Cincinnati

Welcome to the Cincinnati U.S.A. OWASP Local Chapter. The chapter lead is Marco Morana. The OWASP chapter meetings are free and open to anyone interested in application security. Chapter meetings are usually held monthly, please consult the calendar for the date of the upcoming meeting. If you have never attended a meeting before and you are interested to attend one in the future please join first the mailing list. The mailing list is also used for sharing application security knowledge among the local community members. You can also review the email archives to see what local folks have been talking about.

OWASP is a non profit organization and as such operates thanks to the volunteering effort of his members as well as on OWASP Membership fees and sponsorship for financial support of the organization's projects and activities. Organization memberships & direct donations to OWASP are fully tax deductible. If you are interested to participate to OWASP meetings as well as OWASP projects and/or activities, we encourage your financial support to the chapter as well as to the OWASP organization.

If you are interested to present at one of the chapter meetings please send an abstract and bio to the chapter chair. Prior to participating to OWASP please review the Chapter Rules.

Upcoming January Meeting

 * When: Wednesday, January 27th, 12.00 - 13.30 PM 
 * If you plan to attend the meeting please RSVP by registering on http://owasp-cincy.eventbrite.com/


 * Russell McMahon, associate professor of IT at the College of Applied Science, University of Cincinnati.


 * What: Microsoft Security Development Lifecycle Tools
 * This talk will focus on the tools that Microsoft has developed for aiding in creating more secure applications. Microsoft developed the SDL system back in 2004 and it has begun to mature, but it still has a way to go. They have incorporated their Threat Analysis Modeling (TAM) tool into their SDL system and now call it SDL-Line of Business (LOB) tool. This talk will also look at some of the other systems that exist for developing secure applications


 * Presenter Bio: Professor McMahon has been teaching IT related subject matter for nearly 30 years. He has been teaching full-time at UC for 10 years and helped create the Information Technology Bachelor of Science degree which started in 2004 and received ABET accreditation in 2006 (one of only ten such programs in the US). He teaches computer programming, database administration, and IT security. He is very active in the IT user group community and helped create TechLife Cincinnati which is for those who have an interest in what is going on in the local IT scene. He has been researching the history of computing at UC and put together a conference marking UC’s first 50 years of computing which started with an IBM-650 in 1958. Prior to coming to UC he has been a teacher at Hughes, Lockland and Colerain high schools, and worked at Cincom and the former Cincinnati Gas & Electric as an IT trainer and in a technical support role. He is married and has 3 grown children. Prof McMahon is a race walker and enjoys competing in local races.


 * Location / Venue Sponsor: Citibank 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537
 * For help with directions contact Citi Blue Ash help desk at (513) 979-9000 or check directions herein.
 * Please access the building from the visitor lobby. OWASP meetings are held at the "Buckeyes" lecture room.


 * Agenda
 * 12:00-1:00 Presentation


 *  Proof of ID is required to attend the meeting
 * Citi guards verify that you pre-registered to the meeting by checking the RSVP list. Once you are checked and identified (please bring a proof of ID) you will be granted visitor access to the training facilities.


 *  Presentation logistics
 * The Citi sponsored lecture room can host up to 53 people and is equipped with video and audio system to be used with the presenter's laptop.

2010 Meetings Calendar
This is a provisory calendar and the incoming meeting is confirmed on month to month basis. In absence of a speaker for a monthly meeting we will opt for an OWASP Video Presentsation & Moderated Forum Discussion or a backup ready talk/presentation from one of our local members. If you would like to present a topic, or if you wish to held the meeting at your company premises please send an email to the [mailto:marco.m.morana@gmail.com chapter leader]
 * January 27,"The Microsoft SDL" Mr. Russell McMahon Associate professor of IT at the College of Applied Science University of Cincinnati
 * February 23,"Application Testing Talk/TBD" Mr. Mark Maxey Principal Consultant Accuvant
 * March 24,"Thick Client Application (In)Security" Mr. Neelay Shah , Senior Software Security Consultant Foundstone Inc a division of McAfee
 * April 27,"Measuring Your Proactive Security Efforts"Mr. Cassio Goldschmidt, Senior Manager, Product Security Symantec Corporation
 * May 5,"Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data" Mr. Jill Naymie, Veracode
 * June 29,"Security of plugins compared to the main applications/TBD"  Dr. James Walden ,Assistant Professor Department of Computer Science Northern Kentucky University
 * July 21,"Botnet Attacks and Web Application Defenses/TBD"Mr. Gunter Ollmann , VP Research. Damballa
 * August 25,"Hackers, Crackers, Phishers, Botnets, Malware and Web 2.0, Oh My!/TBD" Mr. Patrick Gray , Principal Security Strategist Cisco Systems
 * September 29,"Software Security Analysis Talk/TBD" Mr. Jacob West, Software Security Research Group Manager Fortify
 * October 30:"OWASP get together at IMI Conference/OWASP Talk"IMI Security Summit
 * November 25,"Using nessus in web application assessments" Mr. Paul Asadoorian, Security product evangelist/technologist Tenable Security
 * December 8,"Mobile Phone Threats and Defenses" Mr. Syed Rahat, Technology Information Security Officer, Citigroup NA

