Toronto

The mailing list archive can be accessed from here.

Upcoming Sessions
Date/Time: February 16, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Secure Programming with Static Analysis

Please join us at our next OWASP Toronto chapter event, where our guest speaker, Paul Kitor from HP Enterprise, will be sharing his thoughts on Secure Programming with Static Analysis.

Speaker: Paul Kitor

Paul Kitor, CISSP is a Senior Solution Architect focused on Fortify technologies within the Enterprise Security Products business unit at HP. In this role, Mr. Kitor acts as the primary technical advisor to develop and position a broad range of Application Security solutions with customers. In his responsibilities, Paul provides technical leadership and technical depth concerning HP Fortify solutions. He works closely with customers and partners, assisting them in meeting their strategic Application Security initiatives, and also provides thought leadership and insight regarding the ever-changing global threat landscape. He possesses 20+ years of Information Security experience in the areas of Application Architecture, Java/C/C++ Development, Agile SDLC, and Application Security. Prior to joining HP Canada, Paul worked as a Solution Architect at Oracle, BEA Systems, and Borland Software; he also led Java development teams at Airmiles.ca and Points.com.

Abstract:

Developing software securely is a very challenging task. Using a combination of theory, practice and technology gives you the best chance of success. This talk will introduce (for those practitioners among us – review) the theory, practices and technologies that comprise Static Analysis.


 * The Software Security Problem
 * Static Analysis
 * Introduction
 * As Part of the Code Review Process
 * Internals
 * Pervasive Problems
 * Handling Input
 * Buffer Overflow
 * Bride of Buffer Overflow
 * Errors and Exceptions

Previous Presentations
Date/Time: July 20, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: OWASP Top 10

''We invite you to join us at our next chapter event, where panelists will discuss one of OWASP's flagship projects, the OWASP Top 10 application security flaws. The discussion will include:''


 * Roundtable on select items on the OWASP Top 10 (e.g. injection flaws, security misconfigurations, CSRF, etc.)
 * Thoughts on candidates for the 2016/2017 release of the OWASP Top 10 (e.g. what should be added? what should be removed?)

Come prepared to learn, discuss, share and ask questions!

Date/Time: June 8, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: Day in the Life of An Application Security Professional

''We invite you to join us at our next OWASP Toronto chapter meeting, where panelists will discuss their day-to-day life as an application security professional, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!''

Panelists:


 * Steve Gienuisz, Software Security Specialist, BMO Financial Group
 * Ramanan Sivaranjan, Director of Engineering, Security Compass
 * Yuk Fai Chan, OWASP Toronto Chapter
 * Tej Gandhi, Information Security Compliance Specialist, Engage People Inc.

Date/Time: January 20, 2016, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker: Michael Bennet

Lead DDoS Strike Developer, Security Compass

Is your Application DDoS Ready?

Common issues that leave your application DDoS defences vulnerable

More and more DDoS attacks are targeting the Application Layer in order to knock your sites and services offline. These attacks need far less horsepower to drive results and often target weaknesses in an application and its defences in order to be effective. While there are solutions available to protect your application, they can only do so much and often are misconfigured for an application. In this presentation I’ll talk about common misconfigurations that we come across during our DDoS testing, as well as some web application design considerations that help some DDoS defences to be more effective.

Date/Time: November 18, 2015, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Python Security

Speaker: Enrico Branca 

Enrico Branca is an experienced researcher with specialist knowledge in Cyber Security. He has been working in Information Security for over a decade with experience in Software Security, Information Security Management, and Cyber Security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, and Microsoft Security Specialist. He is always looking for new and exciting opportunities.

Session Outline:

A deep dive into the security of the Python interpreter and its core libraries to discover how bad guys may attack it and how good guys can protect it, while providing examples and code snippets on how each goal may be achieved by any given party.

Enrico's presentation slides can be found here.

Date/Time: May 20, 2015, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: State of Application Security in 2015

We invite you to join us at our next OWASP Toronto chapter meeting, where a panel of industry professionals will discuss the state of application security in 2015. Panelists will share their point of view on a number of topics, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!


