Difference between revisions of "San Jose"

From OWASP
Jump to: navigation, search
(Next Meeting - Thursday, June 29, 2006)
(Next Meeting - Thursday, June 29, 2006)
Line 1: Line 1:
 
{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}
 
{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}
  
== Next Meeting - Thursday, June 29, 2006 ==
+
== Next Meeting - Thursday, August 10, 2006 ==
 
Open to the public, attendance is free
 
Open to the public, attendance is free
  
Line 7: Line 7:
 
6:00pm – 6:30pm      Check-in and reception (food & bev)<br/>
 
6:00pm – 6:30pm      Check-in and reception (food & bev)<br/>
 
6:30pm – 6:40pm      Chapter announcements<br/>
 
6:30pm – 6:40pm      Chapter announcements<br/>
6:40pm – 7:30pm      FoRMa for Secure Software Development, Kris Kahn, Seagate Technology<br/>
+
6:40pm – 8:00pm     The Next Generation of Vulnerable Applications, Alex Stamos, iSec Partners <br/>
7:35pm – 8:25pm     JavaScript Attacks & Intranet Applications, Jeremiah Grossman, WhiteHat Security<br/>
+
8:00pm 8:30pm     Open discussion & Networking<br/>
8:30pm 9:00pm     Open discussion & Networking<br/>
+
  
 
'''Venue:'''<br/>
 
'''Venue:'''<br/>
Line 17: Line 16:
  
  
'''Framework of Risk Management & Analysis (FoRMA) for Secure Software Development'''<br/>
+
'''The Next Generation of Vulnerable Applications'''<br/>
'''''Presented by: Kris Kahn, Sr. Governance Analyst, Seagate Technology'''''<br/>
+
'''''Presented by: Alex Stamos, Founding Partner, iSEC Partners'''''<br/>
'''Abstract:'''  We frequently apply Risk Management concepts in our daily lives, whether it’s driving in the rain on the freeway, or crossing a busy intersection.  It comes down to making a choice, taking a calculated risk to reach our objective. We decide quickly, making assumptions about the threats and about our environmentThe lessons we learn from our failures help us make wiser decisions next time, if we survive.
+
'''Abstract:'''  Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications.  Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in eachWe will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.  
 
 
Using a new Framework of Risk Management & Analysis (FoRMA) for Secure Software Development, we will be able to make better decisions by understanding our threats.  FoRMA will help us ensure that we have the appropriate level of protection to maximize our business objectives, increasing quality and minimizing cost.
 
  
 +
'''Bio:''' Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization.  Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.  He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.
 +
 +
Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake.  Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server.  He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks. 
  
'''Bio:''' Kris Kahn, CISSP-ISSAP,ISSMP, CISA, OPSA, currently a Sr. Governance Analyst at Seagate Technology. Passionate about security for more than 15 years, also worked for companies in the San Francisco Bay Area that include Autodesk, and Best Internet Communications. A CISSP since 2001, his key contributions include firewall architectures, risk management models, security assessment methodologies, and security awareness trainingKris has expertise in offensive, defensive and governance facets of security.
+
Alex has also worked in at a DoE National LaboratoryHe holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.  
 
+
 
+
'''JavaScript Attacks and Threats to Intranet Applications'''<br/>
+
'''''Presented by: Jeremiah Grossman, Founder and CTO, WhiteHat Security'''''<br/>
+
'''Abstract:''' Malicious JavaScript is capable of stealing cookies, capturing keystrokes, monitoring activity and planting root kits.  Attackers are using JavaScript to hijack browser sessions to commit bank fraud, hack other websites, or post derogatory comments in a public forum – all without traces, tracks or warning sirens. Web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.
+
 
+
Most assume while surfing the Web we are protected by firewalls that are isolated through private networks.  We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.  Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. 
+
 
+
The web browser of every user on an enterprise network becomes a stepping stone for intruders.  During this presentation we'll demonstrate a wide variety of cutting-edge web application attack techniques and describe best practices for securing websites and users against these threats.
+
 
+
You’ll see
+
 
+
    * Port scanning and attacking intranet devices using JavaScript
+
    * Blind web server fingerprinting using unique URLs
+
    * Discovery NAT'ed IP addresses with Java Applets
+
    * Stealing web browser history with Cascading Style Sheets
+
    * Best-practice defense measures for securing websites
+
    * Essential habits for safe web surfing
+
 
+
 
+
'''Bio:''' Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security and responsible for web application security R&D and industry evangelism. Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and other industry events. Jeremiah been published in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Prior to WhiteHat, Mr. Grossman served as an information security officer at Yahoo!.
+
 
+
 
   
 
   
Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini] or call 408-979-0571
+
Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]
  
  
 
This event is co-sponsored by [http://www.appsecconsulting.com AppSec Consulting, Inc]. and [http://www.whitehatsec.com WhiteHat Security, Inc.]
 
This event is co-sponsored by [http://www.appsecconsulting.com AppSec Consulting, Inc]. and [http://www.whitehatsec.com WhiteHat Security, Inc.]

Revision as of 11:03, 26 July 2006

OWASP San Jose

Welcome to the San Jose chapter homepage. The chapter leader is Brian Bertacini
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Next Meeting - Thursday, August 10, 2006

Open to the public, attendance is free

Agenda and Presentations:
6:00pm – 6:30pm Check-in and reception (food & bev)
6:30pm – 6:40pm Chapter announcements
6:40pm – 8:00pm The Next Generation of Vulnerable Applications, Alex Stamos, iSec Partners
8:00pm – 8:30pm Open discussion & Networking

Venue:
San Jose Hyatt (Airport)
1740 North First Street
San Jose, CA 95112


The Next Generation of Vulnerable Applications
Presented by: Alex Stamos, Founding Partner, iSEC Partners
Abstract: Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.


Bio: Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake. Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Alex has also worked in at a DoE National Laboratory. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

Please RSVP to via email Brian Bertacini, call 408-979-0571 or visit OWASP.Mollyguard.com


This event is co-sponsored by AppSec Consulting, Inc. and WhiteHat Security, Inc.