- 1 OWASP Orange County
- 2 Participation
- 3 Sponsorship/Membership
- 4 Sponsor
- 5 Local News
- 5.1 Future Meetings
- 5.2 Previous Meetings
- 5.2.1 September 14th 2011 7PM
- 5.2.2 June 29th 2011 7PM
- 5.2.3 January 28th, 2011
- 5.2.4 Thursday, January 21st 2010
- 5.2.5 Thursday December 17th 2009
- 5.2.6 Thursday, November 19th 2009
- 5.2.7 Wednesday, October 14th 2009
- 5.2.8 Thursday, September 17th, 2009 7:30PM
- 5.2.9 Apr 30, 2009 6:30PM-8:30PM
- 5.2.10 Feb 19, 2009 6:30PM-8:30PM
- 5.2.11 Dec 17, 2008 6PM - 9PM
- 5.2.12 Aug 27, 2008, 7 PM - 9 PM
- 6 Orange County OWASP Board Members
OWASP Orange County
Click here to join the local chapter mailing list.
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? The chapter leaders are Neil Matatall, Rob LaViolette, and Shong Chong.
Follow OWASP OC on Twitter: https://twitter.com/OWASPOC for the latest news (so I don't spam your inboxes)
March 21st 2012 7PM
When: March 21st 7pm
Where: Irvine - 5151 California Ave, Irvine, CA 92617
Loose Schedule: 7:00 - 7:30: Introduction and networking 7:30 - 8:30: Presentation
Keeping Up With Web Based OSes: Security in the Dawn of the Mobile Age:
"What time is it?" Check your iPhone. "How much money is in my bank account?" Check your iPhone. Everywhere, the smart phone and the "anywhere" Internet have changed the way we function. This also means our approaches to security need to shift fundamentally. Old relics like firewalls are the least of our concerns now that hundreds of applications can be stored on one centralized server and accessed by millions at any one time. Simplified OSs, the need for instant data, and demand for new services are driving the security industry to new places, but how do we keep up? This presentation will address the pitfalls of mobile application security. Specifically, Matt has conducted extensive real-world impact research surrounding Google's ChromeOS and has discovered a slew of serious and fundamental security design flaws. With no more than a single mouse-click users maybe be victimized by various methods, including: • Exposing all user email, contacts, and saved documents. • Conducting high speed scans their intranet work and revealing active host IP addresses. • Spoofing messaging in their Google Voice account. • Taking over their Google account by stealing session cookies, and in some case do the same on other visited domains. With the cloud and Web-based operating systems poised to make an impact on our computing future, Matt will share his research through a series of live demonstrations of these new attack pathways.
Matt Johansen is the head of the Threat Research Center at WhiteHat Security where he leads a group of 50+ web hackers and oversees & assesses more than 5,700 web applications for many Fortune 500 companies across a range of technologies. He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.
September 14th 2011 7PM
When: Wednesday September 17th 7pm Where: TBD (Irvine) http://www.meetup.com/ocrails/events/30043551/
Loose Schedule: 7:00 - 7:30: Introduction and networking 7:30 - 8:00: Brakeman with Justin Collins 8:00 - 8:15: Lightning Rounds 8:15 - 8:30: Brakeman Demo
Brakeman with Justin Collins: While the popular Ruby on Rails web framework provides built-in protection for many security vulnerabilities, it is still possible to misuse these features or introduce other vulnerabilities to an application. Brakeman is a static code analysis tool designed specifically to find vulnerabilities and configuration issues in Ruby on Rails applications. Since it works at the source code level, Brakeman can be used at any point in development without the need for deploying the full application stack. To make it even simpler, Brakeman can be integrated with Hudson/Jenkins to provide automatic monitoring of Brakeman results as code is committed. This talk will discuss how to use Brakeman and how it can help you create safer Rails applications.
Neil Matatall: Friendly_id + ancsetry
Drew Deponte: Guard, spork, BDD
June 29th 2011 7PM
When: Wednesday june 29th, 2011 7pm
Where: HireRight Offices 5151 California Avenue Irvine, CA 92617
Pizza and refreshments will be provided by the sponsors of this meeting.
Featuring analysis of more than 220 data breach investigations and more than 2,300 penetration tests conducted by Trustwave's SpiderLabs, the Global Security Report 2011 identifies the top vulnerabilities business encountered in 2010 as well as a list of strategic initiatives to help your business improve its overall security.
The data gathered from these engagements is substantial and comprehensive. This presentation will be a summary of the results of the analysis of the data gathered during 2010. The results will be presented both technical and business impact analysis.
Charles Henderson, Director of Application Security Services of SpiderLabs at Trustwave
Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services.
Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe.
Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.
January 28th, 2011
Registration link: 
Time: 1 PM - 5PM
5151 California Ave
Irvine, California 92617
Topics: Threat Modeling, Application Security
Online Privacy and the Evercookie
Samy Kamkar has lectured on computer security issues in over a dozen countries, and his work has been featured on the front page of the New York Times. As a grey-hat hacker, he makes and breaks computer security for tech companies. In addition to his independent security research, he co-founded Fonality, an IP PBX company.
Back to Basics: Defensive Coding Principles for Web Development 101
The application security community is in deep need of prescriptive solutions for developers. This talk will review the world of Web Application Security from a "builder" point of view, focusing on critical controls that all developers must master if they wish to build low risk web applications today.
Jim Manico is the chair of the OWASP Connections committee where he focuses on producing and hosting the OWASP Podcast. Jim also is a co-manager of the OWASP ESAPI Open Source project. Professionally, Jim is an independent application security architect specializing in the construction of low-risk web applications. Jim is also an application security educator and assessment specialist.
