Difference between revisions of "Rhode Island"

From OWASP
Jump to: navigation, search
(21 intermediate revisions by one user not shown)
Line 1: Line 1:
 
{{Chapter Template|chaptername=Rhode Island|extra=The chapter leader is [mailto:patrick.laverty@owasp.org Patrick Laverty].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-rhodeisland|emailarchives=http://lists.owasp.org/pipermail/owasp-rhodeisland}}
 
{{Chapter Template|chaptername=Rhode Island|extra=The chapter leader is [mailto:patrick.laverty@owasp.org Patrick Laverty].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-rhodeisland|emailarchives=http://lists.owasp.org/pipermail/owasp-rhodeisland}}
  
 +
=LinkedIn Group=
 +
Please join our LinkedIn Discussion group and join in the conversation: [http://www.linkedin.com/groups/OWASPRhode-Island-4895793?trk=myg_ugrp_ovr LinkedIn Discussions]
  
 +
=ListServ=
 +
Please join our listserv (link on the left "Mailing Lists") and find out about upcoming meetings. This is a "push-only" list and will only be used for meeting announcements and membership list is never shared with anyone.
  
We also already have our July speaker to announce as well, Brandon Levene will talk to us about a "Basic Malware Analysis Primer". More details to come, but look for that meeting on July 17th.
+
=OWASP AppSecUSA=
 +
Please consider attending AppSec USA, OWASP's national conference. It will be held this year in Times Square in the heart of New York City, at the Marriott Marquis hotel from November 18-21. There is even a discount for registering early. You can get all the conference information here at [http://www.appsecusa.org AppSec USA]
  
See you on June 4th and have a great holiday weekend!
+
= Next Meeting =
 +
'''September 23, 5:45 pm
 +
JavaScript Verification: From Browsers to Pages<br />
  
== Next Meeting ==
+
<p>Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer.  This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser.  I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions.  I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.</p>
'''Tuesday October 9, 6:45 pm'''
+
 
'''The Evolution of the Information Security Management Function'''<br />
+
<p>Bio:  Benjamin Lerner is a post-doctoral researcher in the PLT group at Brown University, and soon to be a lecturer at Northeastern UniversityHis research examines the challenges of analyzing client-side web programming, from the behavior of web pages down through the semantics of the browser.  He received a PhD in Computer Science from the University of Washington in 2011, building a platform to analyze conflicts between browser extensions, and a B.S. in Computer Science and Mathematics from Yale University.</p>
Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rulesIn this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.<br />
+
 
David Sherry, CISO, Brown University<br>
+
Food and beverages will be provided by our host and sponsor, [http://www.swipely.com Swipely]!
 +
 
 +
== Location ==
 +
Swipely Headquarters
 +
 
 +
39 Pike Street (sole building in median between al Forno and the Shell station)
  
'''Location:'''<br>
 
Brown University Continuing Education
 
200 Dyer Street
 
 
Providence, RI
 
Providence, RI
[https://maps.google.com/maps?q=200+Dyer+Street,+Providence+ri&ie=UTF-8&hq=&hnear=0x89e44515a1d257ab:0xb73c2a45e92559d9,200+Dyer+St,+Providence,+RI+02903&gl=us&ei=FMrHT5jnPObN6QGlz7XRDw&oi=geocode_result&ved=0CAsQ8gEwAA|map]
 
  
== Future Meetings ==
 
  
  '''Tuesday November 6, 6:45 pm'''
+
= Past Meetings =
 +
 
 +
  '''Monday, April 15, 5:45 pm
 +
Evolving WAS - Taking remediation to the next level<br>
 +
 
 +
<p>It will be presentation and discussion around some of the things he has found helpful in building and evolving security programs over the past few years. It will cover everything around building a program from the low level like scan engine choice, all the way to the high level needs like senior management buy-in techniques to establish a sustainable program. By Nick MacCarthy</p>
 +
 
