!!!PLEASE RSVP TO Anastasia Stamos (mailto:anastasia@isecpartners.com) AS THERE IS LIMITED SPACE!!!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

WHAT: San Francisco OWASP Chapter Meeting and Mixer

WHEN: Thursday, January 25th, 2007

6:00-6:30  Social (Food and Drinks) and Chapter Announcements

6:30-8:00  Presentation I "XML Digital Signature and Encryption: Use and Abuse":  Brad Hill, iSEC Partners

8:00-8:15  Q and A

8:15-9:00  Presentation II "Commonly Overlooked Cryptographic Vulnerabilities in Web Applications": Patrick Stach, Stach & Liu

WHERE: iSEC Partners offices located @ 115 Sansome Street Suite 1005 (10th Floor), San Francisco, CA (http://www.isecpartners.com) We recommend arriving by public transit as parking is extremely limited.

WHY: To network, socialize and learn more about Web Application Security

WHO: Brian Christian, Chapter President, will give chapter details; Brad Hill of iSEC Partners will deliver the presentation "XML Digital Signature and Encryption: Use and Abuse"; and Patrick Stach of Stach & Liu will deliver the second presentation on cryptographic vulnerabilities in web applications.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"XML Digital Signature and Encryption: Use and Abuse"

Abstract: The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Security Consultant - Brad Hill

Brad Hill is a Security Consultant with iSEC Partners. Brad Hill brings to iSEC a decade-plus background working with Internet technologies, including serving as the lead developer of Web applications and frameworks for one of the premier private label recordkeeping and management companies in the financial services industry, where his responsibilities also included security training, policy development and compliance. With iSEC he has performed penetration testing and design review for a wide spectrum of products and technologies, most recently participating in the Final Security Review of Microsoft Windows Vista. Brad achieved the Certified Information Systems Security Professional (CISSP) credential in 2004.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Presentation II

Abstract: This talk aims to outline a few commonly overlooked cryptographic vulnerabilities in web applications. The problems presented will range from attacks against various authentication schemes to improper certificate generation.

Director of Research and Development - Patrick Stach

Patrick Stach is Director of Research and Development at Stach & Liu, a firm providing advanced IT security consulting to the Fortune 500 and multi-national financial institutions. Before founding Stach & Liu, Patrick aided in the development of multiple industry leading security scanning engines. In addition to providing security consulting services to Mitsui Zaibatsu, he has led the network security teams for a number of major hosting providers. Patrick has lectured on cryptanalysis at Kyoto University, taught as adjunct faculty at Network Associates' Japan Security Academy, and performs government-funded cryptanalysis. He is a developer of the Metasploit Framework and has presented at DefCon, Interz0ne, AtlantaCon, ToorCon, and PhreakNIC.