Toronto

The mailing list archive can be accessed from here.

Upcoming Presentations
Date/Time: July 10, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to patrick.szeto@owasp.org or yuk.fai.chan@owasp.org to confirm your presence.

OWASP: Beyond the Top 10

Presenter: Andre Rochefort, TELUS

Join us as we take a guided tour through some of OWASPs lesser-known projects -- present and future. For students and new entrants to the application security profession, get practical advice on options for building and honing your skills. Developers and administrators alike might benefit from an overview of OWASPs projects for secure SDLC, source code review, and vulnerability assessment and mitigation. The seasoned professionals can engage in a lively discussion and critique of OWASP projects in the pipeline, and how the community as a whole is tackling security for the web, mobile, and beyond. An OWASP session featuring a buffet of OWASP offerings and a potluck of alternatives and enhancements.

Your host for this session is Andre Rochefort, an infosec veteran and lifelong computer geek. As a developer, a security auditor, and a loudmouth conference heckler, Andre offers a wealth of experience and anecdotes, with a generous helping of opinion. His day-to-day activities at TELUS include source code analysis, vulnerability assessments and penetration tests, with a heavy focus on web and mobile application security.

Previous Presentations
Date/Time: May 8th, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Secure Code Review

Presenter: Sherif Koussa

Secure Code Review is the best approach to uncover the largest number ofsecurity flaws in addition to the most stealth and hard to uncover security vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application "SecureTickers" pulled from SourceForge. You will get an introduction to Static Code Analysis tools and how you can extend PMD (http://pmd.sourceforge.net/), the open source static code analysis tool, to catch security flaws like OWASP Top 10. Expect lots of code, tools, hacking and fun!

Date/Time: March 20th, 2013, 6:30 - 8:30 PM EST

Location: PwC Tower, 18 York Street, Suite 2600, Toronto ON M5J 0B2

''Due to fire and building regulations, there is a maximum occupancy allowed in the venue, so if you would like to attend it is very important that you RSVP at yuk.fai.chan@owasp.org to confirm your presence!

NFC Threat Landscape

Presenter: Geoff Vaughan, Security Compass

Near Field Communication is on pace to be one of the most explosive technologies in North America for 2013. Over 2012 we’ve seen a number of industry steps to making this a reality. Nearly all phone makers are putting NFC into all new phones they develop. Over the last year we have also seen widespread adoption by a large number of financial institutions to put NFC into all their new credit cards and banking cards as well as many mobile payment systems now accepting the technology. At this point we need to take a step back and evaluate the implications of having NFC always enabled on a consumer phone and the implications of storing mobile payment data on an individuals phone. NFC technologies are intimately embedded into all core features of a smart phone and this presents a very large attack and vulnerability surface for an attacker to potentially exploit.

Wednesday, July 11th 2012, 6:30-8:00 PM EDT - ''Security Community Engagement

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: Mozilla is one of the most successful open source projects in existence, and has helped transform the way users and developers interact with the Internet. In the last few years there has been many new ways to use the Internet, including new competitors in the Browser market, mobile and desktop Apps, and a proliferation of platforms, APIs, and new technologies. Mozilla has a strong base of contributors to many areas, including Firefox, Thunderbird, our huge Add-On collection, and our support sites, but not many people know that Mozilla is also open to community engagement with our Security program as well! In this discussion I will explain how our Security program functions, and how and where we are looking for improved engagement and contribution from the community, and some of the benefits to contributing!

Speaker Bio:

Yvan Boily is an Application Security Manager with Mozilla Corporation, where he manages one of two application security teams focused on the security of Mozilla web properties and end-user applications.

Thursday, May 10th 2012, 6:30-8:00 PM EDT - ''Application Security ISO

'''Location: RBC Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: ISO/IEC 27034 - Part 1 was published in November 2011 and the remaining parts (Part 2-6) are expected to be published soon. What does this mean to your organization or your clients who wish to adopt or incorporate this ISO standard for their software application? This overview will walk through the key sections of standard and highlight the process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. We will also attempt to compare these key points against other industry guidelines to determine the overall intentions and objectives of the standard.

Speaker Bio: TAK CHIJIIIWA, CISSP, CSSLP

Tak Chijiiwa has over 12 years of IT security experience. Tak has been involved in a wide spectrum of information security strategy and advisory engagements for various Fortune 500 clients globally in the healthcare, financial, education, utilities, transportation and government sector. Prior to joining Security Compass, Tak worked at Deloitte & Touche, LLP as a Manager of the Vulnerability Management team in Toronto, Ontario for 6 years and at Kasten Chase Applied Research as a Development Manager in Mississauga, Ontario for 4 years.

Wednesday, September 14th 2011, 6:30-8:00 PM EDT  - ''Introducing Vega, a New Open Source Web Vulnerability Scanner

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to owasp-rsvp@securitycompass.com to confirm you attendance.