 * 1) Appsec Wishlist: "If I could have one thing improved in application security in 2015, it would be ..."
 * 2) Appsec Defenders: Offensive Security is obviously thriving, but how are the Defenders doing? Has there been improvement? There are plenty of blackhat/red team rock stars, but are we giving enough credit to the blue teams?
 * 3) Appsec Tools: Which application security tools are doing the job right? Which ones can be further improved?
 * 4) Evolution of Application Security Assessments: How will the industry effect a sea change in attitude towards assessing software for security issues? The tunnel-vision model (i.e., black-box only, source code review only, configuration review only) is deficient, and the best approach is to overlap as many techniques as possible. Time-boxed approaches compound the problem, and with the increasing proliferation and complexity of applications in any given organization, scaling assessment services to all targets is bottlenecked.
 * 5) Appsec Talent: There are too few skilled/trained information security professionals, and too much work to do. Scaling up to meet the demand can only partially be managed through automation. Where will the next wave of reliable security professionals come from? Is training for information security skills too expensive in the age of Code School? Is North America in need of a CREST-like certification to establish a baseline level of coverage by a practitioner?

Panelists

Ehsan Foroughi, Security Compass

Manish Khera, RBC

Gonzalo Nunez, Deloitte

Ann-Marie Westgate, eHealth Ontario

Date/Time: September 10, 2014, 6:30 - 8:30 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker:

Ryan Berg

Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs, which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which was later sold to WatchGuard Technologies in 2000. In the late 1990s, Ryan also designed and developed the infrastructure for GTE Internetworking/Genuity's appliance-based managed security services.

Session Outline:

''[https://www.owasp.org/images/e/ee/OWASP_TORONTO_SEP_2014_Ryan_Berg.pdf What's Hiding in Your Software Components? Hidden Risks of Component-Based Software Development – Seeing the Forest Through the Trees]''

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check. Join Ryan Berg as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risks. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

Date/Time: July 16, 2014, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP at yuk.fai.chan@owasp.org to confirm your presence.

Speaker:

Dr. Mark Shtern, CISSP, Postdoctoral Fellow at York University

Session Outline:

DDoS Attacks and Mitigation in Cloud Environments

Distributed Denial of Service (DDoS) attacks are negatively impacting a broad spectrum of industries as they are increasing in number, sophistication, and cost. Researchers have noted that, when simple DDoS attacks fail, the attackers take aim at the application layer and these attacks become more prevalent. For example, in the first quarter of 2012, Layer 7/Application layer attacks increased by 25% compared to the year before. In the third quarter of 2013, the total number of layer 7 attacks increased by 101% compared to 2012. As a result, application layer attacks have been a growing concern for information technology security specialists.

I will present an adaptive management mechanism, which can correctly scale applications, mitigate a DDoS attack, or both, based on an assessment of the business value of workload. I will talk about the Cloud Efficiency (CE) metric, a runtime metric that assesses how effectively an application uses software-defined infrastructure. This is a business-driven metric that can be leveraged to detect various resource-consumption attacks on applications, including cost-of-service and low-and-slow DDoS attacks.

Date/Time: April 23rd, 2014, 5:30 - 7:30 PM EDT

Location: Telus Tower, 25 York, 3rd Floor

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

'''Heartbleed! or Heart Bleed!'''

Heartbleed

Heartbleed! or Heart Bleed! The logo, the media coverage, the virus (no wait, it's not a virus); reverse Heartbleed and client Heartbleed (the transfusion) - a tale of failure to validate inputs, trusting user-provided input and coding around good security. You've read the book! Seen the movie! Now see the live puppet show*. (*puppets not included, please bring your own batteries too).

Speaker: Ben Sapiro

Ben works for KPMG where he advises people on Cyber Security (we're not entirely sure what that is yet either but we hear it's the 'new infosec' which is the 'new orange' which is the 'new black'). He's also the founder of OpenCERT, a BSidesTO organizer, LiquidMatrix Podcaster, SECTOR Fail Panelist and occasional writer of things (which sometimes includes horrible code and bad prose). With 15 years in the biz, Ben's hoping for parole soon; otherwise is going to have to find something else to do in infosec/cybersec besides product management, SecSDLC, consulting, insulting, and CISO'ing. Ben has advised a whole bunch of confidential clients on AppSec and Secure SDLC, but two he _can_ talk about (when reliving the glory days) are Sybase and Motorola.

