Louisville

Upcoming Events
1. Early Bird registration for OWASP AppSec DC 09 ends on Friday! Don’t miss out on the savings. Register today! http://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC#tab=Welcome

2. OWASP will be hosting the 2009 OWASP Global Summit on November 11, 2009, the day prior to AppSec DC. Summit information can be found here: http://www.owasp.org/index.php/Summit_2009 Please make plans to extend your stay in DC to participate in this event.

3. CFP for OWASP Italy Day IV has been extended to October 3, 2009. http://www.owasp.org/index.php/Italy_OWASP_Day_4

January 2010 Meeting
Louisville OWASP Chapter - Fourth Meeting, Friday January 29th, 2010

'''Please Note: RSVP Required! The meeting location this quarter has a capacity of 40 persons.''' Please send your RSVP as soon as possible to ensure a seat and lunch. We apologize for any inconvenience this may cause and are seeking a larger venue for future meetings.

To RSVP: Just send a reply to brian.r.blankenship@gmail.com and indicate how many are coming.

Date/Time: January 29th, 11:30 AM - 1:00 PM
Location: MetroSafe Building, 410 S. Fifth Street (there is a parking lot across the street, and a parking garage 1/2 block away).

Lunch is being provided by Imperva and Accuvant, and the room by Louisville Metro. Thank you all for supporting the Louisville OWASP chapter!

Speaker: Rafal Los will be discussing Flash and Web 2.0 security (see bio below).

''“Rafal Los, Security Specialist with Hewlett-Packard's Application Security Center (ASC), is an industry veteran who has worked in a variety of security positions, from consultant to Information Security Officer in the Fortune 100, within some of the most demanding business environments. Rafal’s unique blend of technical expertise and business knowledge enables him to teach audiences about security techniques, programs and processes that they can both understand strategically and realistically apply. He has extensive experience in security testing, risk analysis and management, penetration testing, and architecture and policy. Previous successes include building and implementing a successful web application security program for one of the largest and most diverse companies in the world.”''

September Meeting
Louisville OWASP Chapter – Third Meeting, Friday September 18, 2009

Hello all,

The Louisville OWASP chapter will be presenting its third meeting on September 18, from 11:30 AM – 1:00 PM. Louisville OWASP meets on a quarterly basis and has had meetings in March and June of this year. Our first discussion featured Curtis Koenig and Mitch Greenfield, both from Humana, and our second featured Adrian Crenshaw of Irongeek. These meetings feature a free, vendor-agnostic discussion on relevant application security and OWASP topics. Our meetings have been well attended and have received very positive feedback, and we look forward to providing the same forum in the months and years to come.

For those not familiar with OWASP (or the Open Web Application Security Project), it is a worldwide free and open community focused on improving the security of application software. The OWASP mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of the OWASP materials are available under a free and open software license. Around the world, OWASP sponsors local chapters that are FREE and OPEN to anyone interested in learning more about application security.

The third OWASP meeting will feature a presentation from Rohyt Belani of Intrepidus Group.

'''Along with being the CEO and co-founder of the Intrepidus Group, Rohyt is also Adjunct Professor at Carnegie Mellon University. Prior to starting the Intrepidus Group, Mr. Belani held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT. He is a contributing author for Osborne’s Hack Notes – Network Security, as well as Addison Wesley’s Extrusion Detection: Security Monitoring for Internal Intrusions. Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, DallasCon, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military. He has written technical articles and columns for online publications like SecurityFocus and SC Magazine, and has been interviewed by BBC Radio, Forbes magazine, TechNewsWorld, InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker Japan. Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a world-wide consortium of Java security experts.'''

Please see the description from Rohyt on his presentation on the 18th.

'Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies... and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a hacker's repertoire. Phishers are combining social engineering with application security flaws in well-known websites to make automated detection of targeted phishing attacks almost impossible. The result: hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.'

Our meeting location will be at Memorial Auditorium, located at 970 S. 4th Street (Corner of 4th Street and Kentucky Street). Please check out our website at http://www.owasp.org/index.php/Louisville. Lunch will be included.

Please RSVP to Kristen Sullivan, at Kristen.sullivan@ky.gov.

