OWASP Long Island
Welcome to the Long Island chapter homepage.
Click here to join the local chapter mailing list.
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
News & Chapter Meeting
Thank you to all those who attended the November 17th meeting.
The OWASP Long Island chapter's last meeting was held Thursday, November 17th from 7pm-10pm. It was the first joint event between IEEE and OWASP participants. Dr. Kees Leune, an infosec expert and instructor organized and led a hands-on lab using a virtual network. Participants experienced first hand the most critical risks of web applications. We decided to continue this fun and learning experience in the next meeting sometime in January. Stay tuned!
Call For Topics & Speakers
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a LI board member.
2012 Meeting Schedule
The information on this page is subject to change
- Time: 7:00pm-9:30pm
- Location: Adelphi University
- Topics: OWASP top 10 Vulnerability Lab
- Date: Thursday, November 17
- Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University.
- Time: 7:00pm-9:30pm
- Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly.
- Meeting Agenda:
Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.
- Overview of BackTrack
- Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)
- Overview of the lab challenge (covers multiple owasp top 10 vulns)
Laptops are needed if you wish to participate in the lab exercise!
About the Speaker -
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.
- Date: Thursday, September 22, 2011
- Time: 6:30pm - 9:30pm
- Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000
- Topics & Speakers:
Helen Gao - Cross-site scripting, the most prevalent. Web application vulnerability:
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.
About the Speaker - Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.
Round Table Discussions Coordinated by Ryan Behan:
Topics - Recent Attack on Infraguard Website. Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?
About the Speaker - Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure.
- Date: Saturday, May 14, 2011
- Time: 12:30pm - 3:30pm
- Location: Student Center, Hosftra University, Hempstead, NY 11549-1000
- Topics & Speakers:
Robert Gezelter -
Minimum Necessary Implementation: Reducing Attack Surface increase Security
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers. We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect
Date: 3/27/2011 Sunday
Place: 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753
Rajendra Umadas, OWASP Member
Intro to the OWASP Mobile Project
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.
Dan Guido, OWASP NY/NJ Board Member
The Exploit Intelligence Project
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.
WebScarab Demo / Web Vulnerabilities Intro WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.
Free pizza and beverage will be provided. After event networking will be held at a local bar.