Description: David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

Speaker bio: David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal.

Wednesday, May 11th 2011, 5:00-6:00 PM  - Mobile Security for the Forgetful

Location: Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yukfai at securitycompass dotcom

Description: You’ve accidentally misplaced your company or personal mobile phone in a public location. In this scenario, what threats do you and/or your organization face?

This talk will be about the worst case scenario in mobile security: when the attacker has physical access to the phone. According to DataLossDB, about 1/5 of all data breaches they have recorded are due to lost or stolen laptops. Phones are much easier to lose (or steal) then laptops, and these days the data on our phones can be as confidential as the data on our laptops.

This talk will go over physical access attacks from an attacker’s perspective, discuss ways of coding mobile applications to defend against these kinds of attacks, and discuss some ways of securing our phones as users. Technical details in this talk will focus on the Android platform.

Length: 60 minutes

Speaker Bio: Max Veytsman is a Security Consultant with Security Compass. He specializes in web and mobile security assessments. Max also leads Security Compass' training development in the mobile space. Max studied Computer Science at the University of Toronto. His interests include cryptography, programming language design, and computer vision.

Wednesday, February 16th, 6:00 PM- How Auditors Certify Computer Systems – A Look at Third Party, Non-Vendor, Legally Mandated System Certifications

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description:“Certifications” abound in the world of IT – from signoffs by internal security professionals to the advertising claims of vendors, but few, if any of these, have true legal standing. As a consequence, customers and clients of organizations which process sensitive transactions or retain confidential data are increasingly demanding third party, non-vendor, legally mandated system certification as a pre-requisite to doing business.

•	What are these certifications and who can issue them?

•	Under what circumstances are certifications likely to be required?

•	What standards do certifiers use – and does it matter?

•	What information and evidence do auditors need in order to complete their work?

•	How can information systems professionals prepare for a certification audit and ensure that the process is ultimately successful?

Our speaker, Jerrard Gaertner, CA•CISA/IT, CGEIT, CISSP, CIPP/IT, I.S.P., ITCP, CIA, CFI, Director of Technology Assurance Services at Soberman LLP, will address these and related questions based on his 25+ years as a systems auditor.

Wednesday, November 10th, 6:30 PM- Using Open Standards to Break the Vulnerability Wheel of Pain

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description: Ed is the Chief Information Security Officer responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business. With over 18 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, serves on the advisory board to the Society of Payment Security Professionals as well as its Application Security Working Group. Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as BlackHat, Metricon, CSO, OWASP, The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association. Additionally Ed is a contributing author to the O’Reilly book Beautiful Security.

 Meetings November 5th, 2009 (THURSDAY)

Location: 285 Victoria Street, 3rd Floor (Room number VIC306) NEW Location.

Date/Time: : November 5th, 2009, 6:00-7:30 PM EST (THURSDAY)

Title: Software Assurance Maturity Model

Speaker: Pravir Chandra, Fortify Software

Description:Software Assurance Maturity Model (OpenSAMM) The Software Assurance Maturity Model (SAMM) into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/

Bio:  Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

 Meetings August 19th, 2009 

Location: 285 Victoria Street, 4th Floor (Room number VIC405) NEW Location.

Date/Time: August 19th, 2009, 6:00-7:30 PM EST

Title: Will you be PCI DSS Compliant by September 2010?

Speaker: Michael D’Sa, Visa Canada

Description and Bio:  At this informative session, Michael D'Sa, Visa Canada's Senior Manager of Data Security and Investigations will talk to you about PCI DSS compliance within the Canadian marketplace. Michael will present the emerging data compromise trends, and will review the Canadian deadlines and mandates for Visa merchants. Michael D’Sa is the Senior Manager responsible for Data Security and Investigations at Visa Canada. Working at Visa Canada for over 14 years, Mr. D’Sa is currently in the Payment System Risk group. His responsibilities include managing the Account Information Security program, managing Data Compromise incidents, and supporting Visa banks on fraud investigations. Mr. D’Sa also acts as the primary liaison for Law Enforcement on Visa related fraud matters.

 Meetings May 13th, 2009 

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: May 13th, 2009, 6:45-8:00 PM EST

Title: Cross Site AJAX Hacking

Description: The era of AJAX technologies has only been possible after XMLHttpRequest released its full potential. But XMLHttpRequest has had a number of security concerns, in particular due to its ability to create flexible requests against web sites without the users knowledge. Up to now, the same origin policy limited the impact of this issue.

