Los Angeles/2012 Meetings

December 19 2012, Daily Grill - Downtown LA

Final OWASP Meeting of 2012, Just Before the End of the World 

Network with your OWASP peers as we celebrate the last days on earth, according to the Mayan calendar. Or, if you are a non-believer, share good stories and research with the most enlightened group of web security folks west of the Mississippi. Operators are standing by.

November 28 2012, Symantec Offices, Culver City

WCF Security – Securing your Service Oriented Architecture

Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework. In this session, Adnan Masood will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.

This talk is focused on WCF security features, with code demonstrations of using behaviors and bindings to configure security for your WCF service. Bindings and behaviors allow you to configure transfer security, authentication, authorization, impersonation, and delegation, as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF: what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF, and what options are available for auditing in WCF.

Targeted towards solution architects and developers, this talk will provide you with architectural guidance regarding authentication, authorization, and communication design for your WCF services; solution patterns for common distributed application scenarios using WCF; and principles, patterns, and practices for improving key security aspects in services.

Speaker: Adnan Masood

Adnan Masood works as a web architect / technical lead for a financial institution where he develops SOA-based middle-tier architectures, distributed systems, and web applications using Microsoft technologies. He is a Microsoft Certified Trainer holding several technical certifications, including MCPD (Enterprise Developer), MCSD .NET, and SCJP-II. Adnan is attributed and published in print media and on the Web; he also teaches Windows Communication Foundation (WCF) courses at the University of California at San Diego and regularly presents at local code camps and user groups. He is actively involved in the .NET community as cofounder and president of the San Gabriel Valley .NET Developers group.

Adnan holds a Master’s degree in Computer Science; he is currently a doctoral student working towards a PhD in Machine Learning, specifically discovering interestingness measures in outliers using Bayesian Belief Networks. He also holds a systems architecture certification from MIT and an SOA Smarts certification from Carnegie Mellon University.

October 29 2012, Symantec Offices, Culver City

Carpe Datum: Drinking from the espresso firehose we know as Shodan

Have you ever stayed up until 5am fiendishly digging around on Shodan? I have. More times than I care to admit. I’m starting to find patterns. Shodan is genius. It’s a glorious search engine that catalogs the banners from TCP connections on several ports – for the entire IPv4 internet. This makes for some bodacious late night reading. The findings, on the other hand, are in a lot of cases most heinous. SCADA, power company networks and controls, thousands of webcams, weed growrooms, .gov/.mil border routers and SharePoint systems. It’s a little overwhelming. I decided to sift it all through a strainer to make it easier to take in. So I wrote a scraper script and a viewer to better parse the results! Come with me on an excellent adventure – but without Bill or Ted – more like the haunted mansion ride, except all the ghosts and spooks are systems or cameras left wide open on the internet. Did you know you could telnet into hydrogen fuel cells? Neither did I!

Speaker: Dan Tentler

September 19 2012, Special Dinner Meeting with Los Angeles Chapters: OWASP, ISSA, ISC2 and CSA

Why Software Still Stinks; Conclusions from a Decade of Research

Insecure software applications are the biggest threat behind data breaches and the source of over 90% of all security vulnerabilities, according to NIST. Software security tools and training have been available for years. So why do most organizations still produce insecure code? This session discusses a 10-year research study and an Application Security Maturity Model that documents how organizations mature over time and why so many application security initiatives fail.

Speaker: Ed Adams

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. He is a Ponemon Institute Fellow and founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association established to define cross-industry application security metrics and best practices. He sits on the board of the Massachusetts North Shore Technology Council (NSTC), National Association of Information Security Groups (NAISG), and the International Secure Software Engineering Council (ISSECO).

August 1 2012, Symantec Offices, Culver City

This meeting will be a Black Hat/DEFCON recap.

June 27, 2012, Symantec Offices, Culver City

Flame Malware

The discovery of the Flame malware that targets Middle Eastern countries, predominantly Iran, has brought politically motivated threats into the spotlight again. In this talk I will discuss the Flame malware and contrast it with other politically motivated threats we have seen. I will discuss how Flame was discovered, what it is capable of, and give updates on the latest analysis. In addition I will talk about the increasing use of cyber espionage and what that may mean for software developers. Flame is peculiar in that it was written with a combination of C++, Lua and SQLite. I will show how the threat uses these technologies and how that differs from the malware we see every day.

Speaker: Liam O Murchu

Liam O Murchu is a manager of Security Response at Symantec. He has appeared on CBS 60 Minutes about the Stuxnet virus. He has also presented about Stuxnet at the Los Angeles chapters of OWASP and ISSA. http://www.cbsnews.com/video/watch/?id=7400892n

May 23, 2012 at 6:45PM, Symantec Offices, Culver City

Data Mining a Mountain of Zero Day Vulnerabilities

Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. Which industries have the most secure and least secure code? What types of mistakes do developers make most often? Which languages and platforms have the apps with the most vulnerabilities? Should you be most worried about internally built apps, open source, commercial software, or outsourcers? These questions and many more will be answered as we tunnel through zero day mountain.

Speaker: Chris Wysopal

Chris Wysopal, Veracode’s CTO and Co-Founder, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is an author of L0phtCrack and netcat for Windows. He is the lead author of “The Art of Software Security Testing”, published by Addison-Wesley.