We want to send out a big THANK YOU to Louisville Metro for graciously allowing us to use their space!

Those in attendance may be eligible for a pass to the 7th Annual Louisville InfoSec Conference on Oct 8th at Churchill Downs. See the conference page at www.louisvilleinfosec.com for more information.

Thanks and we hope to see you on September 18th!

Past Meetings
June 2009
The second OWASP meeting featured a presentation from Adrian Crenshaw of Irongeek. Adrian is a Louisville-based security professional who has worked in the IT industry for the last twelve years.

Adrian runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He's currently working on an MBA, but is interested in getting a network security/research/teaching job in academia. Please see the description from Adrian on his presentation on the 19th.

Title: Mutillidae: Using a deliberately vulnerable set of PHP scripts to illustrate the OWASP Top 10

Description: A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes. Of course, I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application, and it's written in J2EE (not a layman-friendly language). In an attempt to have something simple to use as a demo in my videos and in class, I started the Mutillidae project.

Mutillidae is a deliberately vulnerable set of PHP scripts meant to illustrate the OWASP Top 10. This talk will cover installing Mutillidae in a test environment, and how to use it to illustrate the OWASP Top 10 web vulnerabilities in easy to understand terms.

Our meeting location will be at Memorial Auditorium, located at 970 S. 4th Street (Corner of 4th Street and Kentucky Street).

March 2009
The first Louisville OWASP meeting will coincide with the Kentuckiana ISSA March meeting, on Friday March 6, 2009. The Louisville OWASP chapter is closely associated with the Kentuckiana ISSA chapter and will offer ISSA members, other security professionals, application developers, and all other interested parties a free forum to learn about and discuss the newest developments in application security. Following March’s meeting, we will meet quarterly on a different day and time. Information on future meetings will follow soon. Please provide feedback to the board.


 * When: Friday, March 6, 2009, from 11:30 am to 1:00 pm @ Innovative Productivity / McConnell Technology, 401 Industry Rd, Louisville, KY 40208

If you plan to attend the meeting please RSVP by email to [mailto:Kristen.Sullivan@ky.gov Kristen Sullivan].

Everyone is welcome to join us at our chapter meetings.

Louisville OWASP Chapter Board Members
The scope of the board is to discuss and approve local activities, meetings and plans. The board meetings will be announced at a later date. The board currently includes the following members:
 * Chapter Leader: [mailto:cparker@accuvant.com Chris Parker]
 * [mailto:Kristen.Sullivan@ky.gov Kristen Sullivan]
 * [mailto:CHAlexander@ups.com Carl Alexander]
 * [mailto:Brian.Blankenship@kindredhealthcare.com Brian Blankenship]
 * [mailto:mitch.greenfield@gmail.com Mitchell Greenfield]
 * [mailto:mthacker@humana.com Mark Thacker]
 * [mailto:agupta@humana.com Ajay Gupta]
 * [mailto:mmaxey@accuvant.com Mark Maxey]
 * [mailto:jkoenig@humana.com Curtis Koenig]
 * [mailto:scott_macarthur@b-f.com Scott MacArthur]

Join our group on LinkedIn
http://www.linkedin.com/groups?gid=1917263

Meeting Presentations
We are now trying to record video of all of our presentations thanks to our newest board member, Adrian Crenshaw! The taping of our meetings will be with the consent of our speakers. Thanks.

March 2009 Presentation

June 2009 Presentation Adrian Crenshaw

September 2009 Presentation Rohyt Belani

About OWASP
The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional-quality, open-source documentation, tools, and standards. Consult the How OWASP Works web page for more information about projects and governance.

OWASP Membership

OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand, OWASP relies on membership fees and sponsorship to support its activities. There are also unique benefits to becoming a corporate member, such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.

Articles, Links, etc.
OWASP article covering the official SCG release, published in Dark Reading:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=216402325

The Rocky Road to More Secure Code

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=216403548&cid=nl_DR_WEEKLY_T

OWASP Sheds Light on its Security Standards

http://www.sdtimes.com/OWASP_SHEDS_LIGHT_ON_ITS_SECURITY_STANDARDS/About_OWASP_and_SECURITY/33469