Cleveland

Upcoming Meetings
Sam Nasr - September 9th from 11:00 am - 1:00 pm

Presentation: Tools and Procedures for Securing .NET Applications

Abstract: With security attacks on the rise, protecting your applications and data is more of a necessity than ever before. We’ll discuss some of the features provided by Visual Studio and the .Net framework, such as Dotfuscator, SignTool, and encryption tools. In addition we'll look at other protective measures such as early intrusion detection, mitigation, and Social Engineering. These are topics not typically covered in other security presentations or material.

Speaker Bio: Sam Nasr has been a software developer since 1995, focusing mostly on Microsoft technologies. Having achieved multiple certifications from Microsoft (MCAD, MCTS(MOSS), and MCT), Sam develops, teaches, and tours the country to present various topics in .Net Framework. He is also actively involved with the Cleveland C#/VB.Net User Group, where he has been the group leader since 2003. In addition, he also started the Cleveland WPF Users Group in June 2009, and the Cleveland .Net Study Group in August 2009, and is the INETA mentor for Ohio. When not coding, Sam loves spending time with his family and friends or volunteering at his local church. He can be reached by email at sam@nasr.info.

-

We are always looking for new speakers to present at our meetings! If you are interested in speaking at an upcoming OWASP meeting, please contact Courtney Satink at [mailto:csatink@securestate.com csatink@securestate.com] with your idea.

Past Events:
Bill Sempf (@sempf) - January 28 from 11:00am - 1:00 pm

Presentation: Cracking and Fixing REST Services

Abstract: REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it - we can write programs with REST. The problem is that writing properties and functions using the web's transfer protocol open them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle - fixing them is a whole other story. You'll need the details, and you'll get them here.

Speaker Bios: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.

-

Márion Nepomuceno & Kris French - July 17 from 11:00am - 1:00pm

Presentation: Security Omnipresence: Infiltrating Every Level of a Mature Development Lifecycle

Abstract: It’s easy for a security professional to feel like he’s alone, especially when there are already mature processes in place designed to function without him. And if he does finally break into the development lifecycle, he certainly can’t be everywhere at once. Or can he? We’ll show you how we infiltrated the development lifecycle, spread the message of security, and recruited shadowy agents of change to achieve security omnipresence.

This presentation tells the story of how we were able to integrate concepts from the MS security development lifecycle into the long-established processes in our company. We'll talk about how the initiative started independently in 2 departments for different reasons, yet we combined all our efforts to create a very effective and customized security program.

From our participation in local infosec groups and meetings, we realized that security professionals are having trouble truly integrating security into their company's processes and culture. This talk actually was born from a request by our local OWASP chapter for us to tell the story of how we got as far as having QA doing security testing on top of Development following SDL practices.

Moreover, people seem to get hung up on the idea that security tools and software will solve their problems, when that's not the case. Security is all about the mindset, and that's one of the main points we want to convey.

Speaker Bios: Marion Nepomuceno - is a security engineer at Hyland Software in charge of developing training materials, and working closely with the nearly 200-person development staff on improving their secure coding skills and the security of the product. Marion has given several presentations and classes to audiences of varying sizes on the topic of security concepts and the SDL. He headed up the project to re-fit Microsoft's SDL processes to work within Hyland which houses several different waterfall-based and agile processes. This project has enjoyed significant success that has drawn the attention of the local security community.

Kris French - is a security tester at Hyland Software, and single-handedly created the security program for the QA department. Kris is in charge of creating training materials, creating and leading classes for his security-focused internal education track, managing the QA security champions group, and collaborating with development to aid in the creation of an overall security direction for the company. Kris is also an active member in his local security community and frequent contributor to the proceedings of the OWASP Cleveland chapter. How to foster company-wide adoption

-

Bill Sempf (@sempf) - Thursday, April 10 from 11:30am - 2:00 pm

Presentation: Information Disclosure: Looking Beyond Vulnerabilities to Freebies

Abstract: While the application security community is focused on tools that test for various vulnerabilities, your servers, developers and organization could be giving out valuable details that just makes an attacker's job so much easier - free information. No vulnerability scanner will find the Stack Overflow post with admin credentials, or the 'hidden' file with a test account, or that obscure error message that makes your database barf. Bill will take you through hands on testing that you can try today: finding out about what your applications, servers, networks, and people are telling attackers about your innermost secrets.

Speaker Bio: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.

