Bay Area Past Events
March 14, 2012
Hosted by Astech Consulting
Location: Chinese Historical Society of America, 965 Clay Street, San Francisco, CA 94108, http://www.chsa.org/
John Kinsella, Rebuilding for the Cloud - How cloud architecture can improve application security
Tin Zaw, Cucumber and friends: tools for security that matters
From August through the end of 2011 there were three events: one at PG&E in downtown San Francisco, one at a restaurant in the financial district of San Francisco, and the highlight of the autumn Bay Area OWASP calendar, held on November 30:
November 30, 2011
Stanford Campus, Alumni Center, Lane/Ladato rooms
Directions: http://www.stanfordalumni.org/aboutsaa/alumni_center/directions.html
Parking will be available on Galvez field right next to the center.
Agenda
5:30pm - Welcome
5:40pm - Jason Chan, Practical Cloud Security Slides
6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm Slides
6:50pm - David Fifield, Evading censorship with browser-based proxies Slides
7:25pm - Abraham Kang, DOM-based XSS and output encoding Slides
You must RSVP at http://owaspbayareanov2011.eventbrite.com/ prior to attending; we need to know how many people are coming to make sure we have the correct room size.
Jason Chan - Practical Cloud Security
Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage. Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities. This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include:
- Using public cloud automation and APIs to enhance security visibility
- Netflix’s “Security Monkey” tool for cloud security monitoring and alerting
- Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization
- Netflix’s model-driven architecture for securing and managing systems and applications
- Call to action: Cloud Security Gap Analysis and Next Steps
Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm
Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX console, can be exploited to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw and end at the recent JBoss worm, which affected numerous installations worldwide. This presentation will also cover practical aspects of how to detect misconfigurations and secure your application server.
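As an added example, not part of the talk and not JBoss's own code, the following Python checks a deployment descriptor for the misconfiguration behind CVE-2010-0738: a security-constraint whose web-resource-collection lists explicit http-method elements, so that a request using any verb not listed (HEAD, PUT, DELETE, or an arbitrary method token) reaches the protected servlet without the role check. The sample web.xml is constructed here in the shape of the JMX console's descriptor, not copied from it, and the function name is my own; the hardened form simply drops the verb list so the constraint applies to every method.

```python
"""Flag servlet security-constraints that apply only to listed HTTP verbs.

Added example (not from the talk). A constraint that names <http-method>
elements protects only those verbs; every other verb is dispatched to the
same servlet unauthenticated. Removing the elements covers all verbs.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the vulnerable JMX-console web.xml
# (not the real file): /* is restricted to a role, but only for GET and POST.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Same constraint with the verb list removed: it now applies to all methods.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Return the element name without its namespace: '{uri}foo' -> 'foo'."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Stripped text of every direct child of `parent` named `name`."""
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]


def find_verb_limited_constraints(web_xml_text):
    """Return one finding per web-resource-collection that names explicit
    <http-method> elements inside a constraint that actually restricts access
    (has an <auth-constraint>). Servlet 3.0 <http-method-omission> covers all
    verbs except those listed, so it is not flagged here."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no role requirement, so nothing to bypass
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            if methods:
                findings.append({
                    "url_patterns": _texts(wrc, "url-pattern"),
                    "methods": methods,
                })
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        hits = find_verb_limited_constraints(doc)
        print(label, "->", hits or "constraint covers all verbs")
```

Run it against a deployed descriptor by reading the file into `find_verb_limited_constraints`; any finding means the listed url-patterns are reachable with an unlisted verb, and the fix is to delete the http-method elements rather than to enumerate more verbs, since the servlet container accepts arbitrary method tokens.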
David Fifield - Evading censorship with browser-based proxies
Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser and can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.
Abraham Kang - DOM-based XSS and output encoding
An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.
Previous Event
WHAT: OWASP Silicon Valley Chapter Meeting
WHEN: Thursday, August 25th, 2011 - From 6 PM to 8.30 PM
WHERE: Mozilla Foundation Offices - 650 Castro Street, Unit 300, Mountain View, CA 94041
(right next to Starbucks)
REGISTER EARLY AS SEATING IS LIMITED
Please RSVP by registering at http://www.regonline.com/owaspsiliconvalleychaptermeeting
6:00 PM - 6:30 PM - Check-in, registration, networking
6:30 PM - 6:35 PM - Welcome Remarks/Agenda - Mandeep Khera
6:35 PM - 7:45 PM - Enabling Browser Security in Web Applications - Michael Coates, Mozilla
7:45 PM - 8:30 PM - Blackhat spam SEO - Julien Sobrier, Zscaler
SPONSORS: Special thanks to our host and sponsor, the Mozilla Foundation.
This is an archive page of all the Bay Area OWASP past events. The chapter home is at Bay Area.
OWASP Bay Area will host its next Application Security Summit at the SAP Offices in Palo Alto on July 1st, 2010. As usual attendance is free and food and beverages will be provided. This is an excellent event with great speakers and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.
We have an excellent line-up of speakers.
Please note that, due to building security, you must pre-register. Badges will be ready for registered attendees in the lobby, where you will check in.
WHAT: OWASP Bay Area Chapter - Application Security Summit
WHEN: Thursday, July 1st, 2010 - From 9 A.M. to 3.00 P.M.
WHERE: SAP Offices, Palo Alto - See below for directions
Venue and Directions:
3410 Hillview Ave, Palo Alto, Building 1 Executive Briefing Center (2nd Floor)
Directions on SAP Labs Web Site. Also on the Event Registration Page.
Parking - You can park in the visitor parking or any of the open spaces at any level of the parking lot.
REGISTER EARLY AS SEATING IS LIMITED
Please RSVP by registering at http://owaspbajuly2010.eventbrite.com/
- 8:45 AM - 9:00 AM: Check-in, registration, breakfast, networking
- 9:00 AM - 9:15 AM: Welcome Remarks and Overview of OWASP Bay Area - Mandeep Khera, Bay Area Chapter Leader - File:OWASP Mandeep Khera BA July10.pdf
- 9:15 AM - 10:00 AM: Drive By Downloads - How to Avoid Getting A Cap Popped in your App - Neil Daswani, Co-founder, Dasient - File:OWASP Dasient 7 1 10.pdf
- 10:00 AM - 10:45 AM: Building Secure Web Applications In a Cloud Services Environment - Misha Logvinov, VP of Online Operations, IronKey, and Alex Bello, Director of Technical Operations and Product Security, IronKey - File:OWASP-Building-Secure-Web-Apps-070110.pdf
- 10:45 AM - 11:15 AM: Networking Break, refreshments
- 11:15 AM - Noon: Cloudy with a Chance of Hack - Lars Ewe, CTO and VP of Engineering, Cenzic - File:OWASP Cloudy with a chance of hack.pdf
- Noon - 1:30 PM: Networking Lunch
- 1:30 PM - 2:15 PM: Application Security Deployment Tradeoffs - Anoop Reddy, Senior Manager, Products, Citrix - File:OWASP-July-Anoop.pdf
- 2:15 PM - 3:00 PM: MashUp SSL - Extending SSL for Security Mashups - Siddharth Bajaj, Principal Engineer, Verisign - File:MashSSL OWASP Presentation june2010.pdf
Detailed Abstracts and Speaker Bios
Drive By Downloads: How To Avoid Getting A Cap Popped In Your App: Which browser do you claim? What color is your screen-saver? It is a world wide hood out there, don’t let yourself become the next victim of a drive by… a drive by download. Email attachments have become synonymous with computer viruses, and consumers have become accustomed to questioning the legitimacy of email touting male enhancement drugs and lottery winnings. This means hackers are having to come up with new ways to distribute malware. Today, just by loading an infected web page from a legitimate website, a virus can be downloaded without any other interaction and will often go undetected. Once the virus is on a PC, hackers can access the computer remotely and steal sensitive information like banking passwords, send out spam or install more malicious executables.
In this talk, we describe in technical detail the "anatomy of a modern web-based malware attack." Web-based malware attacks have evolved significantly over the past 4 years. We present the state-of-the-art in web-based malware attacks and describe how the techniques used have evolved over time.
Bio - Neil Daswani is a co-founder of Dasient, Inc., a security company backed by some of the most influential investors in Silicon Valley and New York. In the past, Neil has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center for Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). He has published extensively, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g). More information about Neil is available at http://www.neildaswani.com.
Building Secure Web Applications: This presentation will go over core principles involved in launching secure web applications and effectively managing security in a cloud services environment. We will discuss best practices for implementing security programs, review examples of things done right and wrong, and address specific steps required for creating and maintaining a sustainable security framework for your web applications.
Bio - Misha Logvinov is the Vice President of Online Operations at IronKey. In this position, Mr. Logvinov and his team are responsible for designing, implementing and supporting a highly scalable, mission-critical infrastructure for IronKey's next-generation security products and services. Mr. Logvinov brings to IronKey over a decade of management experience in information technology, operations and security. Throughout his career, he has been responsible for implementing hundreds of customer solutions, supporting millions of online users, managing complex back-office applications and building some of the world's most secure online service environments. Prior to IronKey, Mr. Logvinov spent six years at Yodlee, one of the leading online financial service providers. He held various management roles during his tenure, most recently as Director of Operations Delivery. Mr. Logvinov's earlier experience included IT management at Outcome, Inc. and INTERSHOP Communications. Mr. Logvinov holds a BA in Business Administration from Plekhanov Russian Academy of Economics. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).
Bio - Alex Bello has been involved in the computer security field for the last six years with over ten years of combined experience in technical operations, web application development and security. Mr. Bello is currently serving as the Director of Technical Operations and the Product Security Team Lead at IronKey. Mr. Bello is responsible for architecture, operations and security management of the IronKey online services portfolio as well as IronKey products security testing and research. Prior to IronKey, Mr. Bello spent over three years consulting for various security organizations on infrastructure architecture, security research and web application development projects. Earlier in his career, Mr. Bello managed technical operations at one of the biggest online social marketplaces. In addition to his work at IronKey, for the last five years Mr. Bello has been responsible for technical operations and engineering at Anti-Phishing Working Group (APWG) supporting data aggregation, processing and consumption technologies behind one of the largest anti-phishing UBLs.
Cloudy with a chance of a hack: Cloud computing is a cost-effective and efficient way for enterprises to automate their processes. However, organizations need to be aware of the pitfalls of the many cloud computing solutions out there, one of the main ones being security. Most of these solutions were built for ease of use and without necessarily having security in mind. Companies should ask the solution provider about the security measures used in developing the application and get an independent verification to make sure there are no gaping holes. With over 75% of attacks occurring through the Web, any attack through these applications can lead to leakage of confidential information and embarrassment.
Bio – Lars Ewe: Chief Technology Officer and VP of Engineering for Cenzic. Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.
Application Security Deployment Tradeoffs: Application security tradeoffs and choices are made at various stages of application design, development and deployment. This talk will cover deployment aspects of application security. Based on experience in designing, developing and deploying application security solutions and products for the past 10 years, I will do a case study based analysis of security costs and tradeoffs. Specifically, we will correlate security choices during deployment with our observations regarding the relatively higher adoption of security features and products that have an incremental deployment plan over those that are more intrusive and/or are operationally more expensive.
Bio – Anoop Reddy: Anoop Reddy has been working in Security and Application Firewalls for the past 8 years and has led many innovations as part of Teros and Citrix. He was the Architect and Technical Lead at Teros and now manages the Engineering Development for the Application Firewall product lines at Citrix.
MashSSL - Extending SSL for securing mashups: In this presentation we will describe MashSSL and how it can be used to solve a fundamental Internet security problem: when two web applications communicate through a potentially untrusted user, they do not have any standard way of mutually authenticating each other and establishing a trusted channel. MashSSL is a new multi-party protocol that has been expressly designed to inherit the security properties of SSL and to be able to leverage its trust infrastructure. We will also discuss how this can be used to secure a variety of multi-party environments, including mashups using cross-domain XHR and OpenAJAX, as well as scenarios such as OpenID and OAuth.
Bio – Siddharth Bajaj is researching new technologies in the areas of Internet Trust, Identity and Authentication, including how these can be applied to solve problems in verticals such as healthcare, online content and cloud computing. Siddharth has been with VeriSign since 1999 and has fulfilled a variety of technical leadership roles. He was involved in the development of the VeriSign PKI services platform as well as the early conceptualization and architecture of more recent VeriSign products such as UA and VIP.
- Location: Fujitsu, Sunnyvale
- Speaker: Mandeep Khera, Bay Area Chapter Leader : Welcome Remarks and Overview of OWASP Bay Area- Media:Welcome_Remarks_and_Overview_of_OWASP_Bay_Area_-_Mandeep_Khera,_Bay_Area_Chapter_Leader.ppt
- Speakers: Keynote - Kaj van de Loo, SVP Platforms & On Demand, SAP, and Yuecel Karabulut, Ph.D., Chief Security Advisor & Head of Security Strategy, SAP Labs, LLC - Media:022510-OWASP-Keynote-KajYuecel-final.pdf
- Speaker: Dawn Song, Associate Professor, UC Berkeley - WebBlaze: New Techniques and Tools for Web Security - Media:Fujitsu-owasp-feb-10.pdf
- Speakers: Prof. John Mitchell, Stanford University, and Jason Bau, Ph.D. Student, Stanford: State of the Art: Automated Black-Box Web App Testing - Media:Black Box Scanner Presentation.pdf
- Speaker: Richard Chow, PARC - Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control - Media:Richard Chow OWASP 02252010.pdf
- Speakers: Panel - App Security issues - Cloud Security, Inertia with App Security, Future of App Security - Q&A from the audience. Panelists: Prof. Dawn Song; Richard Chow; Lars Ewe, CTO, Cenzic. Moderator: Mandeep Khera
- Location: Stanford University
- Speaker: Mandeep Khera : Welcome Remarks and Overview of OWASP Bay Area
- Speaker: Lars Ewe, CTO, Cenzic : Development Issues Within AJAX Applications: How to Divert Threats
- Speaker: Rob Jeronek, Intuit: Building a Corp App Security Assessment Program
- Speaker: Siva Ram, AppSec: Mastering Session Management
- Speaker: Brian Contos, Imperva: From Rivals to BFF: WAF & VA Unite
- Location: San Francisco Federal Reserve Bank Office, San Francisco, CA
- Speaker: Jeremy Brotherton: Analyzing Web Malware
- Speaker: Dave Maynor: Mobile Device Security
- Location: Gap Inc, Conference Center C, 2 Folsom Street, San Francisco, CA 94105
- Speaker: Brendan O’Conner: Back to the Future - Phishing and Malware
- Speaker: Kirk Greene: Testing Methodologies: White-box, Gray-Box, Black-box or Something Else
- Location: Network Meeting Center, TechMart Center, 5201 Great America Parkway, Santa Clara, CA 95054
- Speaker: Brian Shura: Protecting Website Users from Each Other
- Speaker: Trey Ford: Making Money the Black Hat Way
- Location: Microsoft, 1065 La Avenida St, Mountain View, CA 94043
- All Presentations | Evaluation Data
- Speaker: Mandeep Khera: Overview of the OWASP Bay Area Chapter
- Speaker: Dr. Chenxi Wang: Consumerization of enterprises
- Speaker: Collin Jackson: Cross-Site Request Forgery
- Speaker: Tom Stracener: Google Gadget Security
- Speaker: Neil Daswani: How Cybercriminals Steal Money
- Location: PG&E, 245 Market Street, San Francisco, CA 94105
- Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications
- Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance
- Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305
- Speaker: Niels Provos, Google: Ghosts in the Browser
- Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations
- Sponsors: Cenzic and AppSec Consulting