Cincinnati

Upcoming Calendar of Events
Since we started the chapter in 2008 we held a meeting every month. We currently have about 50 members enrolled in the mailing list and the attendance to the meeting has been very good.

Here is the coming calendar for our chapter presentations:

'June 24': SQL Injection: Dr. James Walden

July 29: Software Security Enhanced Process Models: Marco Morana

August 26: OWASP ESAPI: Joe Combs

September: CAPTCHA: TBD

October: Application Security Testing TBD

November: TBD TBD

We look for presenters/contributors for the coming TBD OWASP meetings. A presenter will receive a polo OWASP shirt and is entitled to be member of the local board. If you would like to present a topic, please submit your proposal in powerpoint format using the OWASP Template and include the speaker's BIO and send an email to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email to the chapter leader.

June Meeting
When: June 24th, 2008, TBD

Who: Dr. James Walden, Nothern Kentucky University James Walden is an Assistant Professor of Computer Science at Northern Kentucky University. He is the author of a number of papers on software security and has given talks and workshops on secure programming and software security at a variety of conferences. He teaches graduate and undergraduate classes in information and software security at NKU and offers regular software security workshops to professionals through NKU's Infrastructure Management Institute.

Dr. Walden received his Ph.D. from Carnegie Mellon University in 1997. He then worked at Intel as a software engineer, with a focus on security sensitive applications, for five years. Prior to coming to NKU, he was a Visiting Professor of Computer Science and Engineering at the University of Toledo.

What: SQL Injection Attacks, Vulnerabilities and Countermeasures The presentation is available [TBD].

Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

Where: Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537. Please access the building from the visitor lobby.  RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:marco.m.morana@gmail.com Marco Morana]. This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

May Meeting
When: May 27th, 2008, 12.15 PM presentation starts 12.30 PM

Who: Marco M. Morana, Technologist/Author, TISO Citigroup

What: Cross Site Request Forgery Vulnerability In Depth Dive In The presentation is available herein.

You will learn how CSRF vulnerabilities can be exploited to perform un-authorized transactions on behalf of a logged in user by exploiting the trust between the browser session and the web application. Such un-authorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure as well as un-authorized access. The in-depth session will cover how and where CSRF happen, how can be identified (e.g. tested for) and prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail as well as CSRF tools such as CSRF guard

Where: Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537. Please access the building from the visitor lobby.  RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:marco.m.morana@gmail.com Marco Morana]. This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

April Meeting
Please Join us for the Fortify Premiere: The New Face of Cybercrime. This event is scheduled for April 22nd 5.30-7.30 PM at Citigroup, 9997 Carver Road, Blue Ash, Buckeyes Room. Fortify will sponsor a catering. Major Bruce C. Jenkins, (USAF, Ret.), Security Practice Director at Fortify Software, Inc. will introduce the presentation of the movie and conduct a post movie discussion. The event has been widely published to the Cincinnati Enqurier. OWASP local supporter, Andy Erickson also hosted a podcast on the event on his blog and offerred to gather comments on the event. If you have not done yet, please RSVP by registering to the event through the link herein:

March Meeting
When: March 25th, 2008, 6.15 PM presentation starts 6.30 PM Where: Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537. Please access the building from the visitor lobby.  RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson]. This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

Session Topics:

Source Code Reviews and Open Source Static Analysis Tools

Presented by: Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

An Introduction to Web Proxies

Presented by:Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting
Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective

Who: Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger) The presentation is available herein.

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

January Meeting
When: January 29th, 2008, 11:30am - 1:00pm

General Session Topic: Introduction to OWASP

Who: Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger) The presentation is available herein.

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide. The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases

Who: Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

Cincinnati OWASP Chapter Leaders
 Officers 
 * Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
 * Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
 * Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
 * Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
 * Local PR: [mailto:aerickson@lucruminc.com Andy Erickson]

About OWASP

 * How OWASP Works for more information about projects and governance

OWASP News

 * OWASP Application Security News