Difference between revisions of "Columbus"

From OWASP
(40 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:OWASP Chapter]]__NOTOC__
+
__NOTOC__  
  
==== Local News ====
+
==== Local News ====
  
== Q2 Meeting Announcement - June 10th, 1PM - Defensible .NET ==
+
== Summer 2012 Meeting ==
  
'''Presented by Jason Montgomery, Sr. Security Specialist, Active Technologies Group, Inc.'''
+
The third quarterly meeting for the Columbus chapter of OWASP will be held on September 13th at 1 in the afternoon, and will feature two powerhouses from the national InfoSec stage. Jim Manico from White Hat security will be speaking on the Top 10 Web Defenses, and Brent Huston from Microsolved will be speaking on malware analysis. The meeting will be at Improving Enterprise Ohio office (4449 Easton Way, Suite 100, Columbus, OH 43219 614-573-7405). Hope to see everyone there. [http://columbusowasp2012q3.eventbrite.com/ Register here]. This is not one to be missed, people.
  
ASP.NET and the .NET framework have become the preferred foundation underlying enterprise applications. While Microsoft has prioritized integrating security into the ASP.NET framework, attacks at the application layer are dramatically increasing.  How effective are the security controls built into the ASP.NET framework?  Application developers must understand the limitations of the framework and ensure their code is secure.  Focusing on the OWASP top ten, Jason Montgomery will explain the latest defensive techniques specific to the ASP.NET environment.  Jason is Sr. Security Specialist at Active Technologies Group, Inc. (ATGi).  He is a SANS instructor in .NET application security and co-author of the secure coding certification, GSSP.NET. Jason has spent the past five years guiding software security practices at the Department of Defense, and currently leads ATGi’s secure software development and assessment practice.
+
== OWASP Membership ==
  
''Location and further detail coming soon!''
+
At the Q3 meeting, there were a lot of questions about membership.  Membership supports the many projects that OWASP in involved in, including ESAPI. [http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters Learn more about membership here].  Remember to tell them you are interested in membership in the Columbus chapter.
  
== 3rd Annual Central Ohio Infosec Summit ==
+
==== Chapter Info  ====
  
May 6th and 7th, [http://www.infosecsummit.org/register.aspx/ Registration is now open]
+
== Stay in touch with Columbus OWASP  ==
  
The goal of this event is to educate regional Information Security professionals and support collaboration by bringing leading speakers in the information security field together to educate the community on the latest industry trends and issues.
+
*The first stop to connecting with the community is our [http://lists.owasp.org/mailman/listinfo/owasp-columbus mailing list], feel free to contribute and interact with the list - it's not just for listening!
  
This Information Security Conference will provide information security professionals with the most up-to-date information, tools, trends, legislative information, products, services, and strategies for addressing information security issues. The conference will focus on key topics related to information security with presentations provided by recognized experts and exhibits by some of the nation’s leading organizations.
+
*We're a group on [http://www.linkedin.com/groups?home=&gid=2796025 LinkedIn] as well, please join us.  
  
Fees to attend this conference are as follows (membership will be validated):
+
== Become a voting member  ==
  
  * $50 - Before April 30th - ISSA, ISACA, (ISC)^2, OWASP, or InfraGard Members
+
We encourage organization and individual supporters of our [http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project ethics & principals] to become a voting '''[http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters MEMBER]'''. Please review the [[Chapter Rules]] and the [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP overview], and [mailto:columbusowasp(at)gmail.com contact the chapter leaders] for more information.
  * $65 - After April 30th - ISSA, ISACA, (ISC)^2, OWASP, or InfraGard Members
+
  * $150 - Non-members
+
  
Not a member of an organization? Why not [http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters join our OWASP chapter] for $50! We receive ''40%'' of your membership dues to help chapter activities, and you'll save $100 on the 2010 InfoSec Summit (and [http://www.owasp.org/index.php/Member_Offers other great discounts])!
+
''The professional association of OWASP Foundation Inc., is always free and open to anyone interested in learning more about application security.''  
  
==== Chapter News ====
+
== We want your participation!  ==
  
== We're giving away a 32GB iPod Touch ==
+
To submit educational topics for upcoming meetings, [mailto:columbusowasp(at)gmail.com submit your ideas and slide deck] (if available) using the [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include a speaker BIO. It doesn't have to be formal, we're happy to provide some assistance in organizing your thoughts. You only need an interest and knowledge of your independent research or related software security topic.
  
'''How do you win?''' [http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters Become a member] of our local chapter and/or refer someone who becomes a member. There's no limit on referral entries. [[File:Ipod-touch.jpg‎|right|iPod Touch]]
+
== Sponsorship, too!  ==
  
'''$50''' gets you entered to win, an OWASP member pack with membership card, certificate, OWASP DVD, t-shirt, pen and tote bag ''PLUS'' discounts on local events like the [http://www.infosecsummit.org/ Central Ohio InfoSec Summit], OWASP conferences, and [http://www.owasp.org/index.php/Member_Offers more]. ''40% of your membership dues come directly to your local chapter'' which allows us to do even more great things right here in Columbus.
+
There are myriad opportunities to sponsor the chapter, including meeting space, food, marketing, and monetary donations. We're always looking for assistance. Inquiries regarding chapter or per-meeting sponsorship opportunities can be directed to [mailto:columbusowasp(at)gmail.com the chapter leaders]. As a [http://www.owasp.org/index.php/About_OWASP 501(3)c non-profit professional association] your support and sponsorship of a meeting venue and/or refreshments is tax-deductible and all financial contributions can be made online right now: ''<paypal>Columbus</paypal>''  
  
*'''Entries will be accepted through the end of June with the drawing occurring in early July. Don't forget to fill in Columbus as your local affiliation when you join.'''
+
==== Current Meetings  ====
  
Thanks to [http://www.expesite.com/ Expesite] for sponsorship donation!
+
== Summer 2012 Meeting ==
<p>&nbsp;</p>
+
<p>&nbsp;</p>
+
  
==== Chapter Info ====
+
Jim Manico from White Hat will be in town for our Summer Meeting on September 13th! Save the date. Here's his talk abstract:
  
== Stay in touch with Columbus OWASP ==
+
We cannot hack or firewall our way secure. Application programmers need
 +
to learn to code in a secure fashion if we have any chance of providing
 +
organizations with proper defenses in the current threatscape. This talk
 +
will discuss the 10 most important security-centric computer programming
 +
techniques necessary to build low-risk web-based applications. This talk
 +
is best suited for technical web application development professionals
 +
at any stage of the software development lifecycle.
  
*The first stop to connecting with the community is our [http://lists.owasp.org/mailman/listinfo/owasp-columbus mailing list], feel free to contribute and interact with the list - it's not just for listening!
+
Also, Brent Huston from Microsolved will be speaking, and his abstract is coming soon. Two real heavyweights in the InfoSec industry - hope you can be there!
  
*We're a group on [http://www.linkedin.com/groups?home=&gid=2796025 LinkedIn] as well, please join us. Facebook is coming soon.
+
== Meeting details  ==
  
== Become a voting member ==
+
Our chapter meets ''quarterly''; we're organizing several different event styles in addition to traditional presentations. There will be opportunities for Columbus OWASP members to meet other local security groups through event cross-participation and cooperation. The next quarterly meeting is being planned for August 18th, 2011.
  
We encourage organization and individual supporters of our [http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project ethics & principals] to become a voting <b>[http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters MEMBER]</b>. Please review the [[Chapter Rules]] and the [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP overview], and [mailto:columbusowasp(at)gmail.com contact the chapter leaders] for more information.
+
Feel free to contact us at columbusowasp@gmail.com with any questions.  
  
''The professional association of OWASP Foundation Inc., is always free and open to anyone interested in learning more about application security.''
+
==== Previous Meetings  ====
  
== We want your participation! ==
+
== Spring 2012 Meeting ==
To submit educational topics for upcoming meetings, [mailto:columbusowasp(at)gmail.com submit your ideas and slide deck] (if available) using the [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include a speaker BIO. It doesn't have to be formal, we're happy to provide some assistance in organizing your thoughts. You only need an interest and knowledge of your independent research or related software security topic.
+
  
=== Sponsorship, too! ===
+
The second quarterly meeting for the Columbus chapter of OWASP was held on June 14 in the afternoon, and featured two speakers from the local infosec community. Jason Pubal from OCLC spoke on the topic of web application security - his presentation can be found [https://www.owasp.org/images/d/d3/XSS_Jason_Pubal.pdf here]. Jerod Brennan from Jacadis spoke on defending mobile applications, and his presentation is available [https://www.owasp.org/images/2/23/Defending_Mobile_Applications.pdf here].
There are myriad opportunities to sponsor the chapter, including meeting space, food, marketing, and monetary donations. We're always looking for assistance. Inquiries regarding chapter or per-meeting sponsorship opportunities can be directed to [mailto:columbusowasp(at)gmail.com the chapter leaders]. As a [http://www.owasp.org/index.php/About_OWASP 501(3)c non-profit professional association] your support and sponsorship of a meeting venue and/or refreshments is tax-deductible and all financial contributions can be made online right now: ''<paypal>Columbus</paypal>''
+
  
==== Current Meetings ====
+
== Winter 2012 Meeting ==
  
Our chapter meets ''quarterly''; we're organizing several different event styles in addition to traditional presentations. There will be opportunities for Columbus OWASP members to meet other local security groups through event cross-participation and cooperation.
+
Our winter 2012 meeting was February 15th from 8 AM to noon at the J. Liu in Worthington. This was a joint meeting with ISSA, the first of many collaborations within the thriving Columbus security community for 2012. Here are the details:
  
== Defensible .NET - June 10th, 3PM ==
+
Central Ohio ISSA
 +
February 2012 Chapter meeting
 +
Where: J. Liu Restaurant, Worthington
 +
When: Wednesday February 15th, 2012
 +
Time: 7:45 AM – 11:30 AM for all sessions
 +
Member Cost:
 +
Chapter Meeting - $0
 +
Non Member Cost:
 +
Chapter Meeting - $20
 +
Sponsored By:
 +
Registration:
 +
Event Registration
 +
Schedule:
 +
07:45 – 08:15
 +
Registration with light Breakfast
 +
08:15 – 09:10
  
'''Presented by Jason Montgomery, Sr. Security Specialist, Active Technologies Group, Inc.'''
+
Creating the Business Case, An Essential Guide for the Security Practitioner
  
ASP.NET and the .NET framework have become the preferred foundation underlying enterprise applications. While Microsoft has prioritized integrating security into the ASP.NET framework, attacks at the application layer are dramatically increasing.  How effective are the security controls built into the ASP.NET framework?  Application developers must understand the limitations of the framework and ensure their code is secure.  Focusing on the OWASP top ten, Jason Montgomery will explain the latest defensive techniques specific to the ASP.NET environment.  Jason is Sr. Security Specialist at Active Technologies Group, Inc. (ATGi).  He is a SANS instructor in .NET application security and co-author of the secure coding certification, GSSP.NET.  Jason has spent the past five years guiding software security practices at the Department of Defense, and currently leads ATGi’s secure software development and assessment practice.
+
All too often, legitimate and critically required security initiatives fail to reach fruition. Oftentimes, this is due to a lack of communication and understanding between the security practitioner and the business owners. Jack Jones, SR VP of IT Risk, Huntington Bank, will describe in detail how practitioners can achieve greater success by clearly linking an improved security posture to the success of the enterprise.
  
''Location coming soon!''
+
Jack Jones, SR VP of IT Risk – CISSP, CISA, CISM
 +
09:25 – 10:20
 +
Open Source Security Tools Your Team Is Not Using
  
==== Previous Meetings ====
+
The second a web application is published, your internal infrastructure is instantly exposed to vulnerabilities network-level protection can’t defend. Now that you’ve benefitted from our previous sessions information share of OWASP and the Top 10, we will dive into actual tactical mitigation tools available to help detect and mitigate the most common security vulnerabilities.
=== 2010 Q1 Meeting ===
+
 
 +
From WebGoat and WebScarab to VulnXML – OWASP has many free projects and web application security assessment tools, but which is right for your situation? The combination of Bill Sempf’s knowledge, Aaron Ansari’s practical application, tools and sample code (.NET) is just what you need to keep those hackers at bay.
 +
 
 +
Bill Sempf – Administrative Director, Locksport Intl / Director OWASP
 +
Aaron Ansari – Regional Director, PhishMe / Director OWASP
 +
10:35 – 11:30
 +
Identity & Access Management
 +
 
 +
At JPMorgan Chase Bank the challenge of balancing business flexibility and regulatory compliance is paramount. In the Retail lines of business: Consumer and Business Banking, Chase Mortgage Banking, Chase Auto Financing, and Chase Student Lending, as well as the supporting technology teams, compliance controls heavily leverage the Identity & Access Management processes and tools. The IAM team is charged with providing governance and monitoring of the banks access controls across nearly 1000 applications and thousands of infrastructure assets with 1.4M distinct levels of access for 2.1M non distinct users. The only viable solution to effectively manage this volume of data is broad integration, automation, and a strategic push to on board all assets to the IAM tool suite.
 +
 
 +
Kwame Fields – CISSP
 +
 
 +
== Q4 Meeting December 1, 2011 at 1PM ==
 +
 
 +
On December 1, 2011, from 1PM to 4PM at the Conference Center of BMW Financial, the Columbus OWASP chapter presented it's Third Quarter Meeting. 
 +
 
 +
Dan Houser was our first speaker.  Dan is a Senior Security & Identity Architect for a Global 100 healthcare organization, based in Columbus, Ohio. In addition to providing Information Security Architecture and Risk Management subject matter expertise, he drives the organization's Identity and Access Management strategy. Mr. Houser is a published author, with primary research and many papers in security, holds the CISSP-ISSAP, CISM, CISA and CGEIT designations, and is an often sought after instructor and speaker.
 +
 
 +
Dan presented a introduction to basic cryptography for developers.  Dan's slides can be downloaded here: [[Media: Crypto_In_Real_World_1Dec2011.ppt]]
 +
 
 +
Mark Feferman was our second speaker.  Mark has over 18 years of IT security experience beginning as one of the original four software developers of the BindView suite of products.  As a career software developer, who later became involved in IT security, Mark’s role as an application security professional is focused on strategic initiatives, like secure coding standards, threat modeling, and the integration of static code analysis into the SDLC.  Mark currently services as the practice director for Application Security at FishNet Security.  He, along with his 18 direct reports, located around the US, perform the advisory services for the practice.
 +
 
 +
Mark presented: Application Security…it’s not just a tactical effort…it’s both a Strategic and Tactical affair. This will include The State of Application Security: The Strategic, the Tactical, and the Do-Nothings, Consultant Perspectives: Application Security in the PCI World, and Secure SDLC, Where to Start, What are the essentials.
 +
 
 +
== Q3 Meeting August 18, 2011 at 1PM ==
 +
 
 +
On August 18, 2011, from 1PM to 4PM at the Conference Center of BMW Financial. Two speakers were featured:
 +
 
 +
Speaker: '''Brent Huston''' CEO & Security Evangelist of MicroSolved, Inc. (MSI)
 +
 
 +
This presentation will discuss PHP and ASP malware, discovery techniques, how the attackers are staging and processing malware-based attacks, as well as the relevance of anti-virus against these forms of malware. Drawn from real world attacks and compromises, examples will be displayed and discussed. Take aways will include the architecture of attacker cells, their targeting and use of compromised hosts and insight into how simple, basic controls can assist us in fighting these forms of assault.
 +
 
 +
Speaker: '''Kevin Wall''' - ESAPI Committer / Owner at OWASP & Staff Security Engineer at CenturyLink
 +
 
 +
[https://www.owasp.org/index.php/File:OWASP_ESAPI-2011.ppt Kevin's Presentation and Materials]
 +
 
 +
OWASP Enterprise Security API (ESAPI) is one of the flagship projects at OWASP, but as of yet, not many application development teams have adopted it. This presentation will provide a brief history and overview of ESAPI, including its goals and all its language implementations, before taking a deeper dive into ESAPI for Java.
 +
 
 +
The ESAPI for Java portion will discuss major changes from ESAPI 1.4 to ESAPI 2.0 and how the various ESAPI 2.0 security controls map as mitigations for the OWASP Top Ten. We will also examine the relative maturity of each security control.
 +
 
 +
This will be followed by a few examples of how to use ESAPI, including an in-depth one of using ESAPI's symmetric encryption. Finally, we will briefly describe how the OWASP AppSensor project
 +
has the ESAPI's Intrustion Detection mechanism to provid an powerful intrustion detection system at the application layer and describe some of the advantanges of this versus an more
 +
traditional IDS.
 +
 
 +
== Q2 Meeting - June 10th, 1PM - Defensible .NET  ==
 +
 
 +
'''Presented by Jason Montgomery, Sr. Security Specialist, Active Technologies Group, Inc.'''
 +
 
 +
ASP.NET and the .NET framework have become the preferred foundation underlying enterprise applications. While Microsoft has prioritized integrating security into the ASP.NET framework, attacks at the application layer are dramatically increasing. How effective are the security controls built into the ASP.NET framework? Application developers must understand the limitations of the framework and ensure their code is secure. Focusing on the OWASP top ten, Jason Montgomery will explain the latest defensive techniques specific to the ASP.NET environment. Jason is Sr. Security Specialist at Active Technologies Group, Inc. (ATGi). He is a SANS instructor in .NET application security and co-author of the secure coding certification, GSSP.NET. Jason has spent the past five years guiding software security practices at the Department of Defense, and currently leads ATGi’s secure software development and assessment practice.
 +
 
 +
== 3rd Annual Central Ohio Infosec Summit  ==
 +
 
 +
The goal of this event is to educate regional Information Security professionals and support collaboration by bringing leading speakers in the information security field together to educate the community on the latest industry trends and issues.
 +
 
 +
This Information Security Conference will provide information security professionals with the most up-to-date information, tools, trends, legislative information, products, services, and strategies for addressing information security issues. The conference will focus on key topics related to information security with presentations provided by recognized experts and exhibits by some of the nation’s leading organizations.
 +
 
 +
== 2010 Q1 Meeting ==
  
 
*'''PHP Security''' presented by Jon Canady, Web Application Developer, [http://www.innova-partners.com/ Innova Partners], March 23rd, 2010
 
*'''PHP Security''' presented by Jon Canady, Web Application Developer, [http://www.innova-partners.com/ Innova Partners], March 23rd, 2010
  
'''Meeting Summary:''' PHP is a widely used, general-purpose scripting language, originally designed to produce dynamic web pages. In 2007, The PHP Group reported it was utilized on over 20 million websites and 1 million web servers. In 2008, the National Vulnerability Database claimed PHP accounted for 35% of software vulnerabilities, with nearly all caused by poor programming practices. Every PHP developer, hoster, and security professional should understand the primary attack vectors being used by attackers against PHP applications. During this OWASP meeting we dived deep into PHP security - specifically the OWASP Top 10 in the context of PHP.
+
'''Meeting Summary:''' PHP is a widely used, general-purpose scripting language, originally designed to produce dynamic web pages. In 2007, The PHP Group reported it was utilized on over 20 million websites and 1 million web servers. In 2008, the National Vulnerability Database claimed PHP accounted for 35% of software vulnerabilities, with nearly all caused by poor programming practices. Every PHP developer, hoster, and security professional should understand the primary attack vectors being used by attackers against PHP applications. During this OWASP meeting we dived deep into PHP security - specifically the OWASP Top 10 in the context of PHP.  
  
In addition to the presentation, chapter leadership changes were announced as well as the new leadership's plans for increasing the visibility and participation of the chapter.
+
In addition to the presentation, chapter leadership changes were announced as well as the new leadership's plans for increasing the visibility and participation of the chapter.  
  
 
The Columbus OWASP Chapter leadership would like to thank [http://www.bmwfs.com/ BMW Financial Services] for hosting this event and [http://www.innova-partners.com/ Innova Partners] for providing lunch.  
 
The Columbus OWASP Chapter leadership would like to thank [http://www.bmwfs.com/ BMW Financial Services] for hosting this event and [http://www.innova-partners.com/ Innova Partners] for providing lunch.  
  
'''Presentation slide deck: [[Media:OWASP_Q12010_PHP.pdf|OWASP_Q12010_PHP]]''' (pdf, 4.5M)
+
'''Presentation slide deck: [[Media:OWASP_Q12010_PHP.pdf|OWASP_Q12010_PHP]]''' (pdf, 4.5M)  
 +
 
 +
==== Columbus OWASP Chapter Leaders  ====
 +
 
 +
Please feel free to contact the chapter leaders at any time.
 +
 
 +
*[mailto:Aaron.Ansari(at)bmwfs.com Aaron Ansari]
 +
*[mailto:cmatthews(at)microsolved.com Constance Matthews]
 +
*[mailto:bill(at)pointweb.net Bill Sempf]
 +
 
 +
You can also reach the chapter leadership at columbusowasp@gmail.com.
 +
 
 +
==== Other Local InfoSec Resources  ====
  
==== Columbus OWASP Chapter Leaders ====
+
*[http://infragard.columbus.oh.us/ Central Ohio InfraGard]  
Chapter leaders are [mailto:Aaron.Ansari(at)bmwfs.com Aaron Ansari], [mailto:gcook(at)expesite.com Geoff Cook], [mailto:owasp(at)cgsvo.org Chris Green] & [mailto:cmatthews(at)microsolved.com Constance Matthews].
+
*[http://www.isaca-centralohio.org/ Central Ohio ISACA]  
 +
*[http://centralohioissa.org/ Central Ohio ISSA]  
 +
*[http://thesecuritymba.org/ Central Ohio (ISC)2 / Security MBA ]
 +
__NOTOC__ <headertabs />
  
==== Other Local InfoSec Resources ====
+
[[Category:OWASP_Chapter]] [[Category:Ohio]]
*[http://infragard.columbus.oh.us/ Central Ohio InfraGard]
+
*[http://www.isaca-centralohio.org/ Central Ohio ISACA]
+
*[http://centralohioissa.org/ Central Ohio ISSA]
+
*[http://thesecuritymba.org/ Security MBA (Masters of Beer Appreciation)]
+
__NOTOC__
+
<headertabs/>
+
[[Category:Ohio]]
+

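Review bot: the added text under "== Q4 Meeting December 1, 2011 at 1PM ==" still says the chapter "presented it's Third Quarter Meeting", and "== Meeting details ==" still says "The next quarterly meeting is being planned for August 18th, 2011"; both are carried over from the 2011 revision, while this revision's own Summer 2012 section puts the next meeting on September 13th, so the Q4 body should read "its fourth quarterly meeting" and the Meeting details date should be updated or dropped. Smaller points in the added lines: "501(3)c" should be "501(c)(3)"; "OWASP in involved in" should be "is involved in"; "ethics & principals" should be "principles"; and the ESAPI paragraph's "Intrustion Detection mechanism to provid an powerful intrustion detection system" and "advantanges of this versus an more traditional IDS" should read "Intrusion Detection mechanism to provide a powerful intrusion detection system" and "advantages of this versus a more traditional IDS".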
Revision as of 13:56, 19 June 2012


Local News

Summer 2012 Meeting

The third quarterly meeting for the Columbus chapter of OWASP will be held on September 13th at 1 PM, and will feature two powerhouses from the national InfoSec stage. Jim Manico from WhiteHat Security will be speaking on the Top 10 Web Defenses, and Brent Huston from MicroSolved will be speaking on malware analysis. The meeting will be at the Improving Enterprise Ohio office (4449 Easton Way, Suite 100, Columbus, OH 43219; 614-573-7405). Hope to see everyone there. Register at http://columbusowasp2012q3.eventbrite.com/. This is not one to be missed, people.

OWASP Membership

At the Q3 meeting, there were a lot of questions about membership. Membership supports the many projects that OWASP is involved in, including ESAPI. Learn more about membership at http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters. Remember to tell them you are interested in membership in the Columbus chapter.

Chapter Info

Stay in touch with Columbus OWASP

  • The first stop to connecting with the community is our mailing list (http://lists.owasp.org/mailman/listinfo/owasp-columbus); feel free to contribute and interact with the list - it's not just for listening!
  • We're a group on LinkedIn as well (http://www.linkedin.com/groups?home=&gid=2796025), please join us.

Become a voting member

We encourage organization and individual supporters of our ethics and principles to become a voting MEMBER. Please review the Chapter Rules and the OWASP overview, and contact the chapter leaders (columbusowasp@gmail.com) for more information.

The professional association of OWASP Foundation Inc. is always free and open to anyone interested in learning more about application security.

We want your participation!

To submit educational topics for upcoming meetings, send your ideas and slide deck (if available) to columbusowasp@gmail.com using the OWASP Template (http://www.owasp.org/images/5/54/Presentation_template.ppt) and include a speaker bio. It doesn't have to be formal; we're happy to provide some assistance in organizing your thoughts. You only need an interest in and knowledge of your independent research or a related software security topic.

Sponsorship, too!

There are myriad opportunities to sponsor the chapter, including meeting space, food, marketing, and monetary donations. We're always looking for assistance. Inquiries regarding chapter or per-meeting sponsorship opportunities can be directed to the chapter leaders at columbusowasp@gmail.com. Because OWASP is a 501(c)(3) non-profit professional association, your sponsorship of a meeting venue and/or refreshments is tax-deductible, and financial contributions can be made online right now through the chapter's PayPal donation link (funds go to OWASP earmarked for Columbus).

Current Meetings

Summer 2012 Meeting

Jim Manico from White Hat will be in town for our Summer Meeting on September 13th! Save the date. Here's his talk abstract:

We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. This talk is best suited for technical web application development professionals at any stage of the software development lifecycle.

Also, Brent Huston from Microsolved will be speaking, and his abstract is coming soon. Two real heavyweights in the InfoSec industry - hope you can be there!

Meeting details

Our chapter meets quarterly; we're organizing several different event styles in addition to traditional presentations. There will be opportunities for Columbus OWASP members to meet other local security groups through event cross-participation and cooperation. The next quarterly meeting is planned for September 13th, 2012 (see the Summer 2012 Meeting above).

Feel free to contact us at columbusowasp@gmail.com with any questions.

Previous Meetings

Spring 2012 Meeting

The second quarterly meeting for the Columbus chapter of OWASP was held on June 14 in the afternoon, and featured two speakers from the local infosec community. Jason Pubal from OCLC spoke on web application security; his presentation is available at https://www.owasp.org/images/d/d3/XSS_Jason_Pubal.pdf. Jerod Brennan from Jacadis spoke on defending mobile applications; his presentation is available at https://www.owasp.org/images/2/23/Defending_Mobile_Applications.pdf.

Winter 2012 Meeting

Our winter 2012 meeting was February 15th from 8 AM to noon at J. Liu Restaurant in Worthington. This was a joint meeting with ISSA, the first of many collaborations within the thriving Columbus security community for 2012. Here are the details:

Central Ohio ISSA February 2012 Chapter Meeting
Where: J. Liu Restaurant, Worthington
When: Wednesday, February 15th, 2012
Time: 7:45 AM – 11:30 AM for all sessions
Member cost: Chapter meeting - $0
Non-member cost: Chapter meeting - $20

Schedule:
07:45 – 08:15 Registration with light breakfast
08:15 – 09:10 Creating the Business Case, An Essential Guide for the Security Practitioner

All too often, legitimate and critically required security initiatives fail to reach fruition. Oftentimes, this is due to a lack of communication and understanding between the security practitioner and the business owners. Jack Jones, SR VP of IT Risk, Huntington Bank, will describe in detail how practitioners can achieve greater success by clearly linking an improved security posture to the success of the enterprise.

Speaker: Jack Jones, SR VP of IT Risk – CISSP, CISA, CISM

09:25 – 10:20 Open Source Security Tools Your Team Is Not Using

The second a web application is published, your internal infrastructure is instantly exposed to vulnerabilities that network-level protection can’t defend against. Now that you’ve benefited from our previous sessions' information share on OWASP and the Top 10, we will dive into actual tactical mitigation tools available to help detect and mitigate the most common security vulnerabilities.

From WebGoat and WebScarab to VulnXML – OWASP has many free projects and web application security assessment tools, but which is right for your situation? The combination of Bill Sempf’s knowledge, Aaron Ansari’s practical application, tools and sample code (.NET) is just what you need to keep those hackers at bay.

Speakers: Bill Sempf – Administrative Director, Locksport Intl / Director OWASP; Aaron Ansari – Regional Director, PhishMe / Director OWASP

10:35 – 11:30 Identity & Access Management

At JPMorgan Chase Bank the challenge of balancing business flexibility and regulatory compliance is paramount. In the Retail lines of business (Consumer and Business Banking, Chase Mortgage Banking, Chase Auto Financing, and Chase Student Lending), as well as the supporting technology teams, compliance controls heavily leverage the Identity & Access Management processes and tools. The IAM team is charged with providing governance and monitoring of the bank's access controls across nearly 1,000 applications and thousands of infrastructure assets, with 1.4M distinct levels of access for 2.1M non-distinct users. The only viable solution to effectively manage this volume of data is broad integration, automation, and a strategic push to onboard all assets to the IAM tool suite.

Kwame Fields – CISSP

Q4 Meeting December 1, 2011 at 1PM

On December 1, 2011, from 1PM to 4PM at the Conference Center of BMW Financial, the Columbus OWASP chapter presented its Third Quarter Meeting.

Dan Houser was our first speaker. Dan is a Senior Security & Identity Architect for a Global 100 healthcare organization, based in Columbus, Ohio. In addition to providing Information Security Architecture and Risk Management subject matter expertise, he drives the organization's Identity and Access Management strategy. Mr. Houser is a published author, with primary research and many papers in security, holds the CISSP-ISSAP, CISM, CISA and CGEIT designations, and is an often sought-after instructor and speaker.

Dan presented an introduction to basic cryptography for developers. Dan's slides can be downloaded here: Media: Crypto_In_Real_World_1Dec2011.ppt

Mark Feferman was our second speaker. Mark has over 18 years of IT security experience, beginning as one of the original four software developers of the BindView suite of products. As a career software developer who later became involved in IT security, Mark’s role as an application security professional is focused on strategic initiatives, like secure coding standards, threat modeling, and the integration of static code analysis into the SDLC. Mark currently serves as the practice director for Application Security at FishNet Security. He, along with his 18 direct reports located around the US, performs the advisory services for the practice.

Mark presented: Application Security…it’s not just a tactical effort…it’s both a Strategic and Tactical affair. The talk covered The State of Application Security: The Strategic, the Tactical, and the Do-Nothings; Consultant Perspectives: Application Security in the PCI World; and Secure SDLC: Where to Start and What the Essentials Are.

Q3 Meeting August 18, 2011 at 1PM

On August 18, 2011, from 1PM to 4PM at the Conference Center of BMW Financial, two speakers were featured:

Speaker: Brent Huston CEO & Security Evangelist of MicroSolved, Inc. (MSI)

This presentation will discuss PHP and ASP malware, discovery techniques, how attackers are staging and processing malware-based attacks, and the relevance of anti-virus against these forms of malware. Drawn from real-world attacks and compromises, examples will be displayed and discussed. Takeaways will include the architecture of attacker cells, their targeting and use of compromised hosts, and insight into how simple, basic controls can assist us in fighting these forms of assault.

Speaker: Kevin Wall - ESAPI Committer / Owner at OWASP & Staff Security Engineer at CenturyLink

Kevin's Presentation and Materials

OWASP Enterprise Security API (ESAPI) is one of the flagship projects at OWASP, but as yet not many application development teams have adopted it. This presentation will provide a brief history and overview of ESAPI, including its goals and all its language implementations, before taking a deeper dive into ESAPI for Java.

The ESAPI for Java portion will discuss major changes from ESAPI 1.4 to ESAPI 2.0 and how the various ESAPI 2.0 security controls map as mitigations for the OWASP Top Ten. We will also examine the relative maturity of each security control.

This will be followed by a few examples of how to use ESAPI, including an in-depth one on using ESAPI's symmetric encryption. Finally, we will briefly describe how the OWASP AppSensor project builds on ESAPI's Intrusion Detection mechanism to provide a powerful intrusion detection system at the application layer, and describe some of the advantages of this versus a more traditional IDS.

Q2 Meeting - June 10th, 1PM - Defensible .NET

Presented by Jason Montgomery, Sr. Security Specialist, Active Technologies Group, Inc.

ASP.NET and the .NET framework have become the preferred foundation underlying enterprise applications. While Microsoft has prioritized integrating security into the ASP.NET framework, attacks at the application layer are dramatically increasing. How effective are the security controls built into the ASP.NET framework? Application developers must understand the limitations of the framework and ensure their code is secure. Focusing on the OWASP top ten, Jason Montgomery will explain the latest defensive techniques specific to the ASP.NET environment. Jason is Sr. Security Specialist at Active Technologies Group, Inc. (ATGi). He is a SANS instructor in .NET application security and co-author of the secure coding certification, GSSP.NET. Jason has spent the past five years guiding software security practices at the Department of Defense, and currently leads ATGi’s secure software development and assessment practice.

3rd Annual Central Ohio Infosec Summit

The goal of this event is to educate regional Information Security professionals and support collaboration by bringing leading speakers in the information security field together to educate the community on the latest industry trends and issues.

This Information Security Conference will provide information security professionals with the most up-to-date information, tools, trends, legislative information, products, services, and strategies for addressing information security issues. The conference will focus on key topics related to information security with presentations provided by recognized experts and exhibits by some of the nation’s leading organizations.

2010 Q1 Meeting

  • PHP Security presented by Jon Canady, Web Application Developer, Innova Partners, March 23rd, 2010

Meeting Summary: PHP is a widely used, general-purpose scripting language, originally designed to produce dynamic web pages. In 2007, The PHP Group reported it was utilized on over 20 million websites and 1 million web servers. In 2008, the National Vulnerability Database claimed PHP accounted for 35% of software vulnerabilities, with nearly all caused by poor programming practices. Every PHP developer, hoster, and security professional should understand the primary attack vectors being used against PHP applications. During this OWASP meeting we dove deep into PHP security, specifically the OWASP Top 10 in the context of PHP.

In addition to the presentation, chapter leadership changes were announced as well as the new leadership's plans for increasing the visibility and participation of the chapter.

The Columbus OWASP Chapter leadership would like to thank BMW Financial Services for hosting this event and Innova Partners for providing lunch.

Presentation slide deck: OWASP_Q12010_PHP (pdf, 4.5M)

Columbus OWASP Chapter Leaders

Please feel free to contact the chapter leaders at any time.

You can also reach the chapter leadership at columbusowasp@gmail.com.

Other Local InfoSec Resources