 +
 
 +
'''Monday March 4, 5:45 pm
 +
 
 +
Hands-on Hacking<br>
 +
 
 +
<p>If you remember our March 2012 meeting, we had Allison Nixon come and show us how to use SQL injection to get access to a web database, as well as how to prevent it. We learned how to think like a hacker. We'll we're going to bring that back and do something similar. Except this time, we're going to make it even more fun by turning it into a sort of capture the flag. We'll stay educational and non-competitive, and we'll aim to have multiple levels of flags to obtain.<p>
 +
 
 +
<p>We will look to have a lecture/lesson portion on SQL injection, then the hands-on time. We will then try to repeat the process for Cross-Site Scripting (XSS) where you can learn and play with the dangers of this vector.</p>
 +
 
 +
<p>Please bring your own laptop to be involved with the lessons. As always, we are demonstrating these techniques to help developers think like the attackers and so we can better understand the vectors and better understand how to protect our sites and code. OWASP, the organizers and sponsors do not condone illegal activity.  We also remind you to never use these techniques against a site or network that you either do not own or do not have explicit, written permission to perform them on. In other words, don't blame us if you get arrested.</p>
 +
 
 +
'''Wednesday November 7, 5:45 pm'''
 
PCI in the Cloud<br>
 
PCI in the Cloud<br>
 +
<p>Interested in cloud security and compliance?  Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort.  At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank.  Learn how a startup can achieve Level 1 PCI Compliance through isolation, technology selection, and aggressive automation, all while promoting a security-conscious and agile engineering culture.</p>
 
Bright Fulton - [Swipely | http://www.swipely.com]/<br />
 
Bright Fulton - [Swipely | http://www.swipely.com]/<br />
 
200 Dyer Street, Providence, RI
 
200 Dyer Street, Providence, RI
  
== Past Meetings ==
+
'''Tuesday October 9, 6:45 pm'''
 +
'''The Evolution of the Information Security Management Function'''<br />
 +
Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rules.  In this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.<br />
 +
David Sherry, CISO, Brown University<br>
  
 
  '''Tuesday September 18, 6:45 pm'''
 
  '''Tuesday September 18, 6:45 pm'''

Revision as of 07:44, 9 September 2013

Contents

OWASP Rhode Island

Welcome to the Rhode Island chapter homepage. The chapter leader is Patrick Laverty.
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

LinkedIn Group

Please join our LinkedIn Discussion group and join in the conversation: LinkedIn Discussions

ListServ

Please join our listserv (link on the left "Mailing Lists") and find out about upcoming meetings. This is a "push-only" list and will only be used for meeting announcements and membership list is never shared with anyone.

OWASP AppSecUSA

Please consider attending AppSec USA, OWASP's national conference. It will be held this year in Times Square in the heart of New York City, at the Marriott Marquis hotel from November 18-21. There is even a discount for registering early. You can get all the conference information here at AppSec USA

Next Meeting

September 23, 5:45 pm

JavaScript Verification: From Browsers to Pages

Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer. This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser. I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions. I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.

Bio: Benjamin Lerner is a post-doctoral researcher in the PLT group at Brown University, and soon to be a lecturer at Northeastern University. His research examines the challenges of analyzing client-side web programming, from the behavior of web pages down through the semantics of the browser. He received a PhD in Computer Science from the University of Washington in 2011, building a platform to analyze conflicts between browser extensions, and a B.S. in Computer Science and Mathematics from Yale University.

Food and beverages will be provided by our host and sponsor, Swipely!

Location

Swipely Headquarters

39 Pike Street (sole building in median between al Forno and the Shell station)

Providence, RI


Past Meetings

Monday, April 15, 5:45 pm

Evolving WAS - Taking remediation to the next level

It will be presentation and discussion around some of the things he has found helpful in building and evolving security programs over the past few years. It will cover everything around building a program from the low level like scan engine choice, all the way to the high level needs like senior management buy-in techniques to establish a sustainable program. By Nick MacCarthy


Monday March 4, 5:45 pm

Hands-on Hacking

If you remember our March 2012 meeting, we had Allison Nixon come and show us how to use SQL injection to get access to a web database, as well as how to prevent it. We learned how to think like a hacker. We'll we're going to bring that back and do something similar. Except this time, we're going to make it even more fun by turning it into a sort of capture the flag. We'll stay educational and non-competitive, and we'll aim to have multiple levels of flags to obtain.<p> <p>We will look to have a lecture/lesson portion on SQL injection, then the hands-on time. We will then try to repeat the process for Cross-Site Scripting (XSS) where you can learn and play with the dangers of this vector.