November Meeting

 * What: Virtual Patching for Web Applications: Theory and Practice Ryan Barnett, Director of Application Security Research, Breach Security Inc
 * Fixing identified vulnerabilities in web application always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes. This presentation will outline exactly when and where Virtual Patching is appropriate and will show the proper steps for their creation and testing.

October Meeting

 *  Threat analysis as methodology for deriving risk-based security tests of web application software Marco Morana OWASP Chapter Lead (presented at 2009 IMI Security Symposium & Expo)
 * The presentationcan be downloaded from here 
 * The risk that a web application might incur in a security incident such a major data breach depends on several risk factors such as the exposure into the public internet, the likelihood of being a target as well as the knowledge, tools and techniques available to the attacker to break into the application. In order to mitigate such risks, web applications are security tested with testing techniques such as penetration testing and secure code analysis. The aim of this presentation is first to introduce the audience to the basics of security testing such as the derivation of functional and non functional security requirements, the execution of security testing as part of the SDLC and as part of developers and tester workflows. The presentation will also cover the most used security testing techniques, OWASP testing guide, tools and vulnerability reporting and testing metrics. Often companies use security tests for meeting compliance requirements such as PCI-DSS, passing such security tests provides a level of application security assurance but in light of several data breaches occurring to organizations today it is logical to ask whether we can consider an application secure because security testing did not found any high and medium risk vulnerabilities. From the perspective of security testing, this status quo advocates the need to a new approach toward security testing: a risk based, threat driven approach. From the risk mitigation perspective, security tests need to validate mitigations against new attack techniques used by cybercriminals and fraudsters and focus on tests where the difficulty of the attack is the least and the impact is the highest. The presentation will provide examples of derivation of risk based security test cases using data from cyber-intelligence reports, attack tree analysis, attack vector analysis, security flaw analysis, use and misuse cases and application threat modeling/secure architecture analysis.

September Meeting

 * The rise of threat analysis and the fall of compliance in mitigating cybercrime risks Marco Morana OWASP Chapter Lead (also presented to OWASP LA and Orange County Chapters)
 * On August 5 of 2009, Federal prosecutors charged Albert Gonzales with the largest case of credit and debit card data theft ever occurred in the United States: 130 million credit cards numbers by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were security compliant with PCI-DSS standard at the time they were compromised: that let question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze the cost of these data breaches by monetizing the losses as being reported in quarterly earning reports (e.g. TJX) as well as impact on stock price (e.g. HPY) at the time of public disclosure. It is shown as monetizing the loss due to data breaches helps to frame non-compliance risks as a factor of business impact and dispelling further the myth that being compliant equals being secure. The effectiveness of traditional compliance-driven security assessments efforts is compared with a threat analysis approach and it is demonstrated how cybercrime risks can be mitigated by understanding threat scenarios through cyber-intelligence: cases of publicly reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. The attacker motives and the means to achieve them will be analyzed by using attack trees:a attack tress allow to study cyber attacks against web applications, breaches of credit card data as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM as well as a way to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors for testing applications against code injection attacks as well as for cybercrime attacks (e.g. HTML-IFRAME Injection Attack Vectors and drive by download) will be provided. Data Flow Diagrams (DFD) Analysis and Architecture Risk Analysis examples will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, enumerate threats as well as to determine threats, attack, vulnerabilities and countermeasures. Security by deployment and security by design concepts will be elaborated as strategic countermeasures with reference to three tier architectures and security by design architecture principles. Finally, mitigation strategies against cybercrime attacks will be discussed as self-awareness questions. The presentation re-affirms that compliance needs to be approached as factor of business risk and needs to consider threat risk modeling and application threat modeling as critical assessments to mitigate cybercrime risks to web applications.