Date/Time: December 3rd, 2013, 6:00 - 7:30 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

OWASP: Introducing ASVS 2013

Since the last release of the OWASP Application Security Verification Standard (ASVS) Project in 2009, significant improvements have been made, including but not limited to:

1. Content updates to add new relevant content and clarify existing content

2. Document segregation

3. Case studies

4. Mapping to other relevant standards

In this presentation, we will walk through the major changes that we believe will increase adoption of the standard in industry.

Presenter: Sahba Kazerooni

Sahba Kazerooni manages Security Compass's internationally renowned consultants on cutting-edge consulting and training engagements across North America and around the world. His personal skillset ranges from hands-on assessments in application penetration testing, threat modeling, and source code review, to security advisory and technical training. Sahba has an advanced knowledge of the Software Development Life Cycle (SDLC) as well as the intricacies of the Java programming language. He is an internationally renowned speaker on software security topics, having delivered presentations at reputable security conferences around the world and having been recognized as an expert in application security by publications such as IT World Canada and the Information Security Media Group.

Date/Time: July 10, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to patrick.szeto@owasp.org or yuk.fai.chan@owasp.org to confirm your presence.

OWASP: Beyond the Top 10


Presenter: Andre Rochefort, TELUS

Join us as we take a guided tour through some of OWASP's lesser-known projects -- present and future. For students and new entrants to the application security profession, get practical advice on options for building and honing your skills. Developers and administrators alike might benefit from an overview of OWASP's projects for secure SDLC, source code review, and vulnerability assessment and mitigation. The seasoned professionals can engage in a lively discussion and critique of OWASP projects in the pipeline, and how the community as a whole is tackling security for the web, mobile, and beyond. An OWASP session featuring a buffet of OWASP offerings and a potluck of alternatives and enhancements.

Your host for this session is Andre Rochefort, an infosec veteran and lifelong computer geek. As a developer, a security auditor, and a loudmouth conference heckler, Andre offers a wealth of experience and anecdotes, with a generous helping of opinion. His day-to-day activities at TELUS include source code analysis, vulnerability assessments and penetration tests, with a heavy focus on web and mobile application security.

Date/Time: May 8th, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Secure Code Review

Security Code Review

Presenter: Sherif Koussa

Secure Code Review is the best approach to uncover the largest number of security flaws, in addition to the most stealthy and hard-to-uncover security vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real-life application, "SecureTickers", pulled from SourceForge. You will get an introduction to Static Code Analysis tools and how you can extend PMD (http://pmd.sourceforge.net/), the open source static code analysis tool, to catch security flaws like OWASP Top 10. Expect lots of code, tools, hacking and fun!

Date/Time: March 20th, 2013, 6:30 - 8:30 PM EST

Location: PwC Tower, 18 York Street, Suite 2600, Toronto ON M5J 0B2

Due to fire and building regulations, there is a maximum occupancy allowed in the venue, so if you would like to attend it is very important that you RSVP at yuk.fai.chan@owasp.org to confirm your presence!

NFC Threat Landscape

Presenter: Geoff Vaughan, Security Compass

Near Field Communication is on pace to be one of the most explosive technologies in North America for 2013. Over 2012 we’ve seen a number of industry steps toward making this a reality. Nearly all phone makers are putting NFC into all new phones they develop. Over the last year we have also seen widespread adoption by a large number of financial institutions to put NFC into all their new credit cards and banking cards, as well as many mobile payment systems now accepting the technology. At this point we need to take a step back and evaluate the implications of having NFC always enabled on a consumer phone and the implications of storing mobile payment data on an individual's phone. NFC technologies are intimately embedded into all core features of a smartphone, and this presents a very large attack and vulnerability surface for an attacker to potentially exploit.

