Houston

Local News
The Houston Chapter will focus on Web Application Security issues, with discussions on application layer vulnerabilities, penetration testing, and secure coding practices within the numerous development languages. Our chapter will meet on the second (2nd) Wednesday of each month, and participation in OWASP Houston is free and open to all. Please subscribe to the mailing list for meeting announcements. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the Houston Chapter, send an email to [mailto:david.nester_at_owasp.org David Nester].


May 13, 2009 :: Combined Sessions
Session One: In this session, attendees will learn about secure connection strings in the Web.Config and App.Config files for .NET development. Presenter: Mark Feferman.

Session Two: In this session, attendees will learn about the types of airline data that are at risk of being stolen by online data thieves. In addition, the following topics will be further explored:


 * Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;
 * Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and
 * Compliance and Software development life cycle approaches.

Following the September 11 attacks, the airline industry recognized its need to 'webify' online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines' operating costs, thereby increasing their operating profits. However, the following questions remain: At what cost? What are the information systems and customer data security risks associated with the airline 'webification' process? Additionally, attendees will discover the hidden data services that the airlines utilize to 'run the business' and the risks associated with Web-based application attacks.

Presenter: Quincy Jackson, CISSP, CEH. Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology ("IT") profession, including 8 years in Information Security. His career in the aviation industry began with 8 years in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager, Information Security for Continental Airlines. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. ("UWA"). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings.

When and Where? 5:30-6:00 Reception; 6:00-7:30 Welcome, Announcements and Presentation. Microsoft Campus, One Briar Lake Plaza, 2000 W. Sam Houston Pkwy. S. #350, Houston, TX 77042. Phone: (832) 252-4300

Past Presentations

 * April 8, 2009: "2009 Statistics Report and ClickJacking". Presentation by David Nester, Director, Solutions Architecture, WhiteHat Security. WhiteHat Security presented the sixth installment of the Statistics Report and ClickJacking. Clickjacking, also known as UI redressing, is possible not because of a software bug, but because seemingly harmless features of web pages can perform unexpected actions. A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page. For example, a user might play a game in which they have to click on some buttons, but another authentic page, such as a web mail site from a popular service, is loaded in a hidden iframe on top of the game. The iframe will load only if the user has saved the password for its respective site. The buttons in the game are placed such that their positions coincide exactly with the select-all-mail button and then the delete-mail button. The consequence is that the user has unknowingly deleted all the mail in their folder while playing a simple game. Other known exploits include tricking users into enabling their webcam and microphone through Flash (since corrected by Adobe), tricking users into making their social networking profile information public, making users follow someone on Twitter, etc.


 * August 19, 2008: "Dirty Dozen" - Truth and facts about PCI DSS. Presentation by Genady Vishnevetsky, CISSP, Director of IT Operations and Security at Paymetric, Inc., who presented the truth and facts about PCI DSS. If you haven't heard about the Payment Card Industry Data Security Standard (PCI DSS), it is becoming the de facto security standard in the industry. This presentation will cover a broad range of topics on the PCI standard that would be of interest to any security professional. We will be covering many aspects and best practices that came out of PCI DSS. If you have never heard of PCI, then you will learn how it began. If you are in need of credit card processing (now or in the near future), you will learn what you need to succeed, and you will be ahead of the game. If you are a seasoned PCI professional, you will learn what is new in the last 12 months (PCI DSS 1.1, changes to the SAQ, the just-released PA DSS). If you don't fall into any of these categories, come to hear how PCI DSS can help you in your day-to-day job to ensure that you are protected.


 * June 11, 2008: The OWASP Top 10. Presentation by J Sawyer, Developer Evangelist at Microsoft, who presented the OWASP Top Ten. The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.


 * November 7, 2007: Black Box versus White Box: Different App Testing Strategies. Presentation by John Dickson of the Denim Group. Competing approaches for application security testing have pros and cons. This presentation will look at a number of security assessment strategies (white box testing, black box testing, static analysis and dynamic analysis), discussing the benefits and drawbacks of each.


 * October 10, 2007 :: Top 10 Website Attack Techniques. During this presentation, Jeremiah Grossman will draw upon his extensive website security experience to discuss the most creative, useful and interesting Web attack techniques discovered in 2007, focusing on the top ten. This year has been significant for website hacking, with issues ranging from Cross-Site Scripting (XSS) and Cross-Site Request Forgery to confusion about the impact of AJAX and JavaScript vulnerabilities on Web 2.0 sites. Mr. Grossman will address these issues, including debunking the myth of AJAX insecurity.


 * September 12, 2007: Fortify Software. Bytecode instrumentation allows a user to inject additional code into an application's binary. This technique has traditionally been used to measure the runtime performance and test coverage of Web applications. However, bytecode instrumentation has other promising uses, including software security. As the overall security space evolves from the outside-in approach we saw with Web Application Firewalls in the 1990s, bytecode instrumentation provides the perfect opportunity to embed security into the application itself. This talk will provide an overview of bytecode instrumentation, demonstrate how the technology works, and show some concrete ways it can be used to inject security features into an application after it has been developed.


 * August 8, 2007: Atrysk Security Presentation. Today, hackers are manipulating Web applications inside the corporate firewall, enabling them to access and sabotage corporate and customer data, as seen in highly publicized Web hacking events in 2005 such as MySpace.com, Paris Hilton's T-Mobile phone compromise, and the perl.santy worm. Given even a tiny hole in a company's Web application code, an experienced intruder armed with only a Web browser and a little determination can break into most Web sites. The reality is that traditional Internet security is not enough, because these methods do not ensure the security of your entire Web presence by checking Web application content (HTML pages, scripts, proprietary applications, cookies, and other Web servers). With the ever-increasing threat of cyber attacks, today's Web environment has made application security an essential element in the application development lifecycle. Using common Web attacks such as SQL Injection, Cross-Site Scripting (XSS), AJAX [in]security and Session Hijacking, we will explain and demonstrate why applications are increasingly at risk of malicious attack because of security defects, and how easily those defects are exploited.


 * June 5, 2007 :: Web 2.0. Presentation by Dan Cornell of the Denim Group. With the integration of new technologies into web application development, there are more security dangers than ever before to be found in the application layer. This session discusses the landscape of web application security, new technologies being used in developing web applications and web services, and the implications these have on system security. Technical vulnerabilities in web applications such as SQL injection and cross-site scripting (XSS) will be discussed alongside logical, business-level issues. The evolution of these flaws will be tracked as traditional web applications have expanded to include Web 2.0, AJAX and web services capabilities. The goal of the presentation is to educate developers, project managers and quality assurance personnel about the risks inherent in developing web applications and provide meaningful recommendations for addressing those risks during the software development lifecycle. A Sprajax download was also provided.
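The April 8, 2009 clickjacking entry above describes the attack but not the server-side defense. As an added example (not part of the presentation or of any chapter material), the code below applies the standard mitigation, the `X-Frame-Options` header and the CSP `frame-ancestors` directive, to a response header map and includes an audit helper that classifies how a response is protected; the header sets are constructed samples.

```javascript
// Added example: anti-clickjacking response headers plus an audit helper.
// A page that sends X-Frame-Options and CSP frame-ancestors cannot be rendered
// inside another site's transparent iframe, which defeats the overlay trick.

// HTTP header names are case-insensitive, so look them up accordingly.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return a copy of `headers` with anti-framing directives added. An existing
// Content-Security-Policy keeps its other directives; frame-ancestors is
// appended unless the policy already states one explicitly.
function withAntiFramingHeaders(headers, allowSameOrigin = false) {
  const out = { ...headers };
  const ancestors = allowSameOrigin ? "'self'" : "'none'";
  out['X-Frame-Options'] = allowSameOrigin ? 'SAMEORIGIN' : 'DENY';
  const cspKey = Object.keys(out).find(k => k.toLowerCase() === 'content-security-policy');
  const existing = cspKey ? out[cspKey].trim().replace(/;\s*$/, '') : '';
  if (cspKey) delete out[cspKey]; // re-emit under one canonical header name
  if (/(^|;)\s*frame-ancestors\s/i.test(existing)) {
    out['Content-Security-Policy'] = existing; // explicit policy left untouched
  } else {
    out['Content-Security-Policy'] = existing
      ? `${existing}; frame-ancestors ${ancestors}`
      : `frame-ancestors ${ancestors}`;
  }
  return out;
}

// Audit helper for a response-header review: 'none', 'xfo', 'csp' or 'both'.
// Only DENY and SAMEORIGIN count for X-Frame-Options; other values are ignored.
function framingProtection(headers) {
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  const csp = getHeader(headers, 'content-security-policy') || '';
  const hasXfo = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const hasCsp = /(^|;)\s*frame-ancestors\s/i.test(csp);
  if (hasXfo && hasCsp) return 'both';
  if (hasXfo) return 'xfo';
  if (hasCsp) return 'csp';
  return 'none';
}

// Constructed sample: a webmail page served with a CSP that says nothing about
// framing, and the same response after the mitigation is applied.
const unprotected = { 'Content-Type': 'text/html', 'content-security-policy': "default-src 'self'" };
const protectedHeaders = withAntiFramingHeaders(unprotected);
console.log(framingProtection(unprotected), '->', framingProtection(protectedHeaders));
```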

Houston OWASP Chapter Leaders
Our chapter leaders are Mark Feferman, Linda Fox, Paul Dial and David Nester.