August Meeting

 * OWASP T10 For Web Services  Marco Morana OWASP Chapter Lead
 * The presentation is available herein
 * Following the video presentation from Gunnar Peterson talk at OWASP USA NYC 08 AppSec Conference a summary of OWASP T10 Vulnerabilities for Web Services is highlighted as well as the recommended countermeasures. Discussion points around Web Services security were proposed for discussion as well further reference to OWASP Web Services Security resources.

July Meeting

 * An Empirical Study of Web Application Security Trends  Dr. James Walden Assistant Professor Department of Computer Science Northern Kentucky University
 * What is the current state of web application security? Are web applications more or less secure than they were last year?  This presentation will attempt to answer those questions through an empirical study of popular open source web applications over the past two years.  Data and statistics on vulnerability density, vulnerability types, and vulnerability severity will be analyzed, along with software metrics that may reflect application security.

June Meeting

 * The Web Hacking Incidents Database (WHID) – 2009 Analysis  Ryan Barnett -Breach Security Inc

Meeting Sponsor https://www.owasp.org/images/9/9c/Breach_logo.gif


 * The presentation is available herein
 * The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. WHID goal is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web applications security incidents. The database is unique in tracking only media reported security incidents that can be associated with a web application security vulnerability. This presentation will highlight the statistics gathered from the 1st half of 2009 (January – June) and provide insight into categories such as: 1) Top Attack Methods, 2) Top Compromise Outcomes, 3) Top Target Geographic Region, 4) Top Vertical Markets Hit. The presenter will also provide some in-depth analysis for emerging threats/attack techniques such as planting of malware on websites and reflected cross-site scripting through sql injection.

May Meeting

 * OWASP T10 Vulnerabilities and Security Design Flaws Root Causes  Marco Morana OWASP Chapter Lead
 * The presentation is available herein.
 * The fact that security flaws are still so pervasive in web applications today highlights the need to identify and fix them by looking at the root causes in the application architecture. This presentation will look at OWASP T10 vulnerabilities from the perspective of root causes in design and provide examples on how these vulnerabilities can be identified in a threat model and mitigated at different layers of the application architecture. Strategic and tactical approaches to the OWASP T10 will be discussed. The strategic approach will cover concepts and principles of security by design such as secure architecture principles and requirements for designing security controls. The OWASP Application Threat Modeling process is provided as reference even if not discussed with this presentation.

April Meeting

 * April 28th Presentation: Bad Cocktail: Application Security Flaws + Targeted Phishing  Rohyt Belani is CEO and co-founder of  Intrepidus Group
 * The presentation is available herein.
 * Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies...and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a "hackers" repertoire. Phishers are combining social engineering with application security flaws in well known websites to make automated detection of targeted phishing attacks almost impossible. The result - hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

March Meeting

 * March 24th Presentation: Application Testing Methods and Modern Threats  Presenter: Mark Maxey Principal Consultant – Application Specialist – Accuvant, Inc
 * Walk through the state of the available tools and around finding vulnerabilities, and tie the discussion into PCI DSS

January Meeting

 * Threat Analysis and Modeling  Russell McMahon, associate professor of IT at the College of Applied Science, University of Cincinnati.
 * Security is a big issue and all too often it is only thought of as it applies to the network administrator. However, programmers face a host of threats to their applications. The solution is to build a threat model. The purpose of a threat model is to aid in identifying potential threats before a system is built, not after. This talk will cover some of the common threats to applications and how to prevent them. This talk is based upon Microsoft's Threat Analysis and Modeling (TAM) tool and their newest version which is now part of their Security Development Lifecycle (SDL). This tool has been used by companies such as Ford and Boeing as a part of their total information life cycle process. Additional resources will also be discussed.

November Meeting

 * Web App Hacking for Developers Jeremiah Blatz, Senior Security Consultant, Foundstone Professional Services
 * The presentation is available herein.
 * How safe are your web applications? You'll think twice after seeing how Foundstone security experts dig into their hacker's toolbox and rip open web applications by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery. Even if you've seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Countermeasures to prevent mistakes will then be shared.

October Meeting

 * Phishing: Trends and Countermeasures Blaine Wilson, Information Security Architect, Great American Insurance Group
 * The presentation is available herein.
 * The presentation covered the current trends in phishing and how to establish countermeasures both from an infrastructure perspective, an application development perspective and the user awareness training.

September Meeting

 * Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations Marco Morana (TISO Citigroup) & Scott Nusbaum (Security Analyst Citigroup)
 * The presentation is available herein.