Wednesday, July 11th 2012, 6:30-8:00 PM EDT - Security Community Engagement

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: Mozilla is one of the most successful open source projects in existence, and has helped transform the way users and developers interact with the Internet. In the last few years there have been many new ways to use the Internet, including new competitors in the Browser market, mobile and desktop Apps, and a proliferation of platforms, APIs, and new technologies. Mozilla has a strong base of contributors to many areas, including Firefox, Thunderbird, our huge Add-On collection, and our support sites, but not many people know that Mozilla is also open to community engagement with our Security program as well! In this discussion I will explain how our Security program functions, how and where we are looking for improved engagement and contribution from the community, and some of the benefits of contributing!

Speaker Bio:

Yvan Boily is an Application Security Manager with Mozilla Corporation, where he manages one of two application security teams focused on the security of Mozilla web properties and end-user applications.

Thursday, May 10th 2012, 6:30-8:00 PM EDT - Application Security ISO

Location: RBC Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: ISO/IEC 27034 - Part 1 was published in November 2011 and the remaining parts (Part 2-6) are expected to be published soon. What does this mean to your organization or your clients who wish to adopt or incorporate this ISO standard for their software application? This overview will walk through the key sections of the standard and highlight the process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. We will also attempt to compare these key points against other industry guidelines to determine the overall intentions and objectives of the standard.

Speaker Bio: TAK CHIJIIWA, CISSP, CSSLP

Tak Chijiiwa has over 12 years of IT security experience. Tak has been involved in a wide spectrum of information security strategy and advisory engagements for various Fortune 500 clients globally in the healthcare, financial, education, utilities, transportation and government sectors. Prior to joining Security Compass, Tak worked at Deloitte & Touche, LLP as a Manager of the Vulnerability Management team in Toronto, Ontario for 6 years and at Kasten Chase Applied Research as a Development Manager in Mississauga, Ontario for 4 years.

Wednesday, September 14th 2011, 6:30-8:00 PM EDT - Introducing Vega, a New Open Source Web Vulnerability Scanner

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to owasp-rsvp@securitycompass.com to confirm your attendance.

Description: David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in JavaScript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

Speaker bio: David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, CanSecWest, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal.

Wednesday, May 11th 2011, 5:00-6:00 PM - Mobile Security for the Forgetful

Location: Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yukfai at securitycompass dotcom

Description: You’ve accidentally misplaced your company or personal mobile phone in a public location. In this scenario, what threats do you and/or your organization face?

This talk will be about the worst-case scenario in mobile security: when the attacker has physical access to the phone. According to DataLossDB, about 1/5 of all data breaches they have recorded are due to lost or stolen laptops. Phones are much easier to lose (or steal) than laptops, and these days the data on our phones can be as confidential as the data on our laptops.

This talk will go over physical access attacks from an attacker’s perspective, discuss ways of coding mobile applications to defend against these kinds of attacks, and discuss some ways of securing our phones as users. Technical details in this talk will focus on the Android platform.

Length: 60 minutes

Speaker Bio: Max Veytsman is a Security Consultant with Security Compass. He specializes in web and mobile security assessments. Max also leads Security Compass' training development in the mobile space. Max studied Computer Science at the University of Toronto. His interests include cryptography, programming language design, and computer vision.

Wednesday, February 16th, 6:00 PM - How Auditors Certify Computer Systems – A Look at Third Party, Non-Vendor, Legally Mandated System Certifications

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description: “Certifications” abound in the world of IT – from signoffs by internal security professionals to the advertising claims of vendors, but few, if any of these, have true legal standing. As a consequence, customers and clients of organizations which process sensitive transactions or retain confidential data are increasingly demanding third party, non-vendor, legally mandated system certification as a pre-requisite to doing business.

•	What are these certifications and who can issue them?

•	Under what circumstances are certifications likely to be required?

•	What standards do certifiers use – and does it matter?

•	What information and evidence do auditors need in order to complete their work?

•	How can information systems professionals prepare for a certification audit and ensure that the process is ultimately successful?

Our speaker, Jerrard Gaertner, CA•CISA/IT, CGEIT, CISSP, CIPP/IT, I.S.P., ITCP, CIA, CFI, Director of Technology Assurance Services at Soberman LLP, will address these and related questions based on his 25+ years as a systems auditor.

