Bay Area

Revision as of 13:26, 5 May 2010 by Jmanico (talk | contribs)

Jump to: navigation, search

OWASP Bay Area

Welcome to the Bay Area chapter homepage.
Click here to join the local chapter mailing list.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local Jim Manico News

<paypal>Bay Area</paypal>

Chapter Meetings

Date and Location

OWASP Bay Area will host its next Application Security Summit at the Fujitsu Offices in Sunnyvale on February 25th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. We have an excellent line-up of speakers.

Please note that due to security issues, your must pre-register. The registration will ask you for citizenship/permanent residence status as well. Badges will be ready for the registered attendees at the lobby where you will check in.

WHAT: OWASP Bay Area Chapter - Application Security Summit WHEN: Thursday, February 25th, 2010 - From 1 P.M. to 8.00 P.M. (including a reception from 6.30 to 8.00)

WHERE: Fujitsu Offices, Sunnyvale - See below for directions

Venue and Directions:

Fujitsu Sunnyvale Campus (Building H) 1250 E. Arques Avenue Sunnyvale, CA 94085

Fujitsu Policy : Please note that you will be asked to sign and write down your country of citizenship in order to comply with US Customs regulations and C/TPAT (Customs Trade Partnership Against Terrorism) certifications. As part of the compliance, we regrettably are not able to allow attendance to those who hold the citizenship of Cuba, Iran, North Korea, Sudan, or Syria without a US Green Card. We sincerely apologize for any inconvenience this may cause.


Please RSVP by registering at


1.00 PM - 1.15 PM
Check-in, registration, networking
1:15 PM - 1:30 PM
Welcome Remarks and Overview of OWASP Bay Area - Mandeep Khera, Bay Area Chapter Leader Media:Welcome_Remarks_and_Overview_of_OWASP_Bay_Area_-_Mandeep_Khera,_Bay_Area_Chapter_Leader.ppt
1:30 PM - 2:15 PM
Keynote - Kaj van de Loo, SVP Platforms & On Demand, SAP and Yuecel Karabulut, PH.D., Chief Security Advisor 7 Head of Security Strategy, SAP Labs, LLC - File:022510-OWASP-Keynote-KajYuecel-final.pdf
2:15 PM - 3:00 PM
WebBlaze: New Techniques and Tools for Web Security - Dawn Song, Associate Professor, UC Berkeley - File:Fujitsu-owasp-feb-10.pdf
3:00 PM - 3:30 PM
Networking Break, refreshments
3:30 PM - 4:00 PM
State of the Art: Automated Black-Box Web app testing- Prof. John Mitchell, Stanford University and Jason Bau, PH.D. Student, Stanford - File:Black Box Scanner Presentation.pdf
4:00 PM - 4:30 PM
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control - Richard Chow, PARC - File:Richard Chow OWASP 02252010.pdf
4.30 PM - 4.45 PM
4.45 PM - 6.00 PM
Panel - App Security issues - Cloud Security, Inertia with App Security, Future of App Security - Q&A from the audience - Panelists: Prof Dawn Song; Richard Chow; Lars Ewe, CTO; Cenzic Moderator: Mandeep Khera
6.00 PM - 8.00 PM
Networking Reception - Dinner and Drinks!

Detailed Abstracts and Speaker Bios

WebBlaze: New Techniques and Tools for Web Security I will present the WebBlaze project, aiming at designing and developing new techniques and tools to improve web security. WebBlaze's new technologies cover a broad range including new architectural solutions for defending against cross-site scripting attacks, tools for detecting and defending against cross-origin JavaScript capability leaks which lead to universal cross-site scripting attacks, and new approaches for secure browser extensions and web advertisements. In this talk, I will focus on two sample techniques in WebBlaze: (1) dynamic analysis and symbolic reasoning of JavaScript to detect client-side input validation vulnerabilities; (2) program binary analysis to extract security-related models from browsers to detect new classes of vulnerabilities such as content-sniffing vulnerabilities. Our techniques and tools have discovered previously unknown vulnerabilities in browsers and popular web applications. Some of the solutions in WebBlaze have been adopted by mainstream browsers and industry standards and deployed on millions of machines.
Bio – Prof. Dawn Song
Dawn Song is an Associate Professor in the department of Electrical Engineering and Computer Science at University of California, Berkeley. She obtained her B.S. in Physics from Tsinghua University in China in 1996, her M.S. in Computer Science from Carnegie Mellon University in 1999, and her Ph.D. in Computer Science from UC Berkeley in 2002. Prior to joining UC Berkeley, she was an Assistant Professor at Carnegie Mellon University from 2002 to 2007. Her research interest lies in security and privacy issues in computer systems and networks, including areas ranging from software security, networking security, database security, distributed systems security, to applied cryptography. She is the recipient of various awards including the NSF CAREER Award, the Alfred P. Sloan Research Fellowship Award, the IBM Faculty Award, the George Tallman Ladd Research Award, the Okawa Foundation Research Award, and the Li Ka Shing Foundation Women in Science Distinguished Lecture Series Award. She is also the author of multiple award papers in top security conferences, including the Best Paper Award at the USENIX Security Symposium and the Highest Ranked Paper Award at the IEEE Symposium on Security and Privacy. Recently she was awarded the MIT Technology Review TR-35 Award, recognizing her as one of the world's top innovators under the age of 35.

State of the Art: Automated Black-Box Web app testing

Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities. In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and (iii) the relevance of the target vulnerabilities to vulnerabilities found in the wild. To conduct our study we used a custom web application vulnerable to known and projected vulnerabilities, and previous versions of widely used web applications containing known vulnerabilities. Our results show the promise and effectiveness of automated tools, as a group, and also some limitations. In particular, “stored” forms of Cross Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities are not currently found by many tools. Because our goal is to assess the potential of future research, not to evaluate specific vendors, we will not report comparative data or make any recommendations about purchase of specific tools.
Bio – Prof. John Mitchell John Mitchell is the Mary and Gordon Crary Family Professor in the Stanford Computer Science Department. His research in computer security focuses on web security, network security, privacy, and distributed authorization management. He has also worked on programming language analysis and design, formal methods, and applications of mathematical logic to computer science. Prof. Mitchell currently leads research projects funded by the US Air Force, the Office of Naval Research, private companies and foundations, and he is the Stanford Principal Investigator of the multidisciplinary TRUST NSF Science and Technology Center. He is a consultant and advisor to a number of companies and is the author of over 140 research articles and two books.

Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control Cloud computing is clearly one of today's most enticing technology areas. However, despite the surge in activity and interest, there are significant, persistent concerns about cloud computing that are impeding momentum and will eventually compromise the vision of cloud computing as a new IT procurement model. In this survey talk, we characterize the problems and their impact on adoption. In addition, we describe some existing research thrusts with the potential to alleviate some of the concerns impeding adoption.
Bio – Richard Chow
Richard Chow works in the security and privacy group at the Palo Alto Research Center. Richard is interested in systems security, fraud detection, and privacy. Some of his achievements include architecting Yahoo!'s click-fraud protection system and the security and DRM components for Motorola's first Java-based phone platform. He has played a lead role at three startups and was also a founder of Trusted Systems Laboratories, which brought high-assurance security systems to the commercial market. Richard received his Ph.D. in Mathematics from UCLA.


Please RSVP by registering at

Bay Area Past Events

Bay Area Past Events

Bay Area OWASP Chapter Leaders