Edward Bonver Talk Title:
Threat Modeling at Symantec File:OWASP-WWW-2011-Edward-Bonver-Threat-Modelint-at-Symantec.pptx
Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we’ll take a look at why Threat Modeling is so important; we’ll explore the process behind it, and how the process is being implemented and followed across Symantec.
Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks.
Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master’s degree in computer science from California State University, Northridge, and a bachelor’s degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.
Thursday, January 21st 2010
Time: 7:30 Location: We will be meeting in the Anteater Instruction and Research Building on the UC Irvine campus. The building itself is inside of the Anteater Parking Structure at the corner of E. Peltason Dr and Anteater Dr and is room number 1020. Parking is $7 but feel free to park off campus and walk to the building. http://www.oit.uci.edu/computing/labs/training.html Buliding #653 in quadrant H9 on the campus map - http://today.uci.edu/pdf/UCI_09_map_campus_core.pdfBD
For those who would like to avoid paying for parking, you can park in the University Center and take the campus shuttle: http://www.shuttle.uci.edu/maincampus/index.php
The shuttle runs until 10:45PM. The shuttle costs $1 per ride, but fees are rarely collected ;)
Title: Do VLANs allow for good application security?
Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.
I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world.
David M. N. Bryan Senior Security Consultant
David has over 9+ years of computer security experience including, consulting, engineering and administration. He has performed security assessment projects for health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON where he designs and implements the Firewall and Network for what is said to be the most hostile network environment in the world.
He is also an active participant in the local Minneapolis security groups both as a board member of OWASP MSP and DC612. His roots and experience come from working for a large enterprise banks, designing and managing enterprise security systems. In the more recent years he has been working as an Information Security Consultant to review the security and architecture of information computing environments.
Thursday December 17th 2009
7:30 PM, UC Irvine Campus, Room AIRB 1020
We will be meeting in the Anteater Instruction and Research Building on the UC Irvine campus. The building itself is inside of the Anteater Parking Structure at the corner of E. Peltason Dr and Anteater Dr and is room number 1020. Parking is $7 but feel free to park off campus and walk to the building. http://www.oit.uci.edu/computing/labs/training.html Buliding #653 in quadrant H9 on the campus map - http://today.uci.edu/pdf/UCI_09_map_campus_core.pdf
Title: Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications
As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.
Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given we application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.
Michael Sutton Vice President, Security Research – Zscaler
Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.
Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.
Thursday, November 19th 2009
When: November 19th 2009, 7:30PM Where: Gina's Pizza, Irvine Topics: Facebook privacy, web application firewalls, penetration testing, the reluctance for hackers to execute attacks, and random new technology. Announced OWASP OC/LAs intention to submit a proposal for AppSec 2010.
Wednesday, October 14th 2009
Separate meetings will be held for OWASP OC and OWASP@UCI (student group).
When: Wednesday 10/14 7:30PM Where: Steelhead Brewery Topics: News, Ideas, Chit-chat
This is a restaurant/bar with plenty of seating, but room for a projector is out of the question so this would be an informal round table discussion.
I have a presentation I'm working on regarding WAFs and Vulnerability Assessment Tools. If it pleases the group, I'd love to go over the presentation and discuss everyone's experiences. Also, it's a great way to get feedback :)
I'm open to suggestions of any kind: location, time, topics, etc
Thursday, September 17th, 2009 7:30PM
Location: UC Irvine Building: Calit2 building,building number 325 in quadrant H8 on the UC Irvine Map Room: 3008
Parking will be $7. Please park in the Anteater Parking Structure
I can only unofficially say that if you park in the nearby shopping centers and walk, you may be able to park for free.
- The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks
Apr 30, 2009 6:30PM-8:30PM
Brooklyn Pizza Works, 1235 East Imperial Highway, Placentia, CA
Our fourth OC OWASP meeting will be an informal, roundtable discussion of current application security issues. Feel free to bring some ideas, code, slides, etc to contribute to the discussion. Hope to see everyone there!
Feb 19, 2009 6:30PM-8:30PM
Brooklyn Pizza Works, 1235 East Imperial Highway, Placentia, CA
Come talk application security at the third OWASP OC meeting. We'll discuss current application security topics and chapter issues over pizza. We have a room booked for 15-20 people so we'll be able to rant without disturbing the patrons :) See you there! Presentation Slides
Dec 17, 2008 6PM - 9PM
Microsoft Campus Room MPR1, 3 Park Plaza, Suite 1600, Irvine, CA, 92614
This meeting will be a roundtable discussion of application security news, plus a few OWASP-themed challenges with prizes. Pizza will be provided and we'll head to the Yard House after the meeting.
Aug 27, 2008, 7 PM - 9 PM
603 Valencia, Brea, CA 92822
Come meet up with web security professionals, have some pizza, and offer your thoughts for the direction of the OC chapter at our inaugural meeting! We are looking for speakers and venue sponsors for the next meeting. If you are interested, please contact the chapter leaders. Everyone is welcome to join us at our chapter meetings.
Orange County OWASP Board Members
- Orange County Co-President Neil Matatall
- Orange County Co-President Shong Chong
- Orange County Co-President Rob LaViolette
- Orange County Treasurer: [mailto: TBD]
- Orange County Recording Secretary: [mailto: TBD]
- Orange County Board Member [mailto: TBD]
- Orange County Board Member: [mailto: TBD]
- Orange County Board Member: [mailto: TBD]