Wednesday, November 10th, 6:30 PM - Using Open Standards to Break the Vulnerability Wheel of Pain

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description: Ed is the Chief Information Security Officer responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business. With over 18 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, a CISM, and a contributor to the ISM Community, and serves on the advisory board to the Society of Payment Security Professionals as well as its Application Security Working Group. Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as BlackHat, Metricon, CSO, OWASP, The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association. Additionally, Ed is a contributing author to the O’Reilly book Beautiful Security.

 Meetings November 5th, 2009 (THURSDAY)

Location: 285 Victoria Street, 3rd Floor (Room number VIC306) NEW Location.

Date/Time: November 5th, 2009, 6:00-7:30 PM EST (THURSDAY)

Title: Software Assurance Maturity Model

Speaker: Pravir Chandra, Fortify Software

Description: Software Assurance Maturity Model (OpenSAMM) The Software Assurance Maturity Model (SAMM) into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/

Bio: Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

 Meetings August 19th, 2009 

Location: 285 Victoria Street, 4th Floor (Room number VIC405) NEW Location.

Date/Time: August 19th, 2009, 6:00-7:30 PM EST

Title: Will you be PCI DSS Compliant by September 2010?

Speaker: Michael D’Sa, Visa Canada

Description and Bio:  At this informative session, Michael D'Sa, Visa Canada's Senior Manager of Data Security and Investigations will talk to you about PCI DSS compliance within the Canadian marketplace. Michael will present the emerging data compromise trends, and will review the Canadian deadlines and mandates for Visa merchants. Michael D’Sa is the Senior Manager responsible for Data Security and Investigations at Visa Canada. Working at Visa Canada for over 14 years, Mr. D’Sa is currently in the Payment System Risk group. His responsibilities include managing the Account Information Security program, managing Data Compromise incidents, and supporting Visa banks on fraud investigations. Mr. D’Sa also acts as the primary liaison for Law Enforcement on Visa related fraud matters.

 Meetings May 13th, 2009 

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: May 13th, 2009, 6:45-8:00 PM EST

Title: Cross Site AJAX Hacking

Description: The era of AJAX technologies has only been possible after XMLHttpRequest released its full potential. But XMLHttpRequest has had a number of security concerns, in particular due to its ability to create flexible requests against web sites without the user's knowledge. Up to now, the same origin policy limited the impact of this issue.

The Web 2.0 vision calls for the flexible use and rendering of information in mash-ups created by mixing content from various sources on the fly. This idea is not easily implemented in JavaScript due to same origin restrictions. In order to allow for these features, XHR Level 2 and XDR have been developed to remove the same origin policy and allow the ability to request information from various sites. Current browsers make these functions available to developers and you will soon find sites that require them. The presentation will provide information on the mechanics of these cross site AJAX calls and their security impact.

As an add-on to the discussion: it has been a year since Johannes Ullrich gave a talk on the Dshield Web App honeypot project. I will provide a small update on the progress of this project. It's a low-key project but you may be amazed at what we are doing.

Presenter: Jason Lam

BIO: Jason is a senior security analyst at a major financial institute in Canada. He is also an author and instructor for SANS Institute where he writes courses on pentesting and defending web applications. In his ever diminishing free time, he helps with the SANS Internet Storm Center as an incident handler. He took on the role of leader for the Dshield honeypot project, where logs from web honeypots all over the world are collected and analyzed.

 Meetings April 8th 2009 

 Wednesday April 8th 2009, 6:00-8:00 PM EST  at D&T, 4-179B, 121 King Street West, Toronto.

 Topic:  A Laugh RIAt – Rich Internet Application Security

 Speaker:  Rafal M. Los

 Description:  Rich Internet Applications [RIA] are popping up everywhere! Enterprises and boutique online shops alike are rushing to adopt these technologies without really thinking of the implications of moving pseudo-server functionality to the user’s desktop and browser. Hacking these applications has now moved from the challenge of compromising the server, to the significantly smaller challenge of compromising the client. You’ll be able to witness (and try!) first-hand how to manipulate an AJAX-rich web application you or your colleagues probably use many times; as well as see and understand how breaking down a Flash binary object (SWF file) isn’t difficult. These types of applications are now treasure-troves of goodies… don’t miss out on the simple ways you can security test these technologies on your desktop today!

