Difference between revisions of "Los Angeles"

From OWASP
Line 23:

Old revision:

----

----

==== Topic: passw3rd ====

We all know passwords in source code is bad. What many don't know is that passwords in other files are bad too. Moving your passwords to config files, symlinked directories, to even requiring a password to be typed in upon launch is just silly. Passw3rd is a ruby and java client to create encrypted files which contain your passwords that can be read by source code. Passwords can be checked into SCM and distributed. The keys are generated per environment and locked down with simple OS RBAC. Included with the project is a POC which uses HSMs to store the passwords, and using passw3rd for the "master" password for that role.

Some advantages of keeping credentials out of source code are:

Credentials are not passed around when source code is shared.
Unintentional exposure of source code does not reveal credentials.
Read-access to source code can be much more permissive.
Source code can be checked into version control systems without concern for exposure of credentials.
It is easier to change credentials without having to worry about changing all instances.
Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

==== Speaker: Neil Matatall ====

more details forthcoming.

New revision:

----

----

==== Topic: passw3rd: friends don't let friends store passwords in source code ====

Passw3rd is a encryption library intended to encrypt and store passwords outside of source code. This is a problem that has been solved in hundreds of half-baked ways, or it is a problem that is often overlooked.

Some advantages of keeping credentials out of source code are:

Credentials are not passed around when source code is shared.
Unintentional exposure of source code does not reveal credentials.
Read-access to source code can be much more permissive.
Source code can be checked into version control systems without concern for exposure of credentials.
It is easier to change credentials without having to worry about changing all instances.
Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

https://github.com/oreoshake/passw3rd
http://rubygems.org/gems/passw3rd

==== Speaker: Neil Matatall ====

Neil Matatall is an independent contractor who has an equal background in development and information security. After graduating from UC Irvine with a specialization in networks and distributed systems, Neil entered the workforce and became heavily involved in communities. After becoming the leader for the OWASP Orange County chapter, Neil helped organize two conferences including AppSec USA 2010. He was also a part of the OWASP Summit of 2011. Neil's new work is focused on Rub, logging, and analytics with a strong interest in Ruby on Rails.

==== Topic: Coming Soon ====

==== Speaker: Coming Soon ====

more details forthcoming.

Revision as of 16:43, 8 November 2011


Local News

Sign up for OWASP Los Angeles mailing list, very low volume and spam free.
https://lists.owasp.org/mailman/listinfo/owasp-losangeles

funds to OWASP earmarked for Los Angeles.


Next Chapter Meeting: Wednesday, November 30, 2011, 7:00 P.M. - 9:00 P.M. (Note different date)

Great talks and free catered dinner for all attendees!

Location:

Symantec
900 Corporate Pointe (just off of Slauson)
Culver City, CA 90230

Please RSVP: http://owasp-november2011.eventbrite.com



Topic: passw3rd: friends don't let friends store passwords in source code

Passw3rd is an encryption library intended to encrypt and store passwords outside of source code. This is a problem that has been solved in hundreds of half-baked ways, or simply overlooked.

Some advantages of keeping credentials out of source code are:

Credentials are not passed around when source code is shared.
Unintentional exposure of source code does not reveal credentials.
Read-access to source code can be much more permissive.
Source code can be checked into version control systems without concern for exposure of credentials.
It is easier to change credentials without having to worry about changing all instances.
Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.
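To make the idea concrete, here is an added illustration (not passw3rd's own code, and not its file format or API): a password is encrypted into a file that can be committed, while the per-environment key stays outside the source tree and is locked to its owner with plain file permissions, the way the talk abstract describes. The module name PasswordVault, the three-line file layout, the use of AES-256-GCM from Ruby's OpenSSL binding, and the sample password are all assumptions made for this example. Authenticated encryption is used deliberately so that a modified ciphertext file is rejected rather than decrypted to garbage, and the key loader refuses a key file that is group- or world-readable.

```ruby
# Added illustration (not passw3rd's own code): a minimal "encrypted password file"
# flow. The key lives outside the source tree and is locked to its owner; the .enc
# file is safe to commit because it holds only AES-256-GCM ciphertext plus the
# IV and authentication tag.
require 'openssl'
require 'tmpdir'

module PasswordVault # hypothetical name, not passw3rd's API
  KEY_BYTES = 32
  AAD = 'password-vault-v1' # binds the file-format version into the auth tag

  # Create a fresh random key for one environment and restrict it to the owner.
  def self.generate_key(key_path)
    raw = OpenSSL::Random.random_bytes(KEY_BYTES)
    File.open(key_path, 'w', 0o600) { |f| f.write([raw].pack('m0')) } # m0 = strict base64
    File.chmod(0o600, key_path) # umask may have widened the mode on creation
    key_path
  end

  # Refuse to use a key that anyone other than its owner can read.
  def self.load_key(key_path)
    mode = File.stat(key_path).mode & 0o777
    if (mode & 0o077) != 0
      raise "key #{key_path} is group/world accessible (mode #{format('%04o', mode)})"
    end
    File.read(key_path).unpack1('m0')
  end

  # Encrypt one password into a three-line file: base64(iv), base64(tag), base64(ct).
  def self.encrypt_to_file(key_path, enc_path, password)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = load_key(key_path)
    iv = cipher.random_iv # 12 random bytes; never reused with the same key
    cipher.auth_data = AAD
    ciphertext = cipher.update(password) + cipher.final
    File.write(enc_path, [iv, cipher.auth_tag, ciphertext].map { |b| [b].pack('m0') }.join("\n"))
    enc_path
  end

  # Decrypt at runtime. A wrong key or any modified byte raises OpenSSL::Cipher::CipherError.
  def self.read_password(key_path, enc_path)
    iv, tag, ciphertext = File.read(enc_path).split("\n").map { |l| l.unpack1('m0') }
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = load_key(key_path)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = AAD
    cipher.update(ciphertext) + cipher.final
  end
end

# Exercise the whole flow in a throwaway directory and report what happened.
def demo_roundtrip
  secret = 'correct horse battery staple' # constructed sample password
  Dir.mktmpdir do |dir|
    key = PasswordVault.generate_key(File.join(dir, 'production.key'))
    enc = PasswordVault.encrypt_to_file(key, File.join(dir, 'db_password.enc'), secret)
    recovered = PasswordVault.read_password(key, enc)

    # Flip one bit of the ciphertext: the GCM tag must reject the file.
    lines = File.read(enc).split("\n")
    ct = lines[2].unpack1('m0')
    ct.setbyte(0, ct.getbyte(0) ^ 0x01)
    lines[2] = [ct].pack('m0')
    File.write(enc, lines.join("\n"))
    tamper_detected = begin
      PasswordVault.read_password(key, enc)
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end

    # Loosen the key's permissions: load_key must refuse it.
    File.chmod(0o644, key)
    loose_key_rejected = begin
      PasswordVault.load_key(key)
      false
    rescue RuntimeError
      true
    end

    {
      recovered: recovered,
      enc_contains_plaintext: File.read(enc).include?(secret),
      tamper_detected: tamper_detected,
      loose_key_rejected: loose_key_rejected
    }
  end
end

puts demo_roundtrip.inspect if $PROGRAM_NAME == __FILE__
```

In a real deployment the key file would be provisioned once per environment (for example by the host's configuration management) to a path the application user owns, and only the .enc files would live in the repository; rotating a credential then means re-encrypting one file rather than editing code.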

Speaker: Neil Matatall

Neil Matatall is an independent contractor who has an equal background in development and information security. After graduating from UC Irvine with a specialization in networks and distributed systems, Neil entered the workforce and became heavily involved in communities. After becoming the leader for the OWASP Orange County chapter, Neil helped organize two conferences including AppSec USA 2010. He was also a part of the OWASP Summit of 2011. Neil's new work is focused on Ruby, logging, and analytics with a strong interest in Ruby on Rails.


Meeting Sponsor: AlgoSec

[AlgoSec logo]

Founded in 2003, AlgoSec enables security and operations teams to intelligently manage, analyze and optimize security policies within firewalls, routers and related devices. The software suite increases operational efficiency and improves risk mitigation for organizations worldwide. Today, more than 800 enterprises, MSSPs and auditors in over 40 countries and across all industry verticals use AlgoSec solutions. From mid-sized enterprises and Fortune 500 companies to all Big Four auditing firms, organizations choose AlgoSec for its unique combination of superior technology and commitment to customer satisfaction.



Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings, please submit your bio and talk abstract via email to Tin Zaw. If your talk is accepted, you will be required to use the OWASP PowerPoint template.


Other Events

OWASP Holiday Gathering December 14, 2011 6:30-8:30PM

  Downtown Daily Grill
  612 S. Flower Street • Los Angeles, CA 90017
  (213) 622-4500 • (213) 629-2974 (fax)
  downtowndg@dailygrill.com • www.dailygrill.com


ISSA-LA holds a lunch meeting on the 3rd Wednesday of each month; for more information visit www.issa-la.org.


Archives of Previous Meetings

2011 Meetings

2010 Meetings

2009 Meetings

2008 Meetings

List of presentations available from past meetings


Los Angeles Chapter


The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos

[AppSec USA logo]