Austin

[mailto:wickett@gmail.com James Wickett, President] - (512) 989-6808

[mailto:josh.sokol@ni.com Josh Sokol, Logistics Chair] - (512) 683-5230

[mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair] - (512) 989-6808

[mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair] - (512) 637-9824


Local News
If a link is available, click for more details on directions, speakers, etc. You can also review the Email Archives to see what folks have been talking about.

Next Meeting
When: February 24, 2009, 11:30am - 1:00pm

Topic: Web Application Security in the Airline Industry: Stealing the Airlines' Online Data

In this session, attendees will learn about the types of airline data that are at risk of being stolen by online data thieves. In addition, the following topics will be further explored:

1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;

2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and

3. Compliance and Software development life cycle approaches.

Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?

Please join in this presentation, which will outline some of the challenges that members of the airline industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.

Who: Quincy Jackson

Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology ("IT") profession, including 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company's first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. ("UWA"). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: March 26th, 2009, 5:00pm - 7:00pm

Topic: OWASP March Happy Hour

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

Future Speakers and Events
February 24th, 2009 - Quincy Jackson (@ National Instruments)

March 31st, 2009 - OPEN (@ National Instruments)

April 28th, 2009 - OPEN (@ National Instruments)

Record Hall of Meetings
When: February 5th, 2009, 5:00pm - 7:00pm

Topic: OWASP Live CD Release Party

Where: Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

When: January 27, 2009, 11:30am - 1:00pm

Topic: Cross-Site Request Forgery attacks and mitigation in a domain vulnerable to Cross-Site Scripting.

The presentation will include the following topics, in addition to a hands-on demonstration for each portion of the talk:

1. The statelessness of the internet

2. How the naive attack works

3. A mitigation strategy against this naive attack

4. A combined CSRF/XSS attack that defeats this mitigation strategy

5. And finally, suggestions for mitigation of the combined attack

Who: Ben L Broussard

I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: October 28, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic: Using Proxies to Secure Applications and More

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: September 30, 2008, 11:30am - 1:00pm

Who: Josh Sokol

Josh's Bio: Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the Web Admin Blog.

Topic: OWASP AppSec NYC Conference 2008

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: August 26th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.

Topic: OWASP Live CD 2008 - An OWASP Summer of Code Project

The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where it's been and where it's going. Some of the design goals include:
 * easy for the users to keep the tools updated
 * easy for the project lead to keep the tools updated
 * easy to produce releases (I'm thinking quarterly releases)
 * focused on just web application testing - not general Pen Testing

OWASP Project Page: http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project

Project Wiki: http://mtesauro.com/livecd/

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: July 29th, 2008, 11:30am - 1:00pm

Who: Whurley and Mando

William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.

Mando Escamilla is the Chief Software Architect at Symbiot, Inc. He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project. He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.

Topic: The rebirth of openSIMS (http://opensims.sourceforge.net) - Correlation, visualization, and remediation with a network effect

OpenSIMS has a sordid history. The project was originally a way of tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then, out of nowhere, the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community-centric security is valuable to your enterprise.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

Cost: Always Free

Questions or help with Directions... call: Scott Foster 512-637-9824.

When: June 24th, 2008, 11:30am - 1:00pm

Who: Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP SoC Live CD project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project

A.J.'s Bio: A. J. Scotka, Senior Software Quality Engineer, Texas Education Agency. As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently responsible for quality reviews on design and code, the software configuration management process, the build engineering process, the release engineering process, verification and validation throughout the life cycle, and overall quality improvement across all areas of enterprise code manufacturing.

Topic: Securely Handling Sensitive Configuration Data.