 Future Talks: May: Douglas Simpson, Cenzic; Jun: Jamie Gamble, Security Compass; Jul: Jason Lam; Aug: Joe Bates; Sep: Tyler Reguly, nCircle

We are looking for speakers. If you are interested in speaking on security topics, please email [mailto:nish@securitycompass.com Nish Bhalla].

 Meetings November 13th 2008 

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: November 13th 2008, 6:00-7:30 PM EST

Title: Web Application Security and the PA-DSS

Description: The Payment Card Industry's (PCI) Payment Application Data Security Standards (PA-DSS) version 1.1 was released in April 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed “as is”. This discussion will provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Whether you are a web application developer, tester, vendor or just interested in PCI and Payment Applications, this talk will have a message for you.

Presenter: A M Westgate M.Sc., B.Ed., CISSP, QSA, PA-QSA

BIO: A M brings a range of experience as a security systems analyst, a software engineer and an information security instructor. She has participated in PCI Compliance engagements and PCI gap assessments. In addition, she has been the primary consultant on PA-DSS Validation, PA gap assessments and remediation engagements. A M has over 5 years' experience in security software engineering, and has worked in Canada, USA, Ireland and England. She is a confident speaker, and a part-time instructor of the CISSP preparation course in the continuing education department at a local university.

 Meetings August 14th 2008 

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: August 14th 2008, 6:00-7:30 PM EST

Title: An Introduction To Reverse Engineering Malware

Session Abstract: This talk will cover the basics of setting up an environment to reverse engineer malware, and an introduction to some tools and techniques that can be used to determine what exactly that bit of unknown, potentially hostile code does. While this is an introductory talk, we'll definitely cover more than "run strings on the binary and see what you get!"

Presenters: Seth Hardy, MessageLabs Inc.

BIO: Seth Hardy recently moved to Toronto to do reverse engineering work for MessageLabs, as part of their antivirus research and response group. Before that, he worked mostly in the areas of vulnerability research and cryptography. In his spare time, Seth likes to work on community-building projects both online and off. He currently holds the GIAC GREM certification, and should have the CISSP before this presentation; if not, feel free to mock him mercilessly for it.

 Meetings July 16th 2008 

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: July 16th 2008, 6:00-7:30 PM EST

Title: Business Logic Flaws

Session Abstract: How they put your Websites at Risk. Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem with business logic flaws is that scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic. The presentation will provide real-world examples of how pernicious and dangerous business logic flaws are to the security of a website. We'll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Presenters: Trey Ford, Director, Solutions Architecture, WhiteHat Security, Inc.

BIO: Trey Ford is the Director of Solutions Architecture at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website security programs. Mr. Ford also spearheads WhiteHat's participation in the PCI Standards Council and assists customers in selecting WhiteHat services for compliance with the PCI Data Security Standard. In addition, Mr. Ford is a frequent speaker at industry events. Prior to WhiteHat, he was the Compliance Practice Lead at FishNet Security, an information security services provider based in Kansas City. Mr. Ford also founded and operated Eclectix, a technology consultancy. He is a certified information system security professional (CISSP), a Microsoft Certified Systems Engineer, a Cisco Certified Networking Associate (CCNA), and a Payment Card Industry Qualified Data Security Professional.

 Meetings June 18th 2008 

Location: The next chapter meeting will be held on June 18th at D&T, 4-179B, 121 King Street West, Toronto.

Date/Time: June 18th 2008, 6:00-7:30 PM EST

Description: Testing for certain web application vulnerabilities is tedious and time-consuming, and when combined with time constraints, full testing coverage is often not achieved. ExploitMe is a series of Open Source Firefox plugins released by Security Compass for this purpose - automated detection of XSS, SQL Injection, and access control (including the recently released HTTP verb tampering) vulnerabilities.

In this presentation Tom Aratyn and Sahba Kazerooni of Security Compass will demonstrate how the Exploit-Me series of tools can be used during penetration testing to find security vulnerabilities in real web applications.

