Difference between revisions of "Tampa"

From OWASP
Revision as of 11:25, 27 November 2012

Welcome to the OWASP Tampa Local Chapter

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-tampa

If you have any questions about the Tampa chapter, please send an email to the chapter leader Justin Morehouse (http://scr.im/mascasa).

The Tampa chapter is sponsored by GuidePoint Security (http://www.guidepointsecurity.com).

Join the OWASP Tampa LinkedIn group at http://www.linkedin.com/groups?about=&gid=2897535&trk=anet_ug_grppro

A reminder that CISSPs can earn 1 CPE credit for every hour of attendance at OWASP meetings.

Next Meeting

Our next meeting will be held on Monday, December 17 from 6 PM to 8 PM. There will be two presentations at this meeting. First, Bryan Orme, VP of Information Assurance at GuidePoint Security (http://www.guidepointsecurity.com), will be presenting "How to Hack Web Applications for Profit (And How to Prevent Yours From Being Hacked)." We are currently looking for one additional speaker to present at the meeting. If you are interested in presenting, please email Justin Morehouse (http://scr.im/mascasa). The presentation abstract and speaker bio are below.

The following is an agenda for our next meeting:

  • 5:45 PM to 6:00 PM - Check-in
  • 6:00 PM to 6:45 PM - First Presentation
  • 6:45 PM to 7:00 PM - Break
  • 7:00 PM to 7:45 PM - Second Presentation
  • 7:45 PM to 8:00 PM - Open Discussion Forum

Please RSVP to Justin Morehouse (http://scr.im/mascasa) BEFORE 12/14 to be added to the security list.

How to Hack Web Applications for Profit (And How to Prevent Yours From Being Hacked)

Abstract

The constant barrage of breaches that we've seen over the past several years has made two things very clear: every organization is at risk and every web application is a target. As a security professional, it does not matter whether breaches are brought about by hacktivists such as LulzSec or Anonymous, by criminally minded hackers, or by nation-state sponsored attacks; the consequences of vulnerable web applications can wreak havoc on your company. Attackers are determined, inventive and patient, while your organization's application portfolio is dynamic, vulnerable and always connected to the Internet. This presentation will discuss why web applications are vulnerable and why they're under attack, and provide an overview of the most common vulnerabilities found in web applications. Attendees will leave with an understanding of how web applications are attacked, the most common vulnerabilities found in web applications, and how to prevent these vulnerabilities from being identified and exploited in your own web applications.

Speaker Bio

Bryan Orme, Vice President, Information Assurance – Bryan has over 12 years of working experience in the information security field, primarily focusing on Security Program Strategy, PCI DSS, Application Security, Vendor Management, and Project Consulting. Before joining GuidePoint, Bryan was the Director of Information Security for Capital One, where he built and led the Application Security and PCI DSS Programs and was a member of the Scoping and Encryption Special Interest Groups of the PCI Security Standards Council. He earned a BS from James Madison University and an MBA from the Robert H. Smith School of Business at the University of Maryland and holds QSA, CISSP and CISM certifications.

Meeting Location

Our next meeting will be held at the Kforce (http://www.kforce.com) building in Ybor. The address is:

1001 East Palm Ave. Tampa, FL 33605 (map: http://maps.google.com/maps?q=1001+East+Palm+Ave.+Tampa,+FL+33605&ll=27.962452,-82.449324&spn=0.008908,0.01929&oe=UTF-8&fb=1&gl=us&cid=0,0,7292050205277130420&z=16&iwloc=A)

Park in the Visitor spaces in the main parking lot that is off of East Palm Avenue. You will need to identify yourself at the security desk and ask how to get to Training Room B.

Presentation Archives

2012-Q3 - Taming the B.E.A.S.T. - Richard Newman - Presentation Slides: https://www.owasp.org/images/1/10/Taming_the_B.E.A.S.T..pdf

OWASP Tampa Day 2012 - Changing the Game - Jason Kent - Presentation Slides: https://www.owasp.org/images/0/04/OWASP_Changing_the_Game_-_Jason_Kent.pdf

OWASP Tampa Day 2012 - MDM Technical Presentation - Keith Katz - Presentation Slides: https://www.owasp.org/images/a/a4/Zenprise_Technical_Presentation_-_Keith_Katz.pdf

OWASP Tampa Day 2012 - Federated Identities in the Real World - Nathan Sargent - Presentation Slides: https://www.owasp.org/images/7/78/Federated_Identities_in_the_Real_World_-_Nathan_Sargent.pdf

