASP Software Assurance Day that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.

We will also have a few copies of the new OWASP Live CD to hand out, first come, first serve.

You can RSVP for the event on Upcoming.org

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

February 5th 6:30 PM OWASP Meeting, Washington DC

This month we will be holding our meeting at The George Washington University in downtown DC.

The meeting is in Duques Hall, Room 553, which is located at 2201 G St. NW Washington, DC 20037

This month's agenda:


 * 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
 * 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
 * 7:45 - 8:00 Break
 * 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra

You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008

Note on Transportation and Parking

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center

The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

December Meeting Debrief

I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found.

We also took care of some housekeeping stuff:
 * We'd like to thank Mike from Deloitte for offering up his space the last few months but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
 * The OWASP DC Chapter will be hosting OWASP AppSec 2009 sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
 * Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found here
 * Our next chapter meeting will be held in Feburary, topics TBD but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].

To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.

December 10th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:


 * Presentation by Kevin Johnson, InGuardians
 * Round table Discussion of Portugal Summit
 * Open discussion

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E., Samurai, SecTools and Yokoso! projects.

Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.

You can RSVP to the event on Upcoming.org: http://upcoming.yahoo.com/event/1334575

October 15th 6:30pm OWASP Meeting, Washington DC

This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).

The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026. If you are late and can not get in, please call 202.270.8715.

This month's agenda is as follows:


 * Adam Vincent, Hacking and Hardening Web Services
 * Doug Wilson, Report on AppSec NYC 2008
 * Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.

History
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.

In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.

In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused on the needs of Washington DC in specific. The new chapter has tried to reach out to government and academic environments found in DC as well as the private sector.

The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.

Washington DC September Meeting: Facility Sponsor: Anonymous       Refreshment Sponsor: Blue Canopy