Next Event 23 Jan (Wednesday)
Location: Bellevue Las Margaritas
437 108th Ave NE
Bellevue, WA 98004
Waqas Nazir, V-Empower
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.
Presentation Title: Emerging threats in Web 2.0
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).
Chris Clark, iSEC Partners
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.
Presentation Title: Ruby on Rails Security
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.
Last Event 29 Nov (Thurs)
Location: Bellevue Las Margaritas
437 108th Ave NE
Bellevue, WA 98004
Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".
Presentation Title: Hunting security bugs in your code
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.
David E Stevens III, Senior ROI Analyst, Symplified Inc.
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.
Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!
2/28/2007 @ 6PM PST - Seattle chapter meeting
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)
Time: 6 o’clock.
- Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:
- Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).
- OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
- 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.
- Brad Hill (Senior Security Consultant with iSEC Partners), will be speaking on:
- XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.
1/8/2007 @ 6 o'clock - Seattle chapter meeting.
Details:
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)
Time: 6 o’clock.
Ward Spagenberg of IOActive on the topic "Unraveling PCI".
Since there will be free food, beer and pop please let Mike de Libero know so we know how much to order. We look forward to seeing you all there!