The Web 2.0 vision calls for the flexible use and rendering of information in mash-ups created by mixing content from various sources on the fly. This idea is not easily implemented in Javascript due to same origin restrictions. In order to allow for these features, XHR Level 2 and XDR have been developed to remove the same origin policy and allow the ability to request information from various sites. Current browsers make these functions available to developers and you will soon find sites that require them. The presentation will provide information on the mechanics of these cross site AJAX calls and their security impact.

As an add-on to the discussion - It has been a year since Johannes Ullrich have given a talk on Dshield Web App honeypot project. I will provide a small update on the progress of this project. It's a low key project but you may be amazed at what we are doing.

Presenter: Jason Lam

BIO:Jason is a senior security analyst at a major financial institute in Canada. He is also an author and instructor for SANS Institute where he writes courses on pentesting and defending web applications. In his ever diminishing free time, he helps with the SANS Internet Storm Center as an incident handler. He took on the role to be a leader for the Dshield honeypot project where logs from web honeypot all over the world are collected and analyzed.

 Meetings April 8th 2009 

 Wednesday April 8th 2009, 6:00-8:00 PM EST  at D&T, 4-179B, 121 King Street West, Toronto.

 Topic:  A Laugh RIAt – Rich Internet Application Security

 Speaker:  Rafal M. Los

 Description:  Rich Internet Applications [RIA] are popping up everywhere! Enterprises and boutique online shops alike are rushing to adopt these technologies without really thinking of the implications of moving pseudo-server functionality to the user’s desktop and browser. Hacking these applications has now moved from the challenge of compromising the server, to the significantly smaller challenge of compromising the client. You’ll be able to witness (and try!) first-hand how to manipulate an AJAX-rich web application you or your colleagues probably use many times; as well as see and understand how breaking down a Flash binary object (SWF file) isn’t difficult. These types of applications are now treasure-troves of goodies… don’t miss out on the simple ways you can security test these technologies on your desktop today!

 Future Talks:   May: </B> Douglas Simpson, Cenzic  Jun: </B> Jamie Gamble, Security Compass  Jul: </B> Jason Lam,  Aug: </B> Joe Bates  Sep: </B> Tyler Reguly, nCircle

We are looking for speakers, if you are interested in speaking on security topics please email [mailto:nish@securitycompass.com Nish Bhalla]

 Meetings November 13th 2008 

Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: November 13th 2008, 6:00-7:30 PM EST

Title: Web Application Security and the PA-DSS

Description: The Payment Card Industry's (PCI) Payment Application Data Security Standards (PA-DSS) version 1.1 was released in April 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed “as is”. This discussion will provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Whether you are a web application developer, tester, vendor or just interested in PCI and Payment Applications, this talk will have a message for you.

Presenter: A M Westgate M.Sc., B.Ed., CISSP, QSA, PA-QSA

BIO: A M brings a range of experience as a security systems analyst, a software engineer and as an information security instructor. She has participated in PCI Compliance engagements and PCI gap assessments. In addition, she has been the primary consultant on PA-DSS Validation, PA gap assessments and remediation engagements. A M has over 5 years experience in security software engineering, and has worked in Canada, USA, Ireland and England. She is a confident speaker, and a part time instructor of the CISSP preparation course in the continuing education department at a local university.

 Meetings August 14th 2008 

Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time:</B> August 14th 2008, 6:00-7:30 PM EST

Title:</B> An Introduction To Reverse Engineering Malware

Session Abstract:</B> This talk will cover the basics of setting up an environment to reverse engineer malware, and an introduction to some tools and techniques that can be used to determine what exactly that bit of unknown, potentially hostile code does. While this is an introductory talk, we'll definitely cover more than "run strings on the binary and see what you get!"

Presenters:</B> Seth Hardy, MessageLabs Inc.

BIO:</B> Seth Hardy recently moved to Toronto to do reverse engineering work for MessageLabs, as part of their antivirus research and response group. Before that, he worked mostly in the areas of vulnerability research and cryptography. In his spare time, Seth likes to work on community-building projects both online and off. He currently holds the GIAC GREM certification, and should have the CISSP before this presentation; if not, feel free to mock him mercilessly for it.

 Meetings July 16th 2008 

Location:</B> 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time:</B> July 16th 2008, 6:00-7:30 PM EST

Title:</B> Business Logic Flaws

Session Abstract:</B> How they put your Websites at Risk Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.The presentation will provide real-world examples of how pernicious and dangerous business logic flaws are to the security of a website. We'll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

<B>Presenters:</B> Trey Ford, Director, Solutions Architecture, WhiteHat Security, Inc.

<B>BIO:</B> Trey Ford is the Director of Solutions Architecture at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website security programs. Mr. Ford also spearheads WhiteHat's participation in the PCI Standards Council and assists customers in selecting WhiteHat services for compliance with the PCI Data Security Standard. In addition, Mr. Ford is a frequent speaker at industry events. Prior to WhiteHat, he was the Compliance Practice Lead at FishNet Security, an information security services provider based in Kansas City. Mr. Ford also founded and operated, Eclectix, a technology consultancy. He is a certified information system security professional (CISSP), a Microsoft Certified Systems Engineer, a Cisco Certified Networking Associate (CCNA), and a Payment Card Industry Qualified Data Security Professional.

