Austin

Austin OWASP Ning Site

Chapter Meetings
When: May 20, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by BlueCoat)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)

When: May 25, 2010, 11:30am - 1:00pm

Topic:  Javascript Hijacking

This attack is an offshoot of Cross-Site Request Forgery (CSRF) and is common when AJAX is involved. It was well publicized in 2007 when the gmail contact list was found by Jeremiah Grossman to be vulnerable to it. This presentation will include a technical explanation of the attack, a demonstration, and a discussion.

Who: Ben Broussard (UT Austin)

Ben Broussard is a developer for the University of Texas at Austin with an academic background in mathematics, specifically cryptography. At UT he has translated and prioritized web application attacks in relation to the environment that the developers are working in. Ben is currently leading a web application security focused team of developers from different departments around campus.

Topic:  Attacking Intranets from the Web Using DNS Rebinding

Who: James Wickett (National Instruments)

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on the Austin OWASP Ning Site

Future Speakers and Events
April 27, 2010 - Automated vs. Manual Security: You can't filter The Stupid (@National Instruments)

May 20, 2010 - Austin Security Professionals Happy Hour (Sponsored by BlueCoat)

May 25, 2010 - Javascript Hijacking AND Attacking Intranets from the Web Using DNS Rebinding (@ National Instruments)

June 17, 2010 - Austin Security Professionals Happy Hour (Sponsored by WhiteHat Security)

June 29, 2010 - AJAX Security (@ National Instruments)

July 15 2010 - Austin Security Professionals Happy Hour (Sponsored by Praetorian Group)

July 27, 2010 - Suggest a Topic (@ National Instruments)

August 12, 2010 - Austin Security Professionals Happy Hour (Sponsored by Set Solutions)

August 31, 2010 - Application Assessments Reloaded (@ National Instruments)

September 16, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour

September 28, 2010 - Suggest a Topic (@ National Instruments)

October 14, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour

October 26, 2010 - Suggest a Topic (@ National Instruments)

November 2010 - No Meeting (Happy Holidays!)

December 2010 - No Meeting (Happy Holidays!)

Record Hall of Meetings
When: April 27, 2010, 11:30am - 1:00pm

Topic:  Automated vs. Manual Security: You can't filter The Stupid

Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.

Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.

Who: Charles Henderson (Trustwave)

Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on the Austin OWASP Ning Site

When: April 22, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Fortify)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)

When: March 30, 2010, 11:30am - 1:00pm

Topic:  Enterprise Application Security Practices: Real-world Tips and Techniques

How can you re-energize your company’s or institution’s commitment to secure development practices as part of the SDLC, while keeping costs in check? Dell's Security Consulting team created an application security practice with the help of several internal teams in legal, enterprise architecture, vendor management, privacy, compliance, and network engineering. Team members Addison Lawrence, Chad Barker, and Mike Craigue will discuss some of the challenges and opportunities they have faced over the last three years, ramping from 27 project engagements in 2007, to 726 project engagements in 2009. In this session, we will discuss the creation of policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. Also included: awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, penetration testing, exception management, and executive escalations. Tell us what we might do to improve our program and increase our effectiveness; discuss how you could adapt parts of this approach to your own program.

Who: Addison Lawrence, Chad Barker, and Mike Craigue (Dell, Inc.)

Addison Lawrence has 10 years of experience at Dell with leadership responsibilities in database and data warehouse security, PCI, SOX, and Dell Services security. He is a part of the Cloud Security Alliance team developing their Controls Matrix. Previously he worked for 13 years at Mobil Oil (now ExxonMobil) as a software developer and DBA. He holds an MBA from Texas A&M University and a BS in Computer Science from Texas A&M-Corpus Christi, and is a certified CISSP.

Chad has worked at Dell for 10 years primarily in software development. Chad has led global development standardization initiatives including release management automation and static source code analysis. He holds a BS in Information Systems from the University of Texas at Arlington.

