San Antonio

Local News
San Antonio OWASP Chapter: Wed June 16, 2010

Topic: Securing Software Applications Using Dynamic Dataflow Analysis

Presenter: Steve Cook, Senior Research Analyst, SwRI

Date: Wednesday June 16, 2010 11:30am – 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project.

The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library.

The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime.

Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment.

The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions.

Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&M University. While at Texas A&M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

San Antonio OWASP Chapter: Wed May 19th, 2010

Topic: The Open Software Assurance Maturity Model

Presenter: Dan Cornell, Principal, Denim Group

Date: Wednesday May 19th, 2010 11:30am – 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program.

This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

San Antonio OWASP Chapter: Wed March 17, 2010

Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors & Data Exfiltration

Presenter: Clint Pollock

Date: Wednesday, March 17th, 2010 11:30am – 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Sponsored by: VERACODE

Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; ·   Prevalence of backdoors and malicious code in third party attacks ·   Definitions and classifications of backdoors and their impact on your applications ·   Methods to identify, track and remediate these vulnerabilities

Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.

FREE PIZZA will be provided, courtesy of our friends from Veracode.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Meeting Schedule for 2010

Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229.

Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro

Wednesday March 17th - TBD

Wednesday May 19th - TBD

Wednesday July 21st - TBD

Wednesday September 15th - TBD

Wednesday November 10th - TBD

San Antonio OWASP Chapter: Wed January 20th, 2010

Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Recent Meetings:

San Antonio OWASP Chapter: October 21, 2009

Topic: Rolling Out an Enterprise Source Code Review Program

Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m.

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues.

Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

San Antonio OWASP Chapter: August 19, 2009

Topic: Web Application Firewalls (WAFs)

Presenter: Matt Burriola & Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process.

Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&M University-Corpus Christi.

Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University.

San Antonio OWASP Chapter: June 17, 2009' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229

http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks.

Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA.

San Antonio OWASP Chapter: January 2009 Meeting

Topic: "Vulnerability Management in an Application Security World."

Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm

Location:

San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Presenter Bio:

Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications.

Previous News The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf

The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&oldid=80140#filelinks

The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks

The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio

The slide deck from OWASP San Antonio September 2007 meeting available online here: .

The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly

The slide deck from OWASP San Antonio September 2006 meeting available online here: .

The slide deck from OWASP San Antonio August 2006 meeting available online here: .

The slide deck from OWASP San Antonio June 2006 meeting available online here:.

The slide deck from OWASP San Antonio May 2006 meeting available online here:.

The slide deck from OWASP San Antonio September 2004 meeting available online here: .