 Meetings June 18th 2008 

Location: The next chapter meeting will be held on June 18th June at D&T, 4-179B, 121 King Street West, Toronto.

Date/Time: June 18th 2008, 6:00-7:30 PM EST

Description: Testing for certain web application vulnerabilities is tedious and time-consuming, and when combined with time constraints, full testing coverage is often not achieved. ExploitMe is a series of Open Source Firefox plugins released by Security Compass for this purpose - automated detection of XSS, SQL Injection, and access control (including the recently released HTTP verb tampering) vulnerabilities.

In this presentation Tom Aratyn and Sahba Kazerooni of Security Compass will demonstrate how the Exploit-Me series of tools can be used during penetration testing to find security vulnerabilities in real web applications.

Presenters: Tom Aratyn (Developer ExploitMe Series), Sahba Kazerooni (Security Consultant, Security Compass) [[Link title]]

 May 13th 2008 Meeting  The next chapter meeting will be held on May 13th at a <B>Different Location</B> Delta Meadowvale Resort & Conference Center, 6750 Mississauga Road, Mississauga, ON CA, Phone: 905-821-1981 Directions to the meetings

<B>Topic: </B> A Distributed Web Application Honeypot <B>Date/Time:</B> May 13th 2008, 6:00-7:00 PM EST <B>Description:</B> DShield.org has been extremely helpful in understanding network based attacks. However, over the last few years many interesting attacks target specific web application flaws which are not detected by DShield's sensor system. Collecting similar data for web applications has been challenging for a number of reasons. First of all, the data needed to understand a web application attack is much richer and a simple efficient data model as the one used by DShield will not provide sufficient details. If more detailed data, like complete requests, are collected, data privacy issues become more of a problem. Simple obfuscation or pattern replacement techniques are usually not sufficient to safeguard this information, or they will make it impossible to understand the attack. Lastly, many web application attacks use search engines to find vulnerable systems, instead of just attacking random servers. Over the next few months we plan to roll out a distributed web application honeypot. We will describe how this honeypot will be implemented to address these issues.

<B>Speaker BIO: Dr. Johannes Ullrich</B> SANS Institute As Chief Research Officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in Physics from SUNY Albany and is located in Jacksonville FL.

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

 22nd January 2008 Meeting 

The next chapter meeting will be held on Jan 22nd at <B>20the floor, 79 Wellington Street West, Toronto, ON M5K 1B9 </B>. Directions to the meetings

<B>Topic: </B>Modern Trends in Network Fingerprinting <B>Description:</B>

<B>Speaker BIO:</B> Jay Graver and Ryan Poppa are Lead Engineers at nCircle Network Security. They specialize in interrogating Applications and Services over the network. Their years of experience have been focused on the non invasive detection of vulnerabilities.

Current Areas of research include; HTTP server analysis, graph theory, SSL library fingerprinting and unobfuscation techniques.

Based in Toronto Ontario, they hold degrees from University of Guelph and the University of Waterloo. You can find their latest posts at blog.glaciertech.ca & numerophobe.com

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

Sponsorship
We always welcome sponsors for our chapter meetings. If you are interested, please contact [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan]

Speakers
We are always looking for speakers to present on their topic of choice. If you are interested please contact [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan]

OWASP Toronto Chapter Committee
The current chapter leaders are [mailto:nish@securitycompass.com Nish Bhalla] and [mailto:yuk.fai.chan@owasp.org Yuk Fai Chan].

Meetings
Everyone is welcome to join us at our chapter meetings. These meetings are held every Second Wednesday of the month. Beverages and snacks are provided.

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an [mailto:owasp-rsvp@securitycompass.com email]

Past Presentations For Download
The past presentations are available for download from here. If you have any comments on the presentations please send them to us.

Basic Web Application Testing Methodology by Nish Bhalla Security Compass

Basic Web Services Security by Rohit Sethi Security Compass

Authentication Security by Hui Zhu

Identity Management Basics by Derek Browne

by Trey Ford

A Laugh RIAt – Rich Internet Application Security by Rafal M. Los

[http://www.owasp.org/images/1/18/MichaelDSa-OWASP_Aug_09.pdf Will you be PCI DSS Compliant by September 2010? ] by Michael D'Sa

Mobile Security for the Forgetful by Max Veytsman, Security Compass, May 2011

Application Security ISO by Tak Chijiwa, Security Compass, May 2012

NFC Threat Landscape by Geoff Vaughan, Security Compass, March 2013