Before joining Dell’s information security team 5 years ago, Mike worked as a database and web application developer at Dell and elsewhere in central Texas. He’s responsible for Dell’s application security strategy globally, and focuses primarily on Dell’s ecommerce site. He holds a PhD in Higher Education Administration / Finance from the University of Texas-Austin, and has the CISSP and CSSLP certifications.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on the Austin OWASP Ning Site

When: March 18, 2010, 5:00pm - 7:00pm

What: Austin Security Professionals Happy Hour (Sponsored by Denim Group)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)

When: February 23, 2010, 11:30am - 1:00pm

Topic:  Advanced Persistent Threat - What Does it Mean for Application Security?

Targeted attacks, slow moving malware, foreign intelligence/government sponsored hackers, corporate/industrial espionage – all fun and games? Not really. These vectors are occurring today, and the threat vector has bled into the application space. What do you have to contend with once it passes through the firewall.

Who: Matt Pour (Blue Coat Systems)

Matt is a Systems Engineer for Blue Coat Systems. Utilizing over ten years of information security experience, Matt provides subject matter expertise of ensuring security effectiveness while addressing business controls and requirements to a multitude of industries regardless of size and scope. Previous to Blue Coat Systems, Matt Pour was a Security Solutions Architect and X-Force Field Engineer for IBM ISS.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on the Austin OWASP Ning Site

When: February 11, 2010, 5:00pm - 7:00pm

What: Austin Security Executives Happy Hour (Sponsored by WhiteHat Security)

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)

When: January 26, 2010, 11:30am - 1:00pm

Topic:  Reducing Your Data Security Risk Through Tokenization

The first Austin OWASP meeting of the year is on a really interesting topic that many of you have probably never thought about: Tokenization. The concept is simple...use tokens to represent your data instead of passing around the data itself. For example, why would you give a customer account representative a full credit card number when all they need to do their job is the last four digits? Using tokenization, we are able to reduce the data security risk by limiting the number of systems that actually store the data. This extremely simplifies audits for regulations like SOX, HIPAA, and PCI DSS. This presentation will cover the business drivers for data protection, what tokenization is, and how to implement it. If your organization has data to protect, then you're going to want to check out this presentation.

Who: Josh Sokol (National Instruments)

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Josh Sokol (512) 619-6716.

RSVP on the Austin OWASP Ning Site

When: January 14, 2010, 5:00pm - 7:00pm

What: Austin Security Executives Happy Hour

Where: Sherlock's (9012 Research Blvd, Austin, TX 78757)

When: November 17, 2009, 11:30am - 1:00pm

Topic:  Tracking the progress of an SDL program: lessons from the gym

Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is  to overlook the importance of tracking their weight lifting progress.

Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this presentation we’ll discuss metrics used to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally.

Who: Cassio Goldschmidt (Symantec)

Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

RSVP on the Austin OWASP Ning Site

When: October 27, 2009, 11:30am - 1:00pm

Topic:  Vulnerability Management In An Application Security World

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.

This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Who: Dan Cornell (Denim Group)

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

RSVP on the Austin OWASP Ning Site

When: September 29, 2009, 11:30am - 1:00pm

Topic:  OWASP ROI: Optimize Security Spending using OWASP

Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study the company realized annual reduction in spending of several hundred thousand dollars.

Who: Matt Tesauro

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security, developing a Secure SDLC and launching a two-year application security program for Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

When: August 25, 2009, 11:30am - 1:00pm

Topic:  Threat Modeling

In this talk, Michael will discuss Microsoft SDL Threat Modeling, how to apply it to design more secure applications and finally, will show a demo and hold a short lab exercise.

Who: Michael Howard, PRINCIPAL Security Program Manager, Microsoft's Security Engineering Team

Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft’s software. Howard began his career with Microsoft in 1992 at the company’s New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software. In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft’s next-generation web server, before moving to his current role in 2000.

