Difference between revisions of "Cleveland"

From OWASP

Latest revision as of 17:29, 30 April 2015

OWASP Cleveland

Welcome to the Cleveland chapter homepage. The chapter leader is Ken Stasiak.
The chapter also runs a local mailing list that members can join.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now.



Upcoming Meetings

John Steven & Kevin Glavin - May 14 from 11:00am - 1:00 pm

Presentation: Security Code Review: A Radical Departure from Everything You Know and Love (to hate) About Code Review

Abstract: Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. In this talk, experts will cover commonly asked questions such as:

How can you change the way you apply source code review using modern and freely available tools in order to provide high-quality review?
What, specifically, can you do to avoid the critical flaws we commonly find?
How do you scale the effort up to an enterprise worth of applications?
How do you scale the effort down to the space in which a 2 week sprint lives?
And finally, how do you apply it to continuous deployment?

Speaker Bios: John Steven - John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. He has been leading source code analysis for over 15 years, reviewing everything from kernels, to hypervisors and virtual machines, to massive 20+MLoC web sites and mobile apps. He’s researched static analysis tools and aspect compilers extensively and helped design and build the HP/Fortify SCA tool. As a software developer he’s led design and development of security services and business-critical production applications for large organizations in a range of verticals. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks regularly at conferences and trade shows.

Kevin Glavin - Kevin Glavin is a Senior Consultant who has over 10 years of experience in a variety of roles including Lead Developer, Software Assurance Specialist, and Software Security Analyst. Kevin has worked with a number of Fortune 250 and multi-national companies, as well as government agencies. As a consultant at Cigital, he has led secure code review, penetration testing (hardware, software, and network), and architectural risk analysis of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. He specializes in integrating security testing techniques into existing tools and SDLC methodologies, and leveraging DevOps practices for consistency and agility.


We are always looking for new speakers to present at our meetings! If you are interested in speaking at an upcoming OWASP meeting, please contact Courtney Satink at csatink@securestate.com with your idea.

Past Events:

Bill Sempf (@sempf) - January 28 from 11:00am - 1:00 pm

Presentation: Cracking and Fixing REST Services

Abstract: REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it - we can write programs with REST. The problem is that writing properties and functions using the web's transfer protocol opens them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle - fixing them is a whole other story. You'll need the details, and you'll get them here.

Speaker Bios: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.


Márion Nepomuceno & Kris French - July 17 from 11:00am - 1:00pm

Presentation: Security Omnipresence: Infiltrating Every Level of a Mature Development Lifecycle

Abstract: It’s easy for a security professional to feel like he’s alone, especially when there are already mature processes in place designed to function without him. And if he does finally break into the development lifecycle, he certainly can’t be everywhere at once. Or can he? We’ll show you how we infiltrated the development lifecycle, spread the message of security, and recruited shadowy agents of change to achieve security omnipresence.

This presentation tells the story of how we were able to integrate concepts from the MS security development lifecycle into the long-established processes in our company. We'll talk about how the initiative started independently in 2 departments for different reasons, yet we combined all our efforts to create a very effective and customized security program.

From our participation in local infosec groups and meetings, we realized that security professionals are having trouble truly integrating security into their company's processes and culture. This talk actually was born from a request by our local OWASP chapter for us to tell the story of how we got as far as having QA doing security testing on top of Development following SDL practices.

Moreover, people seem to get hung up on the idea that security tools and software will solve their problems, when that's not the case. Security is all about the mindset, and that's one of the main points we want to convey.

Speaker Bios: Marion Nepomuceno - is a security engineer at Hyland Software in charge of developing training materials, and working closely with the nearly 200-person development staff on improving their secure coding skills and the security of the product. Marion has given several presentations and classes to audiences of varying sizes on the topic of security concepts and the SDL. He headed up the project to re-fit Microsoft's SDL processes to work within Hyland which houses several different waterfall-based and agile processes. This project has enjoyed significant success that has drawn the attention of the local security community.

Kris French - is a security tester at Hyland Software, and single-handedly created the security program for the QA department. Kris is in charge of creating training materials, creating and leading classes for his security-focused internal education track, managing the QA security champions group, and collaborating with development to aid in the creation of an overall security direction for the company. Kris is also an active member in his local security community and frequent contributor to the proceedings of the OWASP Cleveland chapter.

How to foster company-wide adoption



Bill Sempf (@sempf) - Thursday, April 10 from 11:30am - 2:00 pm

Presentation: Information Disclosure: Looking Beyond Vulnerabilities to Freebies

Abstract: While the application security community is focused on tools that test for various vulnerabilities, your servers, developers and organization could be giving out valuable details that just make an attacker's job so much easier - free information. No vulnerability scanner will find the Stack Overflow post with admin credentials, or the 'hidden' file with a test account, or that obscure error message that makes your database barf. Bill will take you through hands-on testing that you can try today: finding out about what your applications, servers, networks, and people are telling attackers about your innermost secrets.

Speaker Bio: Bill Sempf - In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with internetworking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio.

Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.


