Seattle

Last Event 06 Sep (Thurs)
09/06/2007 @ 6PM PST - Seattle chapter meeting

Details:

Location: Bellevue Las Margaritas, 437 108th Ave NE, Bellevue, WA 98004, (425) 453-0535

Time: 6 o'clock

Speakers:
 * Rob Rachwald - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain.  Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.
 * Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly?  How are developers trained to write code securely?  How are software security tools, such as dynamic and static analysis, deployed for optimal use?
 * Damon Cortesi - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.
 * Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that developers can put into place to prevent these common hacking techniques.

Update: Rob's slides can be downloaded from here.

Update #2: Damon's slides can be found here.

Past Events
2/28/2007 @ 6PM PST - Seattle chapter meeting

Details:

Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)

Time: 6 o'clock.

Speakers:
 * Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:
 * Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).
 * OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.

 * Brad Hill (Senior Security Consultant with iSEC Partners), will be speaking on:
 * XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.

Past Meetings
1/8/2007 @ 6 o'clock - Seattle chapter meeting.

Details:

Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)

Time: 6 o'clock.

Speakers:

Ward Spagenberg of IOActive on the topic "Unraveling PCI".

Since there will be free food, beer and pop, please let Mike de Libero know if you are coming so we know how much to order. We look forward to seeing you all there!