Howard is an editor of IEEE Security & Privacy, a frequent speaker at security-related conferences and he regularly publishes articles on secure coding and design, Howard is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

When: July 28, 2009, 3:30pm - 5:00pm

Topic:  Slowloris: A DOS tool for Apache

Slowloris was designed and developed as a low bandwidth denial of service tool to take advantage of an architectural design flaw in Apache web servers. It was quickly picked up and used by Iranian government protesters. This speech will cover the technical issues around the design flaw, and the events prior to, during and since the release of the tool.

Who: RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

When: June 25, 2009, 5:00pm - 8:00pm

Topic:  OWASP/ISSA/ISACA June Happy Hour Sponsored by VMWare!!!

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

When: June 30, 2009, 3:30pm - 5:00pm

Topic:  Web 2.0 Cryptology - A Study in Failure

Who: Travis

Travis's Bio: Travis H. is an jack-of-all-trades and independent security enthusiast. He has worked in the AFCERT looking for intrusions into Air Force computers, and handled application security and cryptography issues for Paypal. He is currently a programmer for Giganews in Austin. He is also the author of an online book on security called "Security Concepts", located here:

http://www.subspacefield.org/security/security_concepts.html

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: May 26, 2009, 11:30am - 1:00pm

Topic:  Clickjack This!

This speech will cover clickjacking - one of the most obscure client side hacking techniques. After the speech at the world OWASP conference was canceled due to Adobe asking for more time to construct a patch, Robert Hansen never ended up doing a complete speech on the topic. This presentation will cover some of the history of how this exploit came to be, how it works, and how it eventually turned into real world weaponized code.

Who: RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: James Wickett 512-964-6227.

When: April 28, 2009, 11:30am - 1:00pm

Topic:  Architecting Secure Web Systems

For this month's presentation, we diverge from the typical OWASP topics of writing secure code, testing to make sure your code is secure, and other code related topics and delve into the process of actually architecting a secure web application from the ground up. We'll start with some basic n-tier architecture (web vs app vs DB), throw in some firewall and DMZ concepts, then talk about server hardening with client firewalls (iptables), disabling services, and other techniques. Whether you're a code monkey wondering how the rest of the world works, a security guy trying to figure out what you're missing, or an auditor just trying to understand how the pieces fit together, this presentation is for you.

Who: Josh Sokol

Josh's Bio: Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog and recently presented at the TRISC 2009 Conference.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: April 23rd, 2009, 5:00pm - 7:00pm

Topic:  OWASP April Happy Hour

Where:  Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

When: March 31, 2009, 11:30am - 1:00pm

Topic:  PCI Compliance and Web App Security

The purpose of this presentation is to give an objective view of PCI Compliance including the good, the bad and the ugly.

Topics covered include:

What do an ASV really do.

What does a QSA really do.

What does an ASV scan really pick up.

Are you really secure when you are compliant.

A product neutral look at how to get the most out of your compliance push.

Who: Fritz has more than five years of experience in offensive and defensive security practices and strategies. Since 2006 Fritz has been dedicated to managing PCI Data Security Standards (PCI DSS) for ControlScan as well as helping to develop products and services that are designed to make it easier for small merchants to complete and maintain compliance and long term security best practices. Fritz also authors regular security briefings on www.pcicomplianceguide.org  and addresses the "Ask the Expert" questions on the site.

Fritz a member of the Application Security Group of the SPSP (The Society of Payment Security Professionals), a participant on the PCI Knowledge Base's Panel of Experts and is a Certified Information Systems Security Professional (CISSP).

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: February 24, 2009, 11:30am - 1:00pm

Topic:  Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data

In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored:

1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;

2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and

3. Compliance and Software development life cycle approaches.

Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?

Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.

Who: Quincy Jackson

Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which include 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: March 26th, 2009, 5:00pm - 7:00pm

Topic:  OWASP March Happy Hour

Where:  Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

When: February 5th, 2009, 5:00pm - 7:00pm

Topic:  OWASP Live CD Release Party

Where:  Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

When: January 27, 2009, 11:30am - 1:00pm

Topic:  Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.