Chris Clymer - Wednesday, January 8th from 11:00am - 2:00pm

Presentation: "Lessons Learned from HealthCare.gov - Integrating Security into Complex Software Deployments"

Video of January's Presentation, Lessons Learned from HealthCare.gov, is available at http://engage.securestate.com/owasp-cleveland-registration

Abstract: The recent problems with Healthcare.gov highlight the fact that many organizations still struggle to secure applications they develop. During this talk, SecureState will take an apolitical approach to looking at what lessons can be learned from the Healthcare.gov rollout and how these lessons can be applied to software you are developing. SecureState will draw on firsthand experience gained from helping a state-based health exchange become operational and compliant with the various federal security standards, as well as public information on the security challenges the national exchange faces.

Speaker Bio: Chris Clymer - As the Manager of SecureState’s Advisory Services practice, Chris Clymer works on the design and management of Security Programs as clients’ Security Program Manager (SPM). Chris’s core strengths of developing complex strategies and establishing specific priorities are keys to his ability to provide expert advisory leadership to clients looking to him for guidance. His expertise at defining objectives and conducting in-depth research also serves him well in this capacity. Chris questions frequently and thoroughly, initiates innovation, and improvises solutions – all valuable skills for leading our Advisory Services practice. Chris holds several industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC Certified Penetration Tester (GPEN), GIAC Certified Web Application Penetration Tester (GWAPT), and provisional ISO 27001 Auditor.


Matt Neely & Tom Eston - Monday, April 29th from 11:00am - 2:00pm

Presentation: "Threat Modeling - The First Step in Secure Application Development"

Video of April's Presentation, Threat Modeling - The First Step in Secure Application Development, is available at http://marketing.securestate.com/owasp-cleveland---meeting-registration


Abstract: Application security issues continue to be a growing concern for businesses large and small. In fact, many people would be surprised to find that some of the most popular mobile apps downloaded are vulnerable to issues found in the OWASP Mobile Top 10 list of common vulnerabilities.

To address these issues, security needs to be integrated into the software development life cycle (SDLC) used by the developers. When developing an application in a secure manner, threat modeling is an important but often forgotten first step.

This talk will start out with an overview of where to integrate security into the SDLC process. The remainder of the talk will focus on the threat modeling portion of the SecSDLC. During this stage the OWASP Mobile Threat Model will be introduced. To provide real-world examples, vulnerabilities found in many of the top 25 downloaded apps in the Apple App Store and Google Play will be covered.

Speaker Bios: Matt Neely is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm. At SecureState Matt leads the Research and Innovation team, which focuses on imagining, researching and developing methodologies and tools that will solve industry-related issues. In addition to Matt’s technical background, his strong understanding of business processes and organizational structure allows him to meet the security needs of the business world. Matt is a regular speaker at various business and security user groups and conferences including Black Hat, Defcon, THOTCON and ShmooCon. Matt recently published the book Radio Reconnaissance in Penetration Testing.

Tom Eston is the manager of the Profiling and Penetration Team at SecureState. Tom leads a team of highly skilled penetration testers that provide attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile applications. He is the founder of SocialMediaSecurity.com, an open source community dedicated to exposing the insecurities of social media. Tom is a security blogger, SANS Mentor, co-host of the Social Media Security podcast, and a frequent speaker at security user groups and worldwide conferences including Black Hat, DEFCON, DerbyCon, Notacon, SANS, OWASP AppSec, and ShmooCon.


Joe Kuemerle - Tuesday, December 18th from Noon – 2 p.m.

Presentation: Reverse Engineering .NET and Java

Abstract: Learn the various techniques bad guys can use to extract information from your .NET or Java applications, or at least how you can recover the source code that your predecessor deleted before he quit. Enjoy a demo-filled session on how easy it is to extract information from virtually any .NET or Java application.

Speaker Bio: Kuemerle is a developer and speaker in the Cleveland, OH area specializing in .NET development, security, database and application lifecycle topics. He is currently a Lead Developer at BookingBuilder Technologies and is active in the technical community as well as a speaker at local, regional and national events.


Kevin Johnson - Tuesday, March 22nd, Noon – 2pm

Presentation: “Ninja Developers: Application Security Testing and Your SDLC”

Abstract: The security of enterprise software is one of the key risks organizations can start to control today. As new applications are developed and legacy software is updated, incorporating a measure of security testing can be one of the most critical ways to positively impact an organization's security posture. To properly validate the security of enterprise applications, a third-party penetration test or assessment may be enlisted - but the cost of testing each application quickly makes this impractical. This situation presents a challenging problem.

Kevin Johnson will explain how your development staff can incorporate techniques distilled from years of experience into your organization's development and release methodology. Whether you're using Agile, RUP or Google programming, these tips and tricks will enable your developers to produce higher-quality, more secure code right from the start. Kevin will reveal some of the secrets of the masters, learned from experience and industry leadership over the past decade, and show you how you can insert security into your software development lifecycle with minimal disruption and maximum effectiveness.

Speaker Bio: Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open source is spread across a number of projects and efforts. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking.


Chapter Meetings

To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Our chapter is sponsored by SecureState.


Cleveland OWASP Chapter Leaders

The chapter leader is Ken Stasiak.