OWASP Week September 2007

This page will contain the outcome of the multiple OWASP Chapter events that will occur during during the week 5th Sep -> 12 Sep (see OWASP Day)

Washington DC
All presentations can be found at the link below.

Washington_DC_LIVE-O

Getting started with WebGoat & WebScarab (Erwin Geirnaert)
Download presentation.

In this tutorial you will learn how to use WebScarab to solve the lessons in WebGoat.

Following points will be explained:
 * Configure WebScarab as a local proxy
 * Intercepte HTTP requests and responses
 * Modify HTTP requests to solve the lesson “Hidden field manipulation”
 * Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”
 * Use the session analysis tab in WebScarab
 * Use the web services tab in WebScarab
 * Use WebScarab to analyze Ajax XML messages

!! Prerequisites:
 * Bring your own laptop with you!
 * Download WebScarab onto your laptop
 * Download WebGoat onto your laptop

Erwin Geirnaert is CEO and co-founder of ZION Security. He is a renowned application security expert and has presented on various conferences like Javapolis, Eurostar, Owasp,… about web security. He is board member of OWASP Belux and actively involved in various OWASP projects like OWASP Java and OWASP WebGoat. Because of his technical experience he loves to do security testing, code review, reverse engineering,.. for Fortune 1000 companies in Europe. More information can be found on his LinkedIn profile: http://www.linkedin.com/in/erwingeirnaert.

OWASP Evaluation and Certification Criteria Draft (Mark Curphey)
Download presentation.

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

Mark Curphey ran Foundstone consulting from 2003 until late 2006 during which time the company was sold to McAfee. Before joining Foundstone Mark was the Director of Information Security at Charles Schwab (responsible for the software security program) and has also worked for ISS and several financial services companies in Europe. Mark has a Masters degree in information security from Royal Holloway, University of London and was the original founder of the Open Web Application Security Project (OWASP).

Automated Web FOO or FUD? (David Kierznowski)
Download presentation.

We take a look into automated web application testing technologies and their effectiveness against real life applications.

Also, we look into one of GNUCITIZENs latest projects, The Technika Security Framework (TSF), which will enable users to automate security testing directly from their browser.

David Kierznowski currently works as a Senior Security Analyst for a leading penetration testing company in the UK. He has worked in the security industry for the past 6 years. David is also the founder of both michaeldaw.org and blogsecurity.net and is an active member of the GNUCITIZEN group.

OWASP Pantera Unleashed (Simon Roses Femerling)
Download presentation.

The presentation will provide a glimpse into what Pantera can offer when performing blackbox web assessments. In the age of Web 2.0 we need powerful tools that provide us rich and accurate information and allows us to manipulate that information into our advantage, that's what Pantera is all about.

Simon Roses Femerling is a Security Technologist at the ACE Team at Microsoft. Former PwC and @Stake. He has many years of security experience where he has authored and cooperated in several security Open Source projects and advisories. Simon is natural from wonderful Mallorca Island in the Mediterranean Sea. He holds a postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts.

CLASP, SDL and Touchpoints Compared (Bart De Win)
Presentation pending paper publication.

Over the years, specific methodologies and techniques for secure software engineering have been proposed, yet dedicated processes have become available only recently. In this presentation, the highlights of an activity-driven comparison of three high-profile processes for the development of secure software are presented.

Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.

Threats of e-insecurity in Belgium and the Belgian response (Luc Beirens, FCCU)
Download presentation.

The presentation will give a short overview of the actual threats on the e-society in Belgium. How are public and private sector organized (or not) to tacle the different problems ? What are the tasks of the police within this framework ?

Since 1991, chief superintendent Luc Beirens is engaged in computer forensics and cyber crime investigations. He is head of the Federal Computer Crime Unit of the Federal Police since 2001. Aside consulting his detectives in current cyber crime investigations, he is responsible for the reorganization, the equipment and the training of Belgian police services concerned with cyber crime investigations. As member of the European Working Party on Information Technology Crime (EWPITC) of Interpol since 1995 and the EUROPOL cyber crime expert group since 2001, he has cooperated in writing several documents concerning computer forensics and cyber crime investigations. He lectures in these fields at several police academies and universities. His is involved in several organizations and platforms that are concerned with e-security, ICT forensics and cyber crime combating. Before his detective career, he has worked from 1987 till 1995 as analyst and project manager on the development of the Police Information System of the Belgian Gendarmerie. He holds master degrees in criminology and information technology.

For my next trick... hacking Web2.0 (pdp)
Download presentation.

Web2.0, if I can summarize it with a few simple words, is all about communication, distribution, information, agents, clients and servers. Those who understand the 2.0 fundamentals have the power to manipulate the global Web to suit their needs - hackers, the new digital breed of the 2.0 world. Web2.0 hacking is a mean for communicating and distributing critical information in a better way. It can be used to build ghost infrastructures from where to launch attacks - anonymously, no traces, nothing. Web2.0 hacking is also about the thin line between client-side and server-side security. It is about the endpoints and the electronic highways. It is about reaching the masses and yet being able to perform attacks on specific targets. Web2.0 hacking is also about distribution and influence, covert channels, bots, IA, ghosts inside the electronic frame. Web2.0 hacking is also a movement, a cyber subculture where individuals show their technical abilities, and understandings of the world and use that to manipulate their way through the system.

