Difference between revisions of "Long Island"

From OWASP
(June 2014)
 
(41 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}  
 
{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}  
  
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']
+
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] 
 +
 
 +
 
 +
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']
  
  
 
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}  
 
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}  
 +
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]
  
 
__NOTOC__  
 
__NOTOC__  
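Review bot: the line "Long Island chapter is a proud sponsor of Women in AppSec 2013" (the appsecusa.org/2013 link) is carried into this June 2014 revision next to the new membership link, so it reads as current sponsorship; either date it as a past sponsorship or drop it. The two "Become a Member NOW" links (cvent.com/d/gcqpwh/3W and myowasp.force.com/memberappregion) should also be reconciled so that only the current registration URL remains on the page.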
Line 11: Line 15:
  
 
== '''Next Meetings''' ==
 
== '''Next Meetings''' ==
 +
===''' June 2014 '''===
 +
* '''Date & Time:''' Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)
 +
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
 +
* '''Register:''' Free food and drinks will be provided. RSVP required. [https://www.eventbrite.com/e/owasp-long-island-ny-meeting-topic-heartbleed-tickets-11827846407?ref=ebtnebregn Click Here]
 +
* '''Topics:''' Heartbleed
 +
* '''Heartbleed Abstract:'''
 +
:The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
 +
:The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<br>
 +
:Resources for the discussion:
 +
::[https://www.owasp.org/index.php/Heartbleed_Bug OWASP / Heartbleed_Bug]<br>
 +
:Other External Resources:
 +
::[http://heartbleed.com/ http://heartbleed.com/]
 +
* '''About the Speaker:'''
 +
:Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the [http://www.meetup.com/OWASP-New-Jersey/ New Jersey Chapter] after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating [http://www.meetup.com/OWASP-NYC OWASP NYC Metro Chapter]. Tom was appointed to the Global Board of Directors in 2007 by his peers and was [https://www.owasp.org/index.php/Membership/2012_Election#2012_Board_Election_RESULTS re-elected] by the membership for another term.
  
<h4><i>The 12/13/2012 meeting room has changed to room 204 on the second floor of Hagedorn Hall of Enterprise.</i></h4>
+
:During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others.  
 
+
'''Dr. Kees Leune - Threat Modeling'''<br/><br/>
+
RSVP Requested  [http://www.eventbrite.com/event/4962223143 http://www.owasp.org/images/7/7f/Register.gif]
+
 
+
<ul>
+
<li><strong>12/13/2012</strong></li>
+
*Time: 6:30pm - 9:00 pm
+
* Location: '''Room 204 on the second floor of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions:  [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map]  |  [http://www.adelphi.edu/visitors/campus.php Campus Map].
+
 
+
 
+
'''About the Speaker''' -
+
 
+
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
+
 
+
*Registration Details:  The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br>
+
  
 +
:Tom is also the founder of [http://www.proactiverisk.com/ proactiveRISK]
 +
<br>
 +
----
 
----
 
----
  
 
'''Call For Topics & Speakers''' <br><br>
 
'''Call For Topics & Speakers''' <br><br>
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].
+
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].
  
 
<br>  
 
<br>  
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center>
+
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members_and_Contacts Long Island Board Member].</center>
  
=Calendar=
+
=Upcoming Meetings Schedule=
 +
''The information on this page is subject to change, please check back frequently for updates''
  
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br>
+
===''' August 2014 '''===
 +
* '''Date & Time:''' Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' Compliance
  
----
+
===''' October 2014 '''===
 +
* '''Date & Time:''' Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' OWASP Dependency Checking / Sonatype
  
----
+
===''' January 2015 '''===
 +
* '''Date & Time:''' Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' TBA
  
 +
===''' March 2015 '''===
 +
* '''Date & Time:''' Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' Mobile application
  
=Past Meetings=
+
===''' May 2015 '''===
 +
* '''Date & Time:''' Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' TBA
  
==''' September Meeting '''==
+
===''' July 2015 '''===
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/>
+
* '''Date & Time:''' Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' TBA
  
<ul>
+
===''' Septmeber 2015 '''===
* Date: Monday, September 24, 2012
+
* '''Date & Time:''' Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)
* Time: 6:30pm - 9:00 pm
+
* '''Topics:''' TBA
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi
+
</ul>
+
  
 +
===''' November 2015 '''===
 +
* '''Date & Time:''' Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)
 +
* '''Topics:''' TBA
  
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming
 
  
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way
+
=Past Meetings=
secure. Application programmers need to learn to code in a secure
+
==''' April 2014 '''==
fashion if we have any chance of providing organizations with proper
+
* '''Date & Time:''' Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)
defenses in the current threatscape. This talk will discuss the 10
+
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
most important security-centric computer programming techniques
+
* '''Topics:''' Brainstorming session for organizing chapter activities and requesting volunteers for new board members.
necessary to build low-risk web-based applications.
+
* '''Abstract:'''
 +
:This is a meeting to brainstorm ideas on how to outreach and organize chapter activities. This is also a greet and meet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to the meeting or email your suggestions to helen.gao at owasp.org.
 +
:A simple dinner will be provided.
 +
<br>
 +
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br>
 +
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.
  
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat
+
<br>
Security, a web security firm.  Jim is a participant and project
+
==''' April 2013 '''==
manager of the OWASP Developer Cheatsheet series. He is also the
+
* '''Date & Time:''' Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)
producer and host of the OWASP Podcast Series.
+
* '''Location:''' TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
 +
* '''Topics:''' RailsGoat & GoatDroid
  
 +
* '''RailsGoat Abstract:'''
 +
:While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails as well as the solutions for remediation. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.
  
=='''May Meeting'''==
+
* '''About the Speaker:'''
 +
:Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.
 +
<br>
 +
----
 +
<br>
 +
* '''GoatDroid Abstract:'''
 +
:Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.
  
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br>
+
* '''About the Speaker:'''
 +
:Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.
  
* Date: Thursday, May 10, 2012
+
<br>
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions:  [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map]  |  [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.
+
==''' December 2012 '''==
  
* Time: 7:00pm-9:30pm
+
* '''Date & Time:''' Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)
*''Free pizza and beverage will be provided.''
+
* '''Location:'''  Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University
 +
* '''Topics:''' Thread Modeling
 +
* '''About the Speaker:'''
 +
:Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
  
 +
<br>
 +
==''' September 2012 '''==
 +
* '''Date & Time:''' Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)
 +
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi
 +
* '''Topics:''' Top 10 Web Defenses through Secure Application Programming
 +
* '''Abstract:'''
 +
:Top Ten Web Defenses We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
 +
* '''About the Speaker:'''
 +
:Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm.  Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.
 +
* '''Meeting Replay Video:'''  http://www.youtube.com/watch?v=r12yiXnagbY&sns=em
  
 
<br>
 
<br>
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br>
+
==''' May 2012 '''==
 +
* '''Date & Time:''' Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)
 +
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
 +
* '''Topics:''' OWASP Top 10 Mobile Risks / Practical Android Security
 +
* '''Abstract:'''
 +
:Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.
 +
:The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.
 +
::Topics:
 +
:::*Mobile Application Security
 +
:::*OWASP GoatDroid
 +
:::*OWASP MobiSec
 +
* '''About the Speaker:'''
 +
:Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.
 +
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]
  
* Meeting Agenda:
 
 
'''Practical Android Security'''
 
 
Abstract:
 
 
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.
 
 
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.
 
 
 
Topics:
 
*Mobile Application Security
 
*OWASP GoatDroid
 
*OWASP MobiSec
 
 
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]
 
 
<br>
 
<br>
<hr>
+
==''' February 2012 '''==
 
+
* '''Date & Time:''' Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)
'''About the Speaker''' -
+
* '''Location:''' IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
 
+
* '''Topics:''' Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.
+
* '''Abstract:'''  
 
+
:Topics:
 
+
::*Overview of BackTrack
=='''February Meeting'''==
+
::*Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)
 
+
::*Overview of the lab challenge (covers multiple owasp top 10 vulns)
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities.  Please find the details below''' <br> <br>
+
:'''''Laptops are needed if you wish to participate in the lab exercise!'''''
 
+
* '''About the Speaker:'''
* Date: Thursday, February 16, 2012
+
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.  
+
* Time: 7:00pm-9:30pm
+
 
+
RSVP Requested  [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]
+
 
+
<br><br>
+
*Registration Details:  This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people.  Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br>
+
 
+
* Meeting Agenda:
+
 
+
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''
+
 
+
Topics:
+
**Overview of BackTrack
+
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)
+
**Overview of the lab challenge (covers multiple owasp top 10 vulns)
+
 
+
'''''Laptops are needed if you wish to participate in the lab exercise!'''''
+
 
+
 
+
'''About the Speaker''' -
+
 
+
 
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
 
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
  
 
+
<br>
 
+
==''' September 2011 '''==
=='''November'''==
+
* '''Date & Time:''' Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)
 
+
* '''Location:''' University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000
* Date: Thursday, November 17, 2012
+
* '''Topics:''' Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
+
* '''Abstract:'''
* Time: 7:00pm-9:30pm
+
:'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' Helen will discuss one of the most widespread Web application Vulnerabilities.  How can an application be attacked and how to protect yourself.
 
+
* '''About the Speaker:'''
<br><br>
+
:Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company.  Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.
*Registration Details:  This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people.  Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br>
+
<br>
 
+
-----
* Meeting Agenda:
+
<br>
 
+
* '''Abstract:'''
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''
+
:Topics:
 
+
::*Recent Attack on Infraguard Website.
Topics:
+
::*Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?
**Overview of BackTrack
+
::*LulzSec, Anonymous, A-Team - Motivations for attacks?  How do small-medium size businesses protect themselves from this?  Insurance, increased IT budgets?
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)
+
* '''About the Speaker:'''
**Overview of the lab challenge (covers multiple owasp top 10 vulns)
+
:Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc.  He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure.  
 
+
'''''Laptops are needed if you wish to participate in the lab exercise!'''''
+
 
+
 
+
'''About the Speaker''' -
+
 
+
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
+
 
+
 
+
 
+
 
+
=='''September'''==
+
*Date: Thursday, September 22, 2011  
+
*Time: 6:30pm - 9:30pm
+
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000  
+
*Topics & Speakers: <br>
+
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br>
+
Helen will discuss one of the most widespread Web application Vulnerabilities.  How can an application be attacked and how to protect yourself.
+
  
 
<br>
 
<br>
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company.  Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.
+
==''' May 2011 '''==
 
+
 
+
 
+
'''Round Table Discussions Coordinated by Ryan Behan:''' <br>
+
Topics -
+
Recent Attack on Infraguard Website.
+
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?
+
LulzSec, Anonymous, A-Team - Motivations for attacks?  How do small-medium size businesses protect themselves from this?  Insurance, increased IT budgets?
+
<br><br>
+
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc.  He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure.
+
  
  
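Review bot: several added lines carry errors that should be fixed before publishing. The December 2012 entry says "Thread Modeling" where the old text for the same meeting reads "Dr. Kees Leune - Threat Modeling"; the heading "Septmeber 2015" is misspelled; "Hosftra University" should be Hofstra; "Infraguard" is spelled InfraGard. The December 2012 location also conflicts with the old revision, which states that the 12/13/2012 meeting room changed to room 204 on the second floor of Hagedorn Hall of Enterprise, while the new entry gives "Room 108 on the first level"; confirm which is correct before the old note is lost. Heading levels are inconsistent: the June 2014 and all upcoming entries use === while the past-meeting entries use ==. Finally, the Heartbleed abstract describes impact (memory disclosure, key and credential theft) and links to the OWASP and heartbleed.com pages, but does not state which OpenSSL versions are affected or which fixed version to upgrade to; attendees will want that in the resources list so they can check their own deployments.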
Line 204: Line 197:
 
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.
 
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.
 
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br>
 
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br>
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors.  He has spoken widely at conferences throughout the United States and internationally.  He has also  published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br>
+
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors.  He has spoken widely at conferences throughout the United States and internationally.  He has also  published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect.
  
 +
<br>
 +
==''' March 2011 '''==
 +
* '''Date & Time:''' Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)
 +
* '''Location:'''  2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753
 +
* '''Topics:''' Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro
 +
* '''Abstract:'''
 +
:The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.
 +
* '''About the Speaker:'''
 +
:Rajendra Umadas, OWASP Member
 +
<br>
 +
----
 +
<br>
 +
*'''Abstract:'''
 +
:In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.
  
 +
:In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.
 +
*'''About the Speaker:'''
 +
:[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member
 +
<br>
 +
----
 +
<br>
 +
*'''Abstract:'''
 +
:[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
  
 +
:In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.
 +
*'''About the Speaker:'''
 +
:[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member
  
'''March''' <br>
 
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br>
 
  
'''Intro to the OWASP Mobile Project'''
+
=Chapter Board Members and Contacts=
  
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.  
+
* [mailto:heleng@owasp.org Helen Gao] - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.
  
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member
 
 
'''The Exploit Intelligence Project'''
 
 
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.
 
 
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.
 
 
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br>
 
 
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
 
 
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.
 
 
<br>
 
 
''Free pizza and beverage will be provided. After event networking will be held at a local bar.''
 
 
 
=Chapter Board Members and Contacts=
 
  
*[mailto:heleng@owasp.org Helen Gao, CISSP]
+
* Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, include strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC).  Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.
*[mailto:ryan.behan@owasp.org Ryan C Behan]
+
  
  
 +
* Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.
  
 
<headertabs />  
 
<headertabs />  
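Review bot: the added board entry for Dr. Kees Leune has a grammar slip in "all aspects of the University's information security posture, include strategy, architecture, policy and incident response"; it should read "including strategy, architecture, policy and incident response". Also, the section is headed "Chapter Board Members and Contacts", but of the three new entries only Helen Gao's carries a mailto link, while the replaced list gave one for Ryan C Behan as well; consider adding contact links for the other board members so the heading stays accurate.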

Latest revision as of 12:27, 2 June 2014

OWASP Long Island

Welcome to the Long Island chapter homepage.
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now.

Long Island chapter is a proud sponsor of Women in AppSec 2013


Become a Member NOW



Educational Supporter: Adelphi University
Corporate Silver Supporter: Secure Decisions



Next Meetings

June 2014

  • Date & Time: Wednesday, June 18, 2014 from 6:30 PM to 9:30 PM (ET)
  • Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
  • Register: Free food and drinks will be provided. RSVP required. Click Here
  • Topics: Heartbleed
  • Heartbleed Abstract:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Resources for the discussion:
OWASP / Heartbleed_Bug
Other External Resources:
http://heartbleed.com/
  • About the Speaker:
Tom Brennan has been a volunteer to the OWASP Foundation since 2004 when he founded the New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating OWASP NYC Metro Chapter. Tom was appointed to the Global Board of Directors in 2007 by his peers and was re-elected by the membership for another term.
During his leadership within the OWASP Foundation, he has led many global and local initiatives for OWASP. Tom has earned many industry certifications since he began his technical journey in 1983, including the (ISC)²® CBK / CISSP and many others.
Tom is also the founder of proactiveRISK.




Call For Topics & Speakers

If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a Long Island Board Member.


If you join our mailing list, then you will receive details of the meeting as soon as they are finalized.
To be a co-sponsor for this or a future meeting, consider annual chapter sponsorship.
If you can host an upcoming meeting please contact a Long Island Board Member.

The information on this page is subject to change; please check back frequently for updates.

August 2014

  • Date & Time: Wednesday, August 20, 2014 from 6:30 PM to 9:30 PM (ET)
  • Topics: Compliance

October 2014

  • Date & Time: Wednesday, October 15, 2014 from 6:30 PM to 9:30 PM (ET)
  • Topics: OWASP Dependency Checking / Sonatype

January 2015

  • Date & Time: Wednesday, January 21, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: TBA

March 2015

  • Date & Time: Wednesday, March 18, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: Mobile application

May 2015

  • Date & Time: Wednesday, May 20, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: TBA

July 2015

  • Date & Time: Wednesday, July 15, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: TBA

September 2015

  • Date & Time: Wednesday, September 16, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: TBA

November 2015

  • Date & Time: Wednesday, November 18, 2015 from 6:30 PM to 9:30 PM (ET)
  • Topics: TBA


April 2014

  • Date & Time: Monday, April 28, 2014 from 7:00 PM to 9:30 PM (ET)
  • Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
  • Topics: Brainstorming session for organizing chapter activities and requesting volunteers for new board members.
  • Abstract:
This is a meeting to brainstorm ideas on outreach and on organizing chapter activities. It is also a meet and greet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to attend the meeting or to email your suggestions to helen.gao at owasp.org.
A simple dinner will be provided.


Secure Decisions, a division of Applied Visions Inc., is a sponsor of this meeting.
TIBCO Software Inc. is a sponsor of this meeting.


April 2013

  • Date & Time: Thursday, April 25, 2013 from 6:30 PM to 9:30 PM (ET)
  • Location: TIBCO Software Inc. offices 200 Garden City Plaza #220 Garden City, NY 11530
  • Topics: RailsGoat & GoatDroid
  • RailsGoat Abstract:
While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired within the last few months have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails and the solutions for remediating them. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops.
  • About the Speaker:
Ken Johnson is the former Manager of LivingSocial.com's application security team where he built their security program before leaving for his true home as the CTO of nVisium Security, a VA-based application security company. Ken is the primary developer of the Web Exploitation Framework and contributes to other open source application security projects as often as time permits. He has spoken at AppSec DC 2010 and 2012, OWASP NoVA and Phoenix chapters, Northern Virginia Hackers Association (NoVAH) and is a contributor to the Attack Research team.




  • GoatDroid Abstract:
Like it or not, your developers copy and paste code and "borrow" ideas from open source projects. This presentation will detail the results of analyzing over 100,000 Android applications available publicly on GitHub. We will examine the most prevalent frameworks and libraries in use and discuss their implications for security. Our focus is less theoretical and more practical based on what developers are actually doing and using within their apps. From there, we will take a deeper look at common vulnerabilities that are systemic throughout the Android application ecosystem. We will look at specific examples of vulnerable real-world applications, and fix code on the fly.
  • About the Speaker:
Jack Mannino is the CEO of nVisium Security, a VA-based application security company. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.


December 2012

  • Date & Time: Thursday, December 13, 2012 from 6:30 PM to 9:00 PM (ET)
  • Location: Room 108 on the first level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University
  • Topics: Threat Modeling
  • About the Speaker:
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.


September 2012

  • Date & Time: Monday, September 24, 2012 from 6:30 PM to 9:00 PM (ET)
  • Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi
  • Topics: Top 10 Web Defenses through Secure Application Programming
  • Abstract:
Top Ten Web Defenses: We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
  • About the Speaker:
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.


May 2012

  • Date & Time: Thursday, May 10, 2012 from 7:00 PM to 9:30 PM (ET)
  • Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
  • Topics: OWASP Top 10 Mobile Risks / Practical Android Security
  • Abstract:
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.
Topics:
  • Mobile Application Security
  • OWASP GoatDroid
  • OWASP MobiSec
  • About the Speaker:
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.


February 2012

  • Date & Time: Thursday, February 16, 2012 from 7:00 PM to 9:30 PM (ET)
  • Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
  • Topics: Dr. Kees Leune - Lab utilizing some of the OWASP Top 10 vulnerabilities with BackTrack 5.
  • Abstract:
Topics:
  • Overview of BackTrack
  • Overview of some tools on BackTrack (nmap, John the Ripper, Metasploit)
  • Overview of the lab challenge (covers multiple OWASP Top 10 vulnerabilities)
Laptops are needed if you wish to participate in the lab exercise!
  • About the Speaker:

Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.


September 2011

  • Date & Time: Thursday, September 22, 2011 from 6:30 PM to 9:30 PM (ET)
  • Location: University Club Facility at David Mack Hall, Hofstra University, Hempstead, NY 11549-1000
  • Topics: Web application Vulnerabilities & Round Table Discussions Coordinated by Ryan Behan
  • Abstract:
Helen Gao - Cross-site scripting, the most prevalent Web application vulnerability: Helen will discuss one of the most widespread Web application vulnerabilities, how an application can be attacked, and how to protect yourself.
  • About the Speaker:
Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.




  • Abstract:
Topics:
  • Recent attack on the InfraGard website.
  • Security as a Service model vs. internally managed security - five years from now, what will IT look like?
  • LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?
  • About the Speaker:
Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure.


May 2011


  • Date: Saturday, May 14, 2011
  • Time: 12:30pm - 3:30pm
  • Location: Student Center, Hofstra University, Hempstead, NY 11549-1000
  • Topics & Speakers:


Robert Gezelter -
Minimum Necessary Implementation: Reducing Attack Surface Increases Security
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers. We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.

About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architecture.


March 2011

  • Date & Time: Sunday, March 27, 2011 from 12:00 PM to 3:00 PM (ET)
  • Location: 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753
  • Topics: Intro to the OWASP Mobile Project, The Exploit Intelligence Project and Demo / Web Vulnerabilities Intro
  • Abstract:
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.
  • About the Speaker:
Rajendra Umadas, OWASP Member




  • Abstract:
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.
  • About the Speaker:
Dan Guido, OWASP NY/NJ Board Member




  • Abstract:
WebScarab Demo / Web Vulnerabilities Intro WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.
  • About the Speaker:
Ryan Behan, OWASP LI Board Member


  • Helen Gao - Helen is passionate about information security. She founded the Long Island chapter in 2006. Helen works in the Garden City office of TIBCO Software Inc. She is a senior software architect. She is also a Certified Information Systems Security Professional, CISSP. Helen was the OWASP Security Person of the Year in 2012.


  • Dr. Kees Leune - Dr. Leune is Adelphi University's Information Security Officer, where his responsibilities include all aspects of the University's information security posture, including strategy, architecture, policy and incident response. He teaches as an adjunct professor, and is a gold adviser for the Global Information Assurance Certification (GIAC). Kees is active on Twitter as @leune and (occasionally) blogs at www.leune.org.


  • Frank Zinghini - Frank is founder and president of Applied Visions Inc. (AVI), a software engineering firm specializing in custom application development for commercial and government customers. The Secure Decisions division of AVI specializes in cyber security research and development for the Department of Defense, Department of Homeland Security, and the Intelligence Community; that research has produced Code Dx, an Application Security Testing platform that integrates open source and commercial SAST and DAST technology for effective analysis and remediation of software vulnerabilities.

External Links