The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk: 1. The statelessness of the internet

2. How the naive attack works

3. A mitigation strategy against this naive attack

4. An combined CSRF/XSS attack that defeats this mitigation strategy

5. And finally suggestions for mitigation of the combined attack

Who: Ben L Broussard

I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: October 28, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic:  Using Proxies to Secure Applications and More

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: September 30, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh's Bio: Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic:  OWASP AppSec NYC Conference 2008

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: August 26th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.

Topic:  OWASP Live CD 2008 - An OWASP Summer of Code Project

The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where its been and where its going. Some of the design goals include:
 * 1) easy for the users to keep the tools updated
 * 2) easy for the project lead to keep the tools updated
 * 3) easy to produce releases (I'm thinking quarterly releases)
 * 4) focused on just web application testing - not general Pen Testing

OWASP Project Page: http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project

Project Wiki: http://mtesauro.com/livecd/

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: July 29th, 2008, 11:30am - 1:00pm

Who: Whurley and Mando

William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.

Mando Escamilla is the Chief Software Architect at Symbiot, Inc. He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project. He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.

Topic:  The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect

OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: June 24th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP SoC Live CD project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project

A.J.'s Bio: A. J. Scotka Senior Software Quality Engineer, Texas Education Agency As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently responsible for quality reviews on design and code, software configuration management process, build engineering process, release engineering process, verification and validation throughout the life cycle and over all quality improvement across all areas of enterprise code manufacturing.

Topic:  Securely Handling Sensitive Configuration Data.

One of the age old problems with web applications was keeping sensitive data available on a need to know basis. The classic case of this is database credentials. The application needs them to connect to the database but developers shouldn't have direct access to the DB - particularly the production DB. The presentation will discuss how we took on this specific problem, our determination that this was a specific case of a more general problem and how we solved that general problem. In our solution, sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs). We will then cover our implementation of that solution in a .Net 2.0 environment and discuss some options for J2EE environments. So far, we used our .Net solution successfully for database credentials and private encryption keys used in XML-DSig. Sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs).

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: May 27th, 2008, 11:30am - 1:00pm

Who: Nathan Sportsman and Praveen Kalamegham, Web Services Security

Topic: Web Services Security The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers. However, the power web services enables also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status. Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

When: April 29th, 2008, 11:30am - 1:00pm

Who: Mano Paul

Bio Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President & CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive. He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training & Education.

What: Security – The Road Less Travelled Abstract - What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowed poet, Robert Frost ends by with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side. Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: March 25th, 2008, 11:30am - 1:00pm

Who: Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Topic: Static Analysis Techniques for Testing Application Security

Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

When:February 26th, 2008 - Michael Howard, Author of Writing Secure Code

Topic: Microsoft's SDL: A Deep Dive

In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

When: December 4th, 2007, 11:30am - 1:00pm

Who: Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)

Topic: Business Logic Flaws

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.

This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

November 27th, 2007 Austin OWASP chapter meeting - Robert Hansen (SecTheory.com, ha.ckers.org and is regarded an expert in Web Application Security)

Robert will be talking about different ways to de-anonymize and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.

Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. See directions to Whole Foods.

October 2007 Austin OWASP chapter meeting  October 30th, 11:30am - 1:00pm at National Instruments "Social networking" - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? by Rich Vázquez, and Tom Brown.

September 2007 Austin OWASP Chapter September 2007  - Tue, September 25, 2007 11:30 AM – 1:00 PM at Whole Foods Meeting 550 Bowie Street, Austin "Biting the hand that feeds you" - A presentation on hosting malicious content under well know domains to gain a victims confidence. "Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking. "Cover Debugging - Circumventing Software Armoring techniques" - A presentation on advanced techniques automating and analyzing malicious code.

August 2007 Austin OWASP chapter meeting - 8/28, 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.