Please bring your own laptop to be involved with the lessons. As always, we are demonstrating these techniques to help developers think like the attackers and so we can better understand the vectors and better understand how to protect our sites and code. OWASP, the organizers and sponsors do not condone illegal activity. We also remind you to never use these techniques against a site or network that you either do not own or do not have explicit, written permission to perform them on. In other words, don't blame us if you get arrested.

Wednesday November 7, 5:45 pm

PCI in the Cloud

Interested in cloud security and compliance? Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort. At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank. Learn how a startup can achieve Level 1 PCI Compliance through isolation, technology selection, and aggressive automation, all while promoting a security-conscious and agile engineering culture.

Bright Fulton - [Swipely | http://www.swipely.com]/
200 Dyer Street, Providence, RI

Tuesday October 9, 6:45 pm

The Evolution of the Information Security Management Function
Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rules. In this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.
David Sherry, CISO, Brown University

Tuesday September 18, 6:45 pm

There is No Patch For Human Stupidity
Darren will come and show us all the fun and foibles that come with the confidence game, also known as social engineering. Learn how to look out for people just trying to get information from you and steal all your secrets. Outsmart the smart people by just saying no.
Darren Wigley, NWN Corporation

Tuesday August 21, 6:45 pm

Finding All The Ninjas in the Forrest: Web Application Testing Strategies Revisited
Have you ever wondered what you might miss if an organization had over 800 web applications? How do you know where all your web applications exist? What if your targets built in traps for you to fall into? Finding, discovering, enumerating and testing for web application vulnerabilities is a tedious process. To top it all off, the remediation is rarely as easy as applying a patch or updating a configuration setting. Learn some tips and tricks to conduct more effective web application tests and help with remediation efforts. Paul Asadoorian - PaulDotCom (http://www.pauldotcom.com)

Tuesday July 17, 6:45 pm

Practical Malware Analysis 101 Brandon Levene - Dell SecureWorks This will be an introduction to modern malware as the primary vector of intrusions. Detection of malware is crucial, and equally important is being able to differentiate between true and false positives. During this talk I will introduce techniques used by the industry to identify potentially malicious software without disassembly or debugging. Location: Brown University Continuing Education 200 Dyer Street Providence, RI [1]

Monday June 4, 6:45 pm

Our next meeting is Monday, June 4, 6:45 pm at Swipely's headquarters in Providence's Jewelry District. The address is 39 Pike St in Providence (Google maps shows the church, but that's not it). The building also faces Benefit Street, across from Al Forno and has a billboard on the roof, near the Shell station. Come in through the side entrance.

You are all among the first to hear the great news about the Providence Web Application Security Group. As of April 25, we were granted chapter status with the Open Web Application Security Project (OWASP) for Rhode Island. This is a great development and you can find out more about OWASP at http://www.owasp.org

But if you don't want to surf the site to learn more, no worries, just come to the next meeting on Monday, June 4 to hear Tom Brennan from the OWASP International Board of Directors (via videoconference) tell us all about OWASP and everything they do and everything that is available to you. One of the best parts about OWASP is everything they do is FREE! They have free security tools, some free books, some free training, free videos, free meetings to attend and it's free to participate and contribute to new projects.

Also at the meeting, in keeping with the OWASP Security Blitz we will also have Paul McAndrew from Dell's Secureworks group to talk about Cross Site Scripting (XSS). Paul is a Security Analyst at Dell SecureWorks responsible for analysis and event management on thousands of IDS/IPS/WAF devices deployed globally. This broad view of the Internet gives insight into the current threat landscape and new threats as they are emerging. Paul has been a security hobbyist for over 10 years, with a specific interest in network and web application security.