Web2.0 hacking practices should never be related to AJAX and JavaScript exploitation techniques only. Although it is true that client-side security has a significant part of the Web2.0 ecosystem, it is important to realize its role. There are far too many other aspects that we need to look into. My aim is to cover these aspects and reveal the hidden dangers.

Petko D. Petkov, a.k.a pdp (architect), is the founder and leading contributer of the GNUCITIZEN group. He is a senior IT security consultant based in London, UK. His day-to-day work involves identifying vulnerabilities, building attack strategies and creating attack tools and penetration testing infrastructures. Petko is known in the underground circles as pdp or architect but his name is well known in the IT security industry for his strong technical background and creative thinking. He has been working for some of the world's top companies, providing consultancy on the latest security vulnerabilities and attack technologies.

San Antonio
Here is the Bruce Jenkins presentation on Developing an Application Security Strategy for Large Enterprise Systems:

Israel
OWASP IL 8th meeting at the OWASP week - Meeting program and presentations.

Turkey
Introduction


 * Turkish Subtitle by Bedirhan Urgun (delete .ppt extension) for Jeff Williams's OWASP Day Intro movie

 Privacy in Governmental Insitutions - A Current State Analysis


 * OWASP2007_KamudaPrivacy.ppt‎

Presentation discusses the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues. Getting off with general privacy problems, in specific, information about the privacy issues related to web applications is given. Moreover, concrete suggestions on providing a solid privacy in these institutions are presented.

Hayrettin BAHŞİ Chief Researcher CC Lab-UEKAE TUBITAK

 Secure Web Application Development 
 * Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt

Presentation points out the vitality of security phases and touchpoints in SDLC, web applications' in specific. It goes over the principles, patterns, threat modeling as well as other important factors that comprise specification, development, testing phases of a secure application process.

Korhan GÜRLER Chief Researcher PRO-G

Discussion

Answers to Panel questions can be found at under the title of Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)

Italy
All presentations can be found here

Rochester
2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]

Abstract: Web application security vulnerabilities remain by the far the most frequently reported vulnerability category. In spite of wide spread use, and very frequent vulnerabilities, most web applications are still not being securely developed and deployed. The presentation will demonstrate why experts estimate the percentage of vulnerable web application range from 75% to 99% and review the 2007 OWASP top 10 web applications security vulnerabilities.

Ottawa

 * Presentation: What is Cardspace? By Christian Beauclair - Microsoft

The impact of phishing and other forms of online identity phraud has grown enormously in the last few years. Today, people are starting to curb their activities online due to fears of phishing and phraud and because they just can’t be bothered to fight through today’s online authentication systems such as multiple usernames and passwords, Captcha control and OTP tokens. In this session we’ll explore some of the core issues facing our identities online and then discuss how technologies such as Windows CardSpace enable users to authenticate and/or present personal information more easily and safely to sites that they know are legitimate.

Belgium

 * How many participants: 80+
 * How long did the event last: 8 hours
 * Pictures: (to upload)
 * Presentations: on the chapter page
 * Answers to Panel's questions:

London

 * How many participants: 15
 * How long did the event last: 2 1/2 hours
 * Pictures: (Ivan to upload)
 * Presentations: (pdp to upload)
 * Answers to Panel's questions: (Ivan to provide)

Washington DC

 * How many participants: 50
 * How long did the event last: 5 hours
 * Pictures: none
 * Presentations: Links above
 * Answers to Panel's questions: No time for a panel

Special thanks to the Organizations that made the mini-conference possible.

MITRE HoneyClient project

Grant Thornton LLC

Aspect Security

San Antonio

 * How many participants: 25
 * How long did the event last: 1 1/2 hours
 * Presentation: Bruce Jenkins "Developing an Application Security Strategy for Large Enterprise Systems"

Turkey

 * How many participants: 10
 * How long did the event last: 3.5 hours
 * Pictures: (on Bunyamin)
 * Presentations: (look above)
 * Answers to Discussion questions: (look above)

Israel

 * How many participants: 60
 * How long did the event last: 3 hours
 * Pictures: We seems to have no geeks with 2M phone cameras (and the leader forgot his :-
 * Presentations: Meeting program and presentations.

Italy

 * How many participants: nearly 110 (160 subscriptions)
 * How long did the event last: 4.5 hours
 * Pictures:
 * Presentations: here

Rochester

 * How many participants: 11
 * How long did the event last: 2 hours
 * Presentation: 2007 OWASP Top 10 Most Critical Web Application Security Vulnerabilities, by Ralph Durkee [[Media:OWASP_Top_10_2007_v6.ppt|PowerPoint]]
 * Meeting Minutes: [[Media:2007-09-10_Rochester_OWASP-Meeting-Minutes.pdf|PDF]]

Ottawa

 * How many participants: 10
 * How long did the event last: 2.5 hours
 * Presentation: What is Cardspace? By Christian Beauclair - Microsoft

[[Media:Windows_CardSpace_for_OWASP.zip|PowerPoint]]