 * Input validation vulnerabilities in web applications can be exploited with attack vectors to cause business impacts such as information disclosure, data alteration and destruction, denial or degradation of service, financial loss fraud and reputation brand damage. Several web applications today have implemented filtering techniques to block such attack vectors; unfortunately such filtering techniques are seldom based on black lists that fail when attackers use filter evasion techniques such as single and double encoding. This presentation will cover the basic understanding of attack vectors, the malicious payloads that can be carried out and the techniques used by attackers to evade input validation filters. Lists of different variations of encoded XSS attack vectors and constructed SQL injection vectors will be presented. From the defensive perspective, these lists can be used as cheat sheets for testing the efficacy of the input filtering techniques. A demonstration of a sample implementation of effective input validation using J2EE struts framework is also presented. During the presentation, web application developers and architects will be introduced to the concepts of canonicalization, encoding and sanitization and guided on the most effective input validation strategies and techniques as well as on the best use of available input validation resources from OWASP.

August Meeting

 * The OWASP Enterprise Security API (ESAPI) Joe Combs, Staff Consultant, SEI-Cincinnati LLC
 * The presentation is available herein.


 * Security controls are central to developing secure applications, yet few development teams code them properly (if they code them at all!). The OWASP Enterprise Security API (ESAPI) provides a set of well defined interfaces for doing security "right" within your application and provides a reference implementation of these interfaces.  ESAPI handles difficult tasks such as validation, encoding, encryption, and more.  This presentation will provide a guided tour of ESAPI capabilities and recommended usage to combat the most pernicious vulnerabilities.

July Meeting

 * Building Security Into Applications - Marco M. Morana, TISO Citigroup 
 * The presentation is available herein.


 * What is the best way to start a software security initiative within your organization? First you need to present the business case to the management in terms of costs, threats and root causes. Subsequently you need to provide a roadmap. The first step of the roadmap is to evaluate the maturity of secure software development processes, tools and training. The next step is to adopt a framework for software security activities, software development and risk management processes: software security enhanced process models such as MS SDL, OWASP CLASP and Cigital TP are examples of security engineering frameworks that can be used. Software security activities such as threat modeling, secure code reviews and security testing work as checkpoints to validate software artifacts and manage software security risks. Finally data such as vulnerability metrics and process management metrics helps to manage and optimize the software security processes in the long term and show the effectiveness of the software security initiative to the organization.

June Meeting

 * SQl Injection - Dr. James Walden, Northern Kentucky University
 * The presentation is available herein.


 * Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

May Meeting

 * Cross Site Request Forgery Vulnerability In Depth Dive In - Marco M. Morana, Technologist/Author, TISO Citigroup
 * The presentation is available herein.


 * CSRF vulnerabilities can be exploited to perform un-authorized transactions on behalf of a logged in user by exploiting the trust between the browser session and the web application. Such un-authorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure as well as un-authorized access. The in-depth session will cover how and where CSRF happen, how can be identified (e.g. tested for) and prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail as well as CSRF tools such as CSRF guard

April Meeting

 * The New Face of Cybercrime Movie Premiere And Follow Up Discussion.
 * Major Bruce C. Jenkins, (USAF, Ret.)- Security Practice Director at Fortify Software Inc.

Meeting Sponsor http://www.owasp.org/images/4/4b/Fortify_1.jpg


 * The revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. Learn the shocking exposure of IT systems and how to address the changes.

March Meeting

 * Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup
 * Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software.  Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.


 * An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup
 * Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.  The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

 * OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

January Meeting

 * Introduction to OWASP- Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
 * The presentation is available herein.


 * OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide. The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.


 * Webgoat and Webscarab Security Tools Use Cases - Blaine Wilson (Citigroup, TISO)


 * The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

Cincinnati OWASP Chapter Board Members
Scope of the board is to discuss and approve local activities, meetings and plans.The board meets informally on the by-weekly basis every other Friday at 7.30 AM at Panera Bread in Blue Ash Directions

The board currently includes the following members:  
 * Chapter Leader: [mailto:marco.m.morana@gmail.com Marco Morana]
 * Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
 * Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
 * Chairman of the Board: [mailto:wayne.browning@citi.com H. Wayne Browning]
 * Public Relations: [mailto:aerickson@lucruminc.com Andy Erickson]

About OWASP
The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. Consult the how OWASP works web page for more information about projects and governance.

OWASP Membership
OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand OWASP rely membership fees and sponsorship to support his activities. There are also unique benefits to become a corporate member such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.