-

Chris Clymer - Wednesday, January 8th from 11:00am - 2:00pm

Presentation: "Lessons Learned from HealthCare.gov - Integrating Security into Complex Software Deployments"

Video of January's Presentation, Lessons Learned from HealthCare.gov, is available HERE

Abstract: The recent problems with Healthcare.gov highlight the fact that many organizations still struggle to secure applications they develop. During this talk, SecureState will take an apolitical approach to looking at what lessons can be learned from the Healthcare.gov rollout and how these lessons can be applied to software you are developing. During this talk, SecureState will use firsthand experience gained from helping a state based health exchange become operational and compliant to the various federal security standards, as well as public information on the security challenges the national exchange faces.

Speaker Bio: Chris Clymer - As the Manager of SecureState’s Advisory Services practice, Chris Clymer works on the design and management of Security Programs as clients’ Security Program Manager (SPM). Chris’s core strengths of developing complex strategies and establishing specific priorities are keys to his ability to provide expert advisory leadership to clients looking to him for guidance. His expertise at defining objectives and conducting in-depth research also serves him well in this capacity. Chris questions frequently and thoroughly, initiates innovation, and improvises solutions – all valuable skills for leading our Advisory Services practice. Chris holds several industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC Certified Penetration Tester (GPEN), GIAC Certified Web Application Penetration Tester (GWAPT), and provisional ISO 27001 Auditor.

-

Matt Neely & Tom Eston - Monday, April 29th from 11:00am - 2:00pm

Presentation: "Threat Modeling - The First Step in Secure Application Development"

Video of April's Presentation, Threat Modeling - The First Step in Secure Application Development, is available HERE

Abstract: Application security issues continue to be a growing concern for businesses large and small. In fact, many people would be surprised to find that some of the most popular mobile apps downloaded are vulnerable to issues found in the OWASP Mobile Top 10 list of common vulnerabilities.

To address these issues security needs to be integrated into the software development life cycle (SDLC) used by the developers. When developing an application in a secure manner threat modeling is an important but often forgotten first step.

This talk will start out an overview of where to integrate security into the SDLC process. The remainder of the talk will focus on the threat modeling portion of the SecSDLC. During this stage the OWASP Mobile Threat Model will be introduced. To provide real world examples vulnerabilities found in many of the top 25 downloaded apps found in the Apple App Store and Google Play will be covered.

Speaker Bios: Matt Neely is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm. At SecureState Matt leads the Research and Innovation team which focuses on imagining, researching and developing methodologies and tools that will solve industry related issues. In addition to Matt’s technical background, his strong understanding of business processes and organizational structure allow him to meet the security needs of the business world. Matt is a regular speaker at various business and security user groups and conferences including Black Hat, Defcon, THOTCON and ShmooCon. Matt recently published the book Radio Reconnaissance in Penetration Testing.

Tom Eston is the manager of the Profiling and Penetration Team at SecureState. Tom leads a team of highly skilled penetration testers that provide attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile applications. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is a security blogger, SANS Mentor, co-host of the Social Media Security podcast, and is a frequent speaker at security user groups and worldwide conferences including Black Hat, DEFCON, DerbyCon, Notacon, SANS, OWASP AppSec, and ShmooCon.

-

Joe Kuemerle - Tuesday, December 18th from Noon – 2 p.m.

Presentation: Reverse Engineering .NET and Java

Abstract: Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. Enjoy a demo filled session on how easy it is to extract information from virtually any .NET or Java application.

Speaker Bio: Kuemerle is a developer and speaker in the Cleveland, OH area specializing in .NET development, security, data base and application lifecycle topics. He is currently a Lead Developer at BookingBuilder Technologies and is active in the technical community as well as a speaker at local, regional and national events.

-

Kevin Johnson - Tuesday, March 22nd Noon – 2pm

Presentation:“Ninja Developers: Application Security Testing and Your SDLC.”'''

Abstract: The security of enterprise software is one of the key risks organizations can start to control today. As new applications are developed and legacy software is updated, incorporating a measure of security testing can be one of the most critical ways to positively impact an organizations security posture. To properly validate the security of enterprise applications a 3rd party penetration test or assessment may be enlisted - but the cost of testing each application quickly makes this impractical. This situation presents a challenging problem.

Kevin Johnson will explain how your development staff can incorporate techniques distilled from years of experience into your organization's development and release methodology. Whether you're using Agile, RUP or Google programming, these tips and tricks will enable your developers to produce higher quality, more secure code right from the start. Kevin will reveal some of the secrets of the masters learned from experience and industry leadership over the past decade - and show you how you can insert security into your software development lifecycle with minimal disruption and maximum effectiveness.

Speaker Bio: Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking.

-

Chapter Meetings
To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Our chapter is sponsored by SecureState.

Cleveland OWASP Chapter Leaders
The chapter leader is [mailto:kstasiak@securestate.com Ken Stasiak]