OWASP Tampa Day 2012 - Define and Optimize Your Approach to Application Security - Bruce Jenkins - Presentation Slides: https://www.owasp.org/images/8/8a/Define_and_Optimize_Your_Approach_to_Application_Security_-_Bruce_Jenkins.pdf

OWASP Tampa Day 2012 - Anonymous: Lessons Learned - Bill Church - Presentation Slides: https://www.owasp.org/images/a/a1/Anonymous_-_Lessons_Learned_-_Bill_Church.pdf

2012-Q1 - Protecting Against SQLi in Real-Time - Stuart Hancock - Presentation Slides: https://www.owasp.org/index.php/File:DBN-OWASP_Presentation.pdf

2011-Q4 - How Not to Build Android Apps - Jack Mannino - Presentation Slides: https://www.owasp.org/images/8/86/HowNotToBuildAndroidApps2.pdf

2011-Q4 - Behind Enemy Lines: Practical & Triage Approaches to Mobile Security Abroad - Justin Morehouse - Presentation Slides: http://www.slideshare.net/mascasa/behind-enemy-lines-practical-triage-approaches-to-mobile-security-abroad

2011-Q3 - Hiding in Plain Sight - Ramece Cave - Presentation Slides: https://www.owasp.org/images/2/28/Hiding_in_Plain_Sight.pdf

2011-Q3 - PCI Compliance 2.0 - Kate Mullin - Presentation Slides: https://www.owasp.org/images/6/67/PCI_Compliance_9_2011.pdf

OWASP Tampa Day 2011 - PCI for Developers: Lessons from the Real World - Trevor Hawthorn - Presentation Slides: https://www.owasp.org/images/f/f7/OTD2011-TH.pdf

OWASP Tampa Day 2011 - Top Website Vulnerabilities: Trends, Business Effects and How to Fight Them - Rinaldi Rampen - Presentation Slides: https://www.owasp.org/images/a/aa/OTD2011-RR.pdf

OWASP Tampa Day 2011 - How to Defend the Universe from Evil-doers: A Guide for Software Developers and Security Teams - Bruce Jenkins - Presentation Slides: https://www.owasp.org/images/1/12/OTD2011-BJ.pdf

OWASP Tampa Day 2011 - Analysis of Deadly Combination of XSS and CSRF - Sherif Koussa - Presentation Slides: https://www.owasp.org/images/8/8c/OTD2011-SK.pdf

2011-Q1 - Real Lessons of Deploying Static Analysis in Development Groups - Jeff LoSapio - Presentation Slides: http://www.owasp.org/images/3/3b/TampaOWASP_March2011.pdf

2011-Q1 - Intelligence Gathering for Penetration Testers: Opening Doors with Metadata - Chris Patten - Presentation Slides: http://www.owasp.org/images/a/ae/Intel_pen_owasp_Q1_2011.pdf

2011-Q1 - Vulnerability Management in an IPv6 World - Richard Newman & Brett McKinney - Presentation Slides: http://www.owasp.org/images/f/fa/Vulnerability_Scanning_in_an_IPv6_World.pdf

2010-Q4 - Nessus Bridge for Metasploit - Zate Berg - Presentation Slides: http://www.scribd.com/doc/41173753/Nessus-Bridge-for-Metasploit

2010-Q2 - Stealing Guests...The VMware Way - Justin Morehouse & Tony Flick - Presentation Slides: http://www.fyrmassociates.com/pdfs/Stealing_Guests_The_VMware_Way-ShmooCon2010.pdf

2010-Q1 - The New World of Smartphone Security - Trevor Hawthorn - Presentation Slides: http://www.stratumsec.net/sites/default/files/Stratum%20Security-The%20New%20World%20of%20Smartphone%20Security-Shmoocon%202010.pdf

2009-Q3 - Hacking the Smart Grid - Tony Flick - Presentation Slides: http://www.owasp.org/images/d/df/HackingTheSmartGrid-OWASP_Tampa.pdf

2009-Q2 - Open SAMM - Zate Berg - Presentation Slides: https://www.owasp.org/images/c/c3/Software_Assurance_Maturity_Model.pdf

2009-Q1 - XSS Anonymous Browser - Matt Flick - Presentation Slides: https://www.owasp.org/images/b/bb/BlackHat-DC-09-Flick-XAB_Slides.pdf

2008-Q4 - Google Code Search: The pitfalls of Copy/Paste - Tony Flick - Presentation Slides: https://www.owasp.org/images/5/5b/GoogleCodeSearch.pdf