Presenters: Tom Aratyn (Developer ExploitMe Series), Sahba Kazerooni (Security Consultant, Security Compass)

 May 13th 2008 Meeting 

The next chapter meeting will be held on May 13th at a different location: Delta Meadowvale Resort & Conference Center, 6750 Mississauga Road, Mississauga, ON CA, Phone: 905-821-1981. Directions to the meetings

Topic: A Distributed Web Application Honeypot

Date/Time: May 13th 2008, 6:00-7:00 PM EST

Description: DShield.org has been extremely helpful in understanding network-based attacks. However, over the last few years many interesting attacks target specific web application flaws which are not detected by DShield's sensor system. Collecting similar data for web applications has been challenging for a number of reasons. First of all, the data needed to understand a web application attack is much richer, and a simple, efficient data model like the one used by DShield will not provide sufficient details. If more detailed data, like complete requests, are collected, data privacy issues become more of a problem. Simple obfuscation or pattern replacement techniques are usually not sufficient to safeguard this information, or they will make it impossible to understand the attack. Lastly, many web application attacks use search engines to find vulnerable systems, instead of just attacking random servers. Over the next few months we plan to roll out a distributed web application honeypot. We will describe how this honeypot will be implemented to address these issues.

Speaker BIO: Dr. Johannes Ullrich, SANS Institute

As Chief Research Officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in Physics from SUNY Albany and is located in Jacksonville, FL.

OWASP Toronto chapter meetings are open to the public. RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email].

 22nd January 2008 Meeting 

The next chapter meeting will be held on Jan 22nd at 20th floor, 79 Wellington Street West, Toronto, ON M5K 1B9. Directions to the meetings

Topic: Modern Trends in Network Fingerprinting

Description:

Speaker BIO: Jay Graver and Ryan Poppa are Lead Engineers at nCircle Network Security. They specialize in interrogating applications and services over the network. Their years of experience have been focused on the non-invasive detection of vulnerabilities.

Current areas of research include HTTP server analysis, graph theory, SSL library fingerprinting and unobfuscation techniques.

Based in Toronto, Ontario, they hold degrees from University of Guelph and the University of Waterloo. You can find their latest posts at blog.glaciertech.ca & numerophobe.com


Sponsorship
We always welcome sponsors for our chapter meetings. If you are interested, please contact [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan].

Speakers
We are always looking for speakers to present on their topic of choice. If you are interested, please contact [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan].

OWASP Toronto Chapter Committee
The current chapter leaders are [mailto:nish@securitycompass.com Nish Bhalla], [mailto:andre.rochefort@owasp.org Andre Rochefort] and [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan].

Meetings
Everyone is welcome to join us at our chapter meetings. These meetings are held every second Wednesday of the month. Beverages and snacks are provided.

OWASP Toronto chapter meetings are open to the public. RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email].

Past Presentations For Download
The past presentations are available for download from here. If you have any comments on the presentations, please send them to us.

Basic Web Application Testing Methodology by Nish Bhalla, Security Compass

Basic Web Services Security by Rohit Sethi, Security Compass

Authentication Security by Hui Zhu

Identity Management Basics by Derek Browne

by Trey Ford

A Laugh RIAt – Rich Internet Application Security by Rafal M. Los

[http://www.owasp.org/images/1/18/MichaelDSa-OWASP_Aug_09.pdf Will you be PCI DSS Compliant by September 2010? ] by Michael D'Sa

Mobile Security for the Forgetful by Max Veytsman, Security Compass, May 2011

Application Security ISO by Tak Chijiwa, Security Compass, May 2012

NFC Threat Landscape by Geoff Vaughan, Security Compass, March 2013

Security Code Review by Sherif Koussa, OWASP Ottawa Chapter Leader, May 2013

OWASP: Beyond the Top 10 by Andre Rochefort, TELUS, July 2013

Heartbleed by Ben Sapiro, April 2014

DDoS Attacks and Mitigation in Cloud Environments by Mark Shtern, July 2014

[https://www.owasp.org/images/e/ee/OWASP_TORONTO_SEP_2014_Ryan_Berg.pdf What's Hiding in Your Software Components? Hidden Risks of Component-Based Software Development – Seeing the Forest Through the Trees] by Ryan Berg, Sonatype, September 2014