OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
Note we return to Telus Plaza for the February meeting.
Our chapter's next meeting will take place Tuesday, February 27, 2007 at 6:00 PM at the Telus Plaza North Tower. Please meet us in the building's lobby before 6:00 so that we can escort you to the boardroom. The meeting will be over by 7:15. This map guides you to Telus Plaza North.
The February topic will be "Building Defensible Web App Architectures", by Jason Meltzer of Strange Research, http://www.strangeresearch.com.
Web applications have become the most significantly exposed, and vulnerable, software systems on an organization's network. Thousands of lines of custom application code lovingly interfacing with a pile of third-party middleware that's herding data to and from what is likely an installation of a major database, and all of this is supporting critical business processes handling yours, and others, sensitive data. Hopefully you've spent a little time and some honest effort on reducing security defects in your applications (I see each of your devs has the OWASP Top 10 taped to their cubicle wall) and your network guys are seasoned warriors, so everything is solid. Now, what happens when, not if, you have an incident involving your web app?
This talk is going to bring the concepts surrounding building a defensible network into the realm of designing web application architectures. We will be doing some drawing, and there will be network devices in our diagrams. We'll discussed defending deployed web applications, how they are different and what issues that raises... We'll discuss the implications of such things as when the OWASP guide say, "By default, no unencrypted data should transit the network" and we'll discuss how we might be able to get to a position where we can start to think about having the ability to effectively respond to a web app incident.
Previous meetings covered:
- OWASP's Top Ten Project
- OWASP's WebGoat insecure web application
- Cross Site Scripting Attacks (Yegor's slideshow)
- Pub Night(!); discussed strategies for secure use of personal web applications