July 2007 Austin OWASP chapter meeting - 7/31, 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery

June 2007 Austin OWASP chapter meeting - 6/26, 11:30am - 1:00pm at National Instruments. James Wickett from Stokes Cigar Club presented on OWASP Top 10 and using Web Application Scannners to detect Vulnerabilities.

May 2007 Austin OWASP chapter meeting - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.

April 2007 Austin OWASP chapter meeting - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of MetaSploit will be presenting)

March 2007 Austin OWASP chapter meeting - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

January 2007 Austin Chapter Meeting - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.

December Meeting - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!

November 2006 Austin Chapter Meeting - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.

October 2006 Austin Chapter Meeting - 10/31 - Boo!

September 2006 Austin Chapter Meeting - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White

August 2006 Austin Chapter Meeting - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See directions to National Instruments. Hint: It is on your left on Mopac if you were heading up to Fry's from Austin.

Austin OWASP chapter kickoff meeting - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)

Presentation Archives
The following presentations have been given at local chapter meetings:


 * March 2010 - Enterprise Application Security Practices: Real-world Tips and Techniques


 * January 2010 - Reducing Your Data Security Risk Through Tokenization


 * September 2009 - OWASP ROI: Optimize Security Spending using OWASP


 * August 2009 - Threat Modeling


 * April 2009 - Architecting a Secure Web System


 * October 2008 - Using Proxies to Secure Applications and More


 * August 2007 - OWASP Testing Framework


 * July ? - A Rough Start of a Toolset for Assessing Java/J2EE Web Apps - MattFranz discussed some custom Python tools he has been writing for conducting security testing of a Struts (and other Java) web applications.


 * August ? - AJAX Security: Here we go again - Dan Cornell from Denim Group discussed security issues in the one the popular Web 2.0 technlogy

Austin OWASP Whitepapers

 * Whitepapers go here

Austin OWASP Chapter Leaders
[mailto:josh.sokol@ni.com Josh Sokol, President] - (512) 683-5230

[mailto:wickett@gmail.com James Wickett, Vice President] - (512) 989-6808

[mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair] - (512) 989-6808

[mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair] - (512) 637-9824

Sponsorship Opportunities
The Austin OWASP Chapter can offer your company three unique sponsorship opportunities. If you are interested in taking advantage of any of these opportunities, please contact [mailto:josh.sokol@ni.com Josh Sokol], the Austin OWASP Chapter President.

Opportunity #1 - Austin Security Professionals Happy Hour Sponsorship

The Austin OWASP Chapter organizes a monthly Austin Security Professionals Happy Hour event along with the Capitol of Texas ISSA Chapter. This event has historically drawn around 30 of Austin's finest security professionals for networking and more. Your sponsorship of this event includes appetizers and drinks for the attendees. We typically do $100 in appetizers and $200 in drink tickets. By using drink tickets, we ensure that our sponsors are able to interact with every attendee who wants a drink. Feel free to pass out business cards and network just like you would anywhere else. You'll find no better opportunity to get your name in front of 30+ security professionals for around $300.

Opportunity #2 - OWASP Meeting Lunch Sponsorship

Our monthly Austin OWASP meetings are held during a person's typical lunch hours from 11:30 AM to 1:00 PM. For your sponsorship of around $250 we can arrange food and drinks for up to 50 attendees. In exchange for your sponsorship, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the lunch sponsor in all e-mail communications about the meeting.

Opportunity #3 - OWASP Meeting Presenter Sponsorship

Although OWASP is a non-profit organization, we strive to provide our members with the best presenters we possibly can. While the Austin area has tons of security talent, sometimes it's worthwhile to reach beyond our borders to pull in more awesome presenters. In exchange for covering travel expenses for these presenters, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers. You'll also receive mention of being the presenter sponsor in all e-mail communications about the meeting.

The Austin OWASP Chapter would like to thank WhiteHat Security, Expanding Security, and the Denim Group for their sponsorships during the past year.

Local News
If a link is available, click for more details on directions, speakers, etc. You can also review Email Archives to see what folks have been talking about Austin