One of the age-old problems with web applications is keeping sensitive data available on a need-to-know basis. The classic case of this is database credentials. The application needs them to connect to the database, but developers shouldn't have direct access to the DB - particularly the production DB. The presentation will discuss how we took on this specific problem, our determination that this was a specific case of a more general problem, and how we solved that general problem. In our solution, sensitive data is only available to the application and trusted 3rd parties (e.g. DBAs). We will then cover our implementation of that solution in a .Net 2.0 environment and discuss some options for J2EE environments. So far, we have used our .Net solution successfully for database credentials and the private encryption keys used in XML-DSig.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: May 27th, 2008, 11:30am - 1:00pm

Who: Nathan Sportsman and Praveen Kalamegham, Web Services Security

Topic: Web Services Security

The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products, giving increased power and interoperability to their customers. However, the power web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security), including their history, pros and cons, and current status. Finally, we will attempt to extrapolate the future of this space to determine what changes must be made going forward.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

When: April 29th, 2008, 11:30am - 1:00pm

Who: Mano Paul

Bio: Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma, where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President & CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2's OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive. He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training & Education.

What: Security – The Road Less Travelled

Abstract - What do you think Shakespeare had to say about Software Security? What does a naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet Robert Frost ends with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side. Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

When: March 25th, 2008, 11:30am - 1:00pm

Who: Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Topic: Static Analysis Techniques for Testing Application Security

Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FxCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

February 26th, 2008 - Michael Howard, Author of Writing Secure Code

Topic: Microsoft's SDL: A Deep Dive

In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown

Where: Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See directions to Whole Foods.

When: December 4th, 2007, 11:30am - 1:00pm

Who: Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)

Topic: Business Logic Flaws

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem with business logic flaws is that scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend against them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.

This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Where: National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

November 27th, 2007 Austin OWASP chapter meeting - Robert Hansen (SecTheory.com, ha.ckers.org; regarded as an expert in Web Application Security)

Robert will be talking about different ways to de-anonymize and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.

Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. See directions to Whole Foods.

October 2007 Austin OWASP chapter meeting - October 30th, 11:30am - 1:00pm at National Instruments. "Social networking" by Rich Vázquez and Tom Brown - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future?

September 2007 Austin OWASP chapter meeting - Tue, September 25, 2007, 11:30 AM – 1:00 PM at Whole Foods, 550 Bowie Street, Austin. "Biting the hand that feeds you" - A presentation on hosting malicious content under well-known domains to gain a victim's confidence. "Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking. "Covert Debugging - Circumventing Software Armoring Techniques" - A presentation on advanced techniques for automating and analyzing malicious code.

August 2007 Austin OWASP chapter meeting - 8/28, 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.

July 2007 Austin OWASP chapter meeting - 7/31, 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery

June 2007 Austin OWASP chapter meeting - 6/26, 11:30am - 1:00pm at National Instruments. James Wickett from Stokes Cigar Club presented on the OWASP Top 10 and using Web Application Scanners to detect Vulnerabilities.

May 2007 Austin OWASP chapter meeting - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.

April 2007 Austin OWASP chapter meeting - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of Metasploit) will be presenting.

March 2007 Austin OWASP chapter meeting - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See directions to National Instruments.

January 2007 Austin Chapter Meeting - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.

December Meeting - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!

November 2006 Austin Chapter Meeting - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.

October 2006 Austin Chapter Meeting - 10/31 - Boo!

September 2006 Austin Chapter Meeting - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White

August 2006 Austin Chapter Meeting - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See directions to National Instruments. Hint: It is on your left on Mopac if you were heading up to Fry's from Austin.

Austin OWASP chapter kickoff meeting - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)

Presentation Archives
The following presentations have been given at local chapter meetings:

 * Using Proxies to Secure Applications and More - Austin OWASP Chapter, October 2008, Josh Sokol Presentation
 * OWASP Testing Framework - Austin OWASP Chapter, August 2007, Josh Sokol Presentation
 * Single Sign On (7/27)
 * A Rough Start of a Toolset for Assessing Java/J2EE Web Apps (7/27) - Matt Franz discussed some custom Python tools he has been writing for conducting security testing of Struts (and other Java) web applications.
 * AJAX Security: Here we go again (8/29) - Dan Cornell from Denim Group discussed security issues in one of the popular Web 2.0 technologies.