Difference between revisions of "Washington DC"

From OWASP
(4 intermediate revisions by one user not shown)
Line 2: Line 2:
  
 
=  Welcome =
 
=  Welcome =
 +
 +
  
 
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br>
 
Welcome to the Home Page of the Washington DC OWASP Chapter.<br><br>
 +
  
 
* The chapter Co-Chairs are [mailto:trevor.hawthorn__AT___owasp.org Trevor Hawthorn], and [mailto:rinaldi.rampen__AT__owasp.org Rinaldi Rampen]. Please contact us with any questions about the chapter.
 
* The chapter Co-Chairs are [mailto:trevor.hawthorn__AT___owasp.org Trevor Hawthorn], and [mailto:rinaldi.rampen__AT__owasp.org Rinaldi Rampen]. Please contact us with any questions about the chapter.
 +
 
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.
 
* Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-washington mailing list] for meeting announcements.
 +
 
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]
 
* You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]
 +
 
* Our recent meetings are documented on the News & Meetings tab.
 
* Our recent meetings are documented on the News & Meetings tab.
 +
 
* You can also check out the archives of this page here [[Washington_DC Archives]].
 
* You can also check out the archives of this page here [[Washington_DC Archives]].
 +
 +
  
 
= Meetings & Events =
 
= Meetings & Events =
 +
 
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br><br>
 
Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.<br><br>
  
'''Next Meeting'''
+
'''Next Meeting - HAS BEEN CANCELED'''
  
The next meeting will be on May 16, 2012 at 6:30-7:30pm at LivingSocial's [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] office location on the first floor at the @hungryacademy.
+
The next meeting will be on Thursday, September 27, 2012 from 6:30 PM to 8:30 PM (EDT) at  
  
Please RSVP for the event here: http://owaspdc.eventbrite.com/  
+
'''Location:''' LivingSocial HQ 1445 New York Ave NW Washington, DC (http://goo.gl/maps/PQ1Ad) 2nd Floor, Golf Cart Conference Room
  
'''Speaker''': Rohit Sethi, Vice President, Product Development, SD Elements
+
Please RSVP for the event here: http://owaspdc.eventbrite.com/
  
'''Topic''': Is There An End to Testing Ourselves Secure?
+
'''Speaker:''' Jan Poczobutt, Director of Enterprise ADC & WAF, Barracuda Networks
  
'''Abstract''': Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance.
+
'''Presentation Overview:''' Enterprise data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. Jan Poczobutt, Director of Enterprise ADC & WAF at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can sucessfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.
  
This talk is an open discussion about the presence, if any, of scalable, measurable, approaches working to address security into the SDLC.  Consideration for how Agile development impacts effectiveness will be explored.
+
= Participation =
  
Points of discussion include:
+
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.
  
·        Is static analysis sufficient?
+
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br><br>
  
·        Developer awareness training
+
= Twitter =
  
·        Threat modeling / architecture analysis
+
<!-- Twitter Box --> {|
  
·        Secure requirements
+
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
  
·        Considerations for procured applications
+
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter>
  
'''Bio''': Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
+
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
  
Register for the meeting at http://owaspdc.eventbrite.com/
+
|}
  
 +
= News & Recent Meetings =
  
= Participation =
+
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br><br>
  
OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.
+
'''July 2012 Meeting'''
  
If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the [mailto:owasp-washington__AT__lists.owasp.org Mailing List].<br><br>
 
  
= Twitter =
+
'''Topic''': OWASP Top Ten Tools and Tactics
<!-- Twitter Box --> {|
+
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
+
'''You can follow us on Twitter as [http://twitter.com/owaspdc @OWASPDC]''' <twitter>23609877</twitter>
+
  
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
+
'''Abstract''': If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.
|}
+
  
 +
'''Bio''': Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th ranked Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).
  
= News & Recent Meetings =
+
'''8:15-9:15 Speaker''': Kevin Johnson
  
Archives from earlier meetings than contained on this page can be found in the [[Washington_DC Archives]]<br><br>
+
'''Topic''': Ninja Assessments: Stealth Security Testing for Organizations
 +
 
 +
'''Abstract''': Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of the web applications. These techniques are designed to be implemented easily and with little impact on the work load of the staff.
 +
 
 +
'''Bio''': Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.
 +
 
 +
'''May 2012 Meeting'''
 +
 
 +
'''Speaker''': Rohit Sethi, Vice President, Product Development, SD Elements
 +
 
 +
'''Topic''': Is There An End to Testing Ourselves Secure?
 +
 
 +
'''Abstract''': Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process,  thereby either causing project delays or risk acceptance.
 +
 
 +
This talk is an open discussion about the presence, if any, of scalable, measurable, approaches working to address security into the SDLC.  Consideration for how Agile development impacts effectiveness will be explored.
 +
 
 +
Points of discussion include:
 +
 
 +
·        Is static analysis sufficient?
 +
·        Developer awareness training
 +
·        Threat modeling / architecture analysis
 +
·        Secure requirements
 +
·        Considerations for procured applications
 +
 
 +
'''Bio''': Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
 +
 
 +
Register for the meeting at http://owaspdc.eventbrite.com/
  
 
'''March 2012 Meeting'''
 
'''March 2012 Meeting'''
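Review bot: The new Next Meeting block (from '''Next Meeting - HAS BEEN CANCELED''' through the Barracuda presentation overview) is internally inconsistent: the heading says the meeting is canceled, but the body still gives the September 27, 2012 date, the LivingSocial location, the speaker, and "Please RSVP for the event here: http://owaspdc.eventbrite.com/" with no cancellation notice; either remove the date, location and RSVP lines or add a sentence stating that the September 27 meeting will not take place. The date line also ends mid-sentence ("from 6:30 PM to 8:30 PM (EDT) at") because the venue was moved into the separate '''Location:''' line, so the trailing "at" should go, and "sucessfully" in the presentation overview should read "successfully". In the new July 2012 Meeting entry, the first talk ('''Topic''': OWASP Top Ten Tools and Tactics) has no '''Speaker''' line even though the bio that follows is Russ McRee's, the entry has no date or location while the second talk carries an "8:15-9:15" slot, and the May 2012 entry copied down from the old Next Meeting section still ends with "Register for the meeting at http://owaspdc.eventbrite.com/", which is stale for a past meeting.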
Line 77: Line 110:
  
 
'''Bio''': Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s from University of Maryland in Information Technology. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.
 
'''Bio''': Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s from University of Maryland in Information Technology. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.
 
 
  
 
'''December 2011 Meeting'''
 
'''December 2011 Meeting'''
Line 86: Line 117:
 
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br>
 
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br><br>
  
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages  
+
* Please '''[https://www.regonline.com/owaspdcdecember2011 Register]''' for the meeting. This helps us get a head count for food and beverages
 +
 
 
* '''Ken Johnson''' and (maybe) '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''
 
* '''Ken Johnson''' and (maybe) '''Chris Gates''' will speak on the '''New Features in the Web Exploitation Framework (wXf)'''
 +
 
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!
 
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an '''Important Announcement''' for 2012. Don't miss it!
 
  
 
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.
 
'''Location Info''' Please come up to the second floor, we'll just be meeting in the room off the Living Social kitchen area.
 
  
 
'''About our Speakers'''
 
'''About our Speakers'''
Line 105: Line 136:
  
 
::'''Abstract: Updates in wXf''' - Coming Soon<br>
 
::'''Abstract: Updates in wXf''' - Coming Soon<br>
 
 
  
 
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''
 
Our '''September Meeting''' was '''September 29th 6:30pm''' at '''[http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037]'''
 +
 
<br>
 
<br>
  
 
'''Speakers'''<br>
 
'''Speakers'''<br>
 +
 +
  
 
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''
 
* '''John Steven''' will speak on '''Assessing your Assessment Practice'''
 +
 
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''
 
* '''Krystal Moon''' and '''Quang Pham''' will speak on '''DHS Software Assurance Pocket Guides'''
 +
 
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.
 
* '''Doug Wilson''' and '''Mark Bristow''' will update on current and upcoming events.
 +
 +
 +
  
  
 
'''About our Speakers'''
 
'''About our Speakers'''
 +
 +
  
 
:'''John Steven'''
 
:'''John Steven'''
 +
 +
  
 
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
 
::John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
 +
 
<br><br>
 
<br><br>
 +
 
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?
 
::'''Abstract: Assessing your Assessment Practice''' - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess.Years into what most consider maturation, organizations continue to let crippling vulnerability into production despite costly assessment. What's going on?
 +
 +
  
 
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.
 
::In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.
 +
 +
  
 
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.
 
::Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.
 +
 
<br><br>
 
<br><br>
 +
 
:'''Krystal Moon'''
 
:'''Krystal Moon'''
 +
 +
  
 
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason Univeristy.
 
:: Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason Univeristy.
 +
 +
  
 
:'''Quang Pham'''
 
:'''Quang Pham'''
 +
 +
  
 
:: Quang Pham is a Cyber Security Analyst at SRA International, INC.  At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program.  One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide.  Quang has a Bachelor’s in Computer Engineering and Electrical Engineering at Penn State and has been at SRA for 9 months.
 
:: Quang Pham is a Cyber Security Analyst at SRA International, INC.  At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program.  One of his roles in the support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide.  Quang has a Bachelor’s in Computer Engineering and Electrical Engineering at Penn State and has been at SRA for 9 months.
 +
 
<br><br>
 
<br><br>
 +
 
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.
 
::'''Abstract: Software Assurance Pocket Guides''' - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered as informative use only and a good starting point for the relevant practices.
 +
 
   
 
   
 +
 
:::'''Secure Coding'''
 
:::'''Secure Coding'''
 +
 
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.
 
:::Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.
 +
 
   
 
   
 +
 
:::'''Architecture and Design Considerations for Secure Software'''
 
:::'''Architecture and Design Considerations for Secure Software'''
 +
 
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.
 
:::The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow software requirements analysis phase and precedes the software implementation the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design software techniques for security and offers guidance on when they should be employed during the SDLC.
 +
 +
 +
  
  
 
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} -->
 
Facility Sponsor: <!-- Currently Open -->Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: {{MemberLinks|link=http://www.bluecanopy.com|logo=BlueCanopySponsoLogo.jpg}}<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} -->
 +
 
<br>
 
<br>
 +
 +
 +
  
  
 
'''August 2011 Meeting'''
 
'''August 2011 Meeting'''
 +
 +
  
 
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.
 
Our next meeting is August 24th at [http://maps.google.com/maps?q=1445+New+York+Avenue+Northwest,+Washington+D.C.,+DC&hl=en&sll=37.0625,-95.677068&sspn=44.204685,93.076172&z=16 1445 New York Ave NW] (Living Social) in Washington DC.
 +
 
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.
 
Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.
 +
 
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br>
 
This location is very close to both the McPherson Square and Metro Center WMATA train stations.<br>
 +
 
<br>
 
<br>
 +
 
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.
 
* Please '''[http://www.regonline.com/Register/Checkin.aspx?EventID=1003187 REGISTER HERE]''' if you are going to attend so we have an accurate head count.
 +
 
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''
 
* Julian Cohen will speak on '''Cross-Origin Resource Inclusion in HTML5'''
 +
 
* Doug Wilson & Mark Bristow will update on current and upcoming events.
 
* Doug Wilson & Mark Bristow will update on current and upcoming events.
 +
 +
 +
  
  
 
'''About our Speaker'''
 
'''About our Speaker'''
 +
 +
  
 
:'''Julian Cohen'''
 
:'''Julian Cohen'''
 +
 +
  
 
::Julian is a security researcher from New York City.  When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques.  He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.
 
::Julian is a security researcher from New York City.  When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques.  He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.
 +
 +
  
 
::Julian runs NYU Poly's world-renowned CSAW CTF competition.  In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.
 
::Julian runs NYU Poly's world-renowned CSAW CTF competition.  In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.
 +
 +
  
 
:'''Abstract'''
 
:'''Abstract'''
 +
 +
  
 
::'''Cross-Origin Resource Inclusion in HTML5''' - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects.  This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable.  Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited.  An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.
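The improper and proper CORS implementations the abstract contrasts, as an added example in JavaScript that is not code from the talk or from this page; the allowlist entries, the foreign origin and the plain-object request shape are assumptions constructed for illustration:

```javascript
// Added example (not code from the talk or from this page): the CORS
// decision that separates an "improper" implementation from a proper one.
// ALLOWED_ORIGINS and the origins used below are constructed values.

// Exact scheme://host[:port] strings of the front ends allowed to read
// authenticated responses (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Improper implementation: echo whatever Origin the browser sent and also
// allow credentials. Any page the user visits can then issue a credentialed
// XMLHttpRequest and read the response, which is the cross-origin inclusion
// the abstract describes.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Proper implementation: exact-match allowlist (no prefix/suffix matching,
// so "https://app.example.com.attacker.test" does not pass), credentials
// only for listed origins, and Vary: Origin so a shared cache never replays
// one origin's Access-Control-Allow-Origin value to another origin.
function safeCorsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    // Unknown, missing, or "null" Origin: send no CORS grant at all, so the
    // browser keeps enforcing the same-origin policy for this response.
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Models the browser's read check for a cross-origin XMLHttpRequest issued
// from pageOrigin. With withCredentials=true the Allow-Origin value must be
// the page's exact origin (a literal "*" is rejected) and
// Access-Control-Allow-Credentials must be "true".
function browserMayReadResponse(pageOrigin, headers, withCredentials) {
  const allow = headers['Access-Control-Allow-Origin'];
  if (allow === undefined) return false;
  if (withCredentials) {
    return allow === pageOrigin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allow === '*' || allow === pageOrigin;
}

// A framework-agnostic handler using the safe policy. req is a plain object
// { method, origin } (constructed shape); the return value is
// { status, headers, body }.
function respond(req) {
  const cors = safeCorsHeaders(req.origin);
  if (req.method === 'OPTIONS') {
    // Preflight: only advertise methods/headers to origins that passed.
    const extra = cors['Access-Control-Allow-Origin']
      ? { 'Access-Control-Allow-Methods': 'GET',
          'Access-Control-Allow-Headers': 'Content-Type' }
      : {};
    return { status: 204, headers: { ...cors, ...extra }, body: '' };
  }
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: JSON.stringify({ account: 'demo-data (constructed)' }),
  };
}

// Side-by-side outcome for a credentialed request from a foreign page:
// weak === true means the foreign page can read the authenticated response.
function compareOutcomes(foreignOrigin) {
  return {
    weak: browserMayReadResponse(foreignOrigin, weakCorsHeaders(foreignOrigin), true),
    safe: browserMayReadResponse(foreignOrigin, safeCorsHeaders(foreignOrigin), true),
  };
}
```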
  
 
<br>
 
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;[http://www.stratumsecurity.com Stratum Security]
 
<br><br><br><br><br>
 
'''July 2011 Meeting'''
 
Our next meeting is July 21st at 6:00pm [http://maps.google.com/maps?q=2445+M+Street+NW+Washington,+District+of+Columbia+20037+United+States&oe=utf-8 2445 M Street NW Washington, DC 20037] ('''*NOTE NEW LOCATION*''')

* Please [http://www.regonline.com/Register/Checkin.aspx?EventID=989237 Register Here]
* Jack Mannino will speak on '''Building Secure Android Applications'''
* Doug Wilson & Mark Bristow will update on current and upcoming events.
 
'''NEW LOCATION'''  Folks will need to come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the university room.
 
'''About our Speakers'''
 
:'''Jack Mannino'''
 
::Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.
 
:'''Abstract'''
 
::'''Building Secure Android Applications''' - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.
 
::This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.
 
::Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.
 
::At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.
 
<br>
 
Facility Sponsor: Anonymous&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}}
 
<br><br><br><br><br>
 
'''March 2010 Meeting'''
 
* Our next meeting will be [http://upcoming.yahoo.com/event/5617790/DC/Washington/OWASP-DC-March-Meeting/GWU-Phillips-Hall/ March 24th at 6:30 PM, at 801 22nd Street NW, Room B149] on the GWU campus in Washington DC (*NOTE NEW LOCATION*)
* Jeff Ennis from Veracode will be presenting on Application Risk Management
* Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security
* Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA
* Doug Wilson will update on plans for future meetings and upcoming events.
 
'''About our Speakers'''
 
'''Jeff Ennis'''

:Jeff Ennis is a Solutions Architect for Veracode, Inc.  He has more than 20 years' experience in information technology.  He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape.  Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.
 
:'''Abstract'''
 
:'''Application Risk Management''' - Application vulnerabilities are steeply on the rise. At $350 billion per year software is the largest manufacturing industry in the world yet there are no uniform standards or insight into security, risk or liability of the final product.  The development environment is becoming increasingly complex – application origin ranges from internally developed code, outsourced, 3rd party, Open Source, and Commercial Off the Shelf software.  Ensuring that these entities are creating secure software is becoming a daunting task.  Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application.  During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.
 
'''Dan Philpott'''
 
:Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.
 
'''Chuck Willis'''
 
:Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.
 
'''December 2009 Meeting'''
 
* Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC
* We will be recapping and discussing AppSecDC and the OWASP Summit
* We will discuss other recent events such as the DHS Software Assurance Forum Conference
* We will be talking about the coming year and upcoming events
* We will open up the floor for discussion of current events or concerns.
 
'''Addition to Agenda'''
 
Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
 
After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.
 
'''September 2009 Meeting'''
 
* The meeting was held on [http://upcoming.yahoo.com/event/4344425/ September 2nd at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
* Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browsers (XAB) that they have previously presented at Black Hat and at Defcon.
* Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.
 
'''XAB -- The Abstract:'''
 
Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.
 
XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and creating a new animal all of its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.
 
During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.
 
'''About our speakers:'''
 
'''Matthew Flick, Principal'''

'''FYRM Associates'''
 
Matt has more than seven years of professional experience in information assurance focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.
 
Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.
 
Matt’s other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.
 
'''Jeff Yestrumskas'''

'''Sr. Manager InfoSec @ Cvent'''
 
Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background, spanning over a decade, includes forensics, leading penetration tests, application security services and teaching others to do the same.
 
'''August 2009 Meeting'''
 
*The meeting was held at [http://upcoming.yahoo.com/event/4129351/ August 5th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC]
*'''Dan Cornell''' of the Denim Group spoke on Vulnerability Management in an Application Security World
*'''Mike Smith''' of Deloitte spoke on SCAP and how it can relate to web application security.
*'''Doug Wilson''' gave an update on [[OWASP_AppSec_DC_2009 | AppSecDC 2009]]
 
About our speakers:
 
:'''Dan Cornell''' has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
 
:Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.
 
:'''Vulnerability Management in an Application Security World'''
 
:This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
 
:'''Michael Smith''' is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.
 
:SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.
 
'''April Meeting Debrief'''
 
We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.
 
Our big announcement of the meeting was that we are kicking off the [[OWASP_AppSec_US_2009_-_Washington_DC| Call for Papers for AppSec DC 2009]], slated for November 10-13 at the DC Convention Center.
 
We'd also like to thank:

* George Washington University and their great staff for the meeting space and A/V support
* Securicon and Mark Bristow for arranging refreshments.
 
We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our [https://lists.owasp.org/mailman/listinfo/appsec_us_09 mailing list]!
 
'''April 22nd 6:30 PM OWASP Meeting, Washington DC'''
 
This month we will be holding our meeting at The George Washington University in downtown DC.
 
The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]
 
This month, we will have Jon Rose speaking about Flash Remoting and [http://deblaze-tool.appspot.com/ Deblaze].
 
<blockquote>Deblaze - A remote method enumeration tool for flex servers.</blockquote>
 
<blockquote>Flash applications can make requests to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications.  Deblaze was developed in order to perform method enumeration and interrogation against flash remoting endpoints.</blockquote>
 
<blockquote>This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.</blockquote>
 
<blockquote>The latest version can be found at [http://deblaze-tool.appspot.com deblaze-tool.appspot.com]</blockquote>
 
Doug Wilson will also discuss the recent [http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009 OWASP Software Assurance Day] that took place at Mitre in March, and cover some of the recent milestones that OWASP has hit with maturing and evolving projects.
 
We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.
 
You can RSVP for the event on [http://upcoming.yahoo.com/event/2385625/ Upcoming.org]
 
''Note on Transportation and Parking''
 
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center
 
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU located on the Orange/Blue lines, is a short 3 block walk from the Marvin Center
  
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.
 
'''February 5th 6:30 PM OWASP Meeting, Washington DC'''
 
This month we will be holding our meeting at The George Washington University in downtown DC.
 
The meeting is in Duques Hall, Room 553, which is located at [http://maps.google.com/maps?hl=en&q=2201+G+St.+NW+Washington,+DC+20037 2201 G St. NW Washington, DC 20037]
 
This month's agenda:
 
* 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
* 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
* 7:45 - 8:00 Break
* 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra
 
You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008
 
''Note on Transportation and Parking''
 
Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.
 
The Marvin Center Garage operates from 7am - midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.
 
'''December Meeting Debrief'''
 
I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social butterfly demonstrated some of the great up-and-coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found [https://www.owasp.org/index.php/Image:OWASP_DC_--_Web_Attack_Tools.pdf here].
 
We also took care of some housekeeping stuff:

* We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
* The OWASP DC Chapter will be hosting [https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC OWASP AppSec 2009] sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
* Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 here]
* Our next chapter meeting will be held in February, topics TBD, but we are [mailto:mark.bristow__AT___owasp.org soliciting speakers].
 
To those who attended the meeting on Wednesday, thanks for coming out, we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.
 
'''December 10th 6:30pm OWASP Meeting, Washington DC'''
 
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).
 
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.
 
This month's agenda is as follows:
 
* Presentation by Kevin Johnson, InGuardians
* Round table Discussion of Portugal Summit
* Open discussion
 
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.
 
Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.
 
You can RSVP to the event on Upcoming.org:
http://upcoming.yahoo.com/event/1334575
 
'''October 15th 6:30pm OWASP Meeting, Washington DC'''
 
This month we will be holding our meeting at the DC offices of [http://www.deloitte.com/ Deloitte & Touche] ([http://maps.google.com/maps?f=q&hl=en&geocode=&q=1001+G+ST+NW+washington+dc 1001 G St NW Washington DC 20001]).
 
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.
 
This month's agenda is as follows:
 
* Adam Vincent, Hacking and Hardening Web Services
* Doug Wilson, Report on AppSec NYC 2008
* Open discussion
 
Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience.
 
Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.
 
= History =
 
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams(at)owasp.org Jeff Williams] and has had members from Virginia to Delaware.
 
In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.
 
In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board to create a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.
 
The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.
  
<headertabs />
 
<br>
<br>
<br>
<paypal>Washington DC</paypal>
<br>
<br>
September Meeting:<br>
<br>
Facility Sponsor: [http://www.livingsocial.com Living Social]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Refreshment Sponsor: Still Open!<!-- {{MemberLinks|link=http://www.securicon.com|logo=Securicon.gif}} -->
<br>
<br>
 
[[Category:OWASP Chapter]]
[[Category:Washington, DC]]
[[Category:Maryland]]

Revision as of 19:37, 26 September 2012


Welcome to the Home Page of the Washington DC OWASP Chapter.


  • Please subscribe to the mailing list for meeting announcements.
  • You can follow us on Twitter as @OWASPDC
  • Our recent meetings are documented on the News & Meetings tab.


Chapter meetings are held several times a year, typically at a location provided by our current facility sponsor.

Next Meeting - HAS BEEN CANCELED

The next meeting will be on Thursday, September 27, 2012 from 6:30 PM to 8:30 PM (EDT) at

Location: LivingSocial HQ 1445 New York Ave NW Washington, DC (http://goo.gl/maps/PQ1Ad) 2nd Floor, Golf Cart Conference Room

Please RSVP for the event here: http://owaspdc.eventbrite.com/

Speaker: Jan Poczobutt, Director of Enterprise ADC & WAF, Barracuda Networks

Presentation Overview: Enterprise data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. Jan Poczobutt, Director of Enterprise ADC & WAF at Barracuda Networks, will provide an inside look at some of the problems with traditional access management implementations and how enterprises can successfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.

OWASP Local Chapter meetings are free and open. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics.

If you would like to make a presentation, or have any questions about the DC Chapter, send an email to one of the chapter co-chairs or the Mailing List.

You can follow us on Twitter as @OWASPDC

Archives of meetings earlier than those contained on this page can be found in the Washington_DC Archives.

July 2012 Meeting


Topic: OWASP Top Ten Tools and Tactics

Abstract: If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.

Bio: Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force cited him as the 6th-ranked top vulnerability discoverer of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).

8:15-9:15 Speaker: Kevin Johnson

Topic: Ninja Assessments: Stealth Security Testing for Organizations

Abstract: Organizations today need to be able to easily integrate security testing within their existing processes. In this talk, Kevin Johnson of Secure Ideas will explore various techniques and tools to help organizations assess the security of their web applications. These techniques are designed to be implemented easily and with little impact on the workload of the staff.

Bio: Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. He is the founder of many of these projects and has worked on others. He founded BASE, a web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD, a live environment focused on web penetration testing, and founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.

May 2012 Meeting

Speaker: Rohit Sethi, Vice President, Product Development, SD Elements

Topic: Is There An End to Testing Ourselves Secure?

Abstract: Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance.

This talk is an open discussion about the presence, if any, of scalable, measurable approaches to building security into the SDLC. Consideration of how Agile development impacts effectiveness will also be explored.

Points of discussion include:

  • Is static analysis sufficient?
  • Developer awareness training
  • Threat modeling / architecture analysis
  • Secure requirements
  • Considerations for procured applications

Bio: Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

Register for the meeting at http://owaspdc.eventbrite.com/

March 2012 Meeting

March 15th at 6:30-7:30pm at LivingSocial's 1445 New York Ave NW office location on the first floor at the @hungryacademy.

Please RSVP for the event here: http://owaspdc.eventbrite.com/

Speaker: Alissa Torres

Topic: Application Footprinting

Abstract: Application footprinting is a great skill for forensic examiners (and anyone interested in binary research) because it allows you to marry artifacts in the registry/file creation/time/date stamps with specific applications or user initiated events. Eventually, during the course of an investigation, an examiner is going to run into a "new" problem - one that hasn't previously been experienced/researched by others in the field. Application footprinting is a simple method that examines the interaction of a program with the operating system. The process of footprinting will determine if the application was installed on the system being investigated, what trace evidence exists and how that can be mined. This presentation will include a demo of Active Registry Monitor and its use in tracking changes made to the Windows Registry by an open source ssh client.

Bio: Alissa Torres currently works as a security researcher for KEYW Corporation in Maryland and has 10 years of technical expertise in the information technology field. Previously, she was a digital forensic investigator on a government contractor security team. She has extensive experience in information security, spanning government, academic and corporate environments, and holds a Bachelor’s degree from the University of Virginia and a Master’s in Information Technology from the University of Maryland. Alissa taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), teaching incident response and network basics to security professionals entering the forensics community. In addition, she has presented at various industry conferences and currently holds the following industry certifications: GCFA, CISSP, EnCE.

December 2011 Meeting

The December 21st meeting was held at 1445 New York Ave NW (Living Social) in Washington DC.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.

  • Please Register for the meeting. This helps us get a head count for food and beverages.
  • Ken Johnson and (maybe) Chris Gates will speak on the New Features in the Web Exploitation Framework (wXf)
  • Doug Wilson and Mark Bristow will update on current and upcoming events, including AppSecDC 2012 and chapter plans for the next year, including an Important Announcement for 2012. Don't miss it!

Location Info: Please come up to the second floor; we'll be meeting in the room off the Living Social kitchen area.

About our Speakers

Ken Johnson
Ken Johnson is a Senior Security Architect for LivingSocial.com responsible for securing mobile applications, web services and web applications. Additionally he is the primary developer of the Web Exploitation Framework (wXf) and contributes to several open source security projects. He lives in Northern Virginia with his lovely wife Tracy and spends his weekends either stuffing his face with sushi or getting demolished in Call of Duty.

Chris Gates
TBD

Abstract: Updates in wXf - Coming Soon

Our September Meeting was held September 29th at 6:30pm at 2445 M Street NW Washington, DC 20037


Speakers


  • John Steven will speak on Assessing your Assessment Practice
  • Krystal Moon and Quang Pham will speak on DHS Software Assurance Pocket Guides
  • Doug Wilson and Mark Bristow will update on current and upcoming events.



About our Speakers


John Steven


John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.



Abstract: Assessing your Assessment Practice - Years ago, organizations embraced Penetration Testing to find vulnerabilities in their applications. Later, vulnerabilities remained and many added a Source Code Review practice, often supported by commercial tooling. Others possess "Holistic Assessment" schemes which combine techniques in hopes of finding an even broader range of vulnerabilities their applications may possess. Years into what most consider maturation, organizations continue to let crippling vulnerabilities into production despite costly assessment. What's going on?


In this presentation, we'll consider assessment practices of various shapes and sizes focusing on particularly interesting Fortune 100 companies (assessing 300-1000 apps / year) as well as the single-man-shop. We'll discuss assessment coverage (code and vulnerability), cost, and measures of remediation.


Next, we'll discuss what methodological, tool-based, measurement, and other techniques can dramatically improve cost, coverage, or successful remediation in your assessment practice.



Krystal Moon


Krystal Moon is a Cyber Security Analyst at SRA International, Inc. She currently supports the Department of Homeland Security Software Assurance Program where one of her tasks is co-authoring the Secure Coding Pocket Guide. Previously, she provided certification and accreditation support for various government agencies. She completed her Bachelor of Science in IT with a concentration in Information Security and Master of Science in Applied IT at George Mason University.


Quang Pham


Quang Pham is a Cyber Security Analyst at SRA International, Inc. At SRA, Quang is supporting the Department of Homeland Security’s Software Assurance (SwA) program. One of his roles in support of the SwA program is to co-author the “Architecture and Design Considerations for Secure Software” Pocket Guide and the “Requirements and Analysis for Secure Software” Pocket Guide. Quang has a Bachelor’s in Computer Engineering and Electrical Engineering from Penn State and has been at SRA for 9 months.



Abstract: Software Assurance Pocket Guides - The Software Assurance (SwA) Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. The Pocket Guides are offered for informational use only and as a good starting point for the relevant practices.


Secure Coding
Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are seemingly easily avoided defects in software. Producing secure code is not an absolute science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding, and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.


Architecture and Design Considerations for Secure Software
The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity where software requirements are analyzed in order to produce a description of the software’s internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.



Facility Sponsor: Anonymous      Refreshment Sponsor: Blue Canopy




August 2011 Meeting


Our next meeting is August 24th at 1445 New York Ave NW (Living Social) in Washington DC.

Refreshments will be served starting at 6:30 PM, with the presentation starting around 7.

This location is very close to both the McPherson Square and Metro Center WMATA train stations.


  • Please REGISTER HERE if you are going to attend so we have an accurate head count.
  • Julian Cohen will speak on Cross-Origin Resource Inclusion in HTML5
  • Doug Wilson & Mark Bristow will update on current and upcoming events.



About our Speaker


Julian Cohen


Julian is a security researcher from New York City. When he isn't explaining different vulnerability classes to developers, Julian spends his time finding bugs and studying exploitation techniques. He has previously done information security work for two consulting companies, a defense contractor, a public utility and a handful of web startups, but he still hasn't found the job he's really looking for.


Julian runs NYU Poly's world-renowned CSAW CTF competition. In his downtime, Julian writes technical articles for a number of security blogs and participates in CTF competitions around the world.


Abstract


Cross-Origin Resource Inclusion in HTML5 - Cross-Origin Resource Inclusion is an HTML5 vulnerability that takes advantage of Cross-Origin Resource Sharing to bypass Same-Site Origin Policy with XMLHttpRequest objects. This talk will cover Web 2.0 application design trends that allow for this vulnerability to be exploitable. Basic concepts that are necessary for Cross-Origin Resource Sharing to exist will be covered thoroughly and W3C specifications will be cited. An example web application will be used to demonstrate how this functionality is used today, how it can be implemented improperly (and properly) and how it can be exploited by a malicious attacker.



Facility Sponsor: Living Social. Refreshment Sponsors: Living Social, Stratum Security.







July 2011 Meeting


Our next meeting is July 21st at 6:00 PM at 2445 M Street NW, Washington, DC 20037 (*NOTE NEW LOCATION*).

  • Jack Mannino will speak on Building Secure Android Applications.
  • Doug Wilson & Mark Bristow will give an update on current and upcoming events.



NEW LOCATION: Come up to the 8th floor. When you get off the elevator, walk towards the concierge, then make a left and walk towards the University Room.



About our Speakers


Jack Mannino


Jack Mannino is the CEO of nVisium Security, an application security services firm located within the Washington DC area. At nVisium, he provides mobile and web application security services including source code reviews, penetration testing, threat modeling, and training. He is the co-leader and founder of the OWASP Mobile Security Project, which is a global initiative to improve the state of security in the mobile industry. Jack also serves as a board member for the OWASP Northern Virginia chapter.


Abstract


Building Secure Android Applications - Mobile platforms are gaining momentum as an attacker's favorite new playground. We are seeing huge increases in mobile malware, mobile exploits, and the ever common insecure mobile applications themselves. Mature development shops and startups alike are releasing new applications at the speed of light. Like many other rapidly booming markets, technical innovation is far outpacing the adoption of security best practices. This is a problem we must solve sooner rather than later.


This presentation will highlight many of the new security and privacy challenges developers, organizations, and consumers must be aware of. Android will be our target of interest during this presentation. A threat model for the Android platform will be presented, identifying the various layers where risks are introduced. We will discuss the top mobile security risks and the security controls used to mitigate them using guidance provided by the OWASP Mobile Security Project.


Expect a ton of code samples and live remediation of vulnerabilities. The OWASP GoatDroid project will be used to demonstrate various Android application security flaws. GoatDroid is a fully featured training environment for exploring the attack surface of Android apps. It is highly extendable, and includes several robust RESTful web services.


At the end of this presentation, attendees will understand how to identify Android risks, how to build secure applications for the Android platform, and will be exposed to the current initiatives within the Mobile Security Project.



Facility Sponsor: Anonymous. Refreshment Sponsor: Securicon (sponsor logo).







March 2010 Meeting


  • Jeff Ennis from Veracode will be presenting on Application Risk Management.
  • Dan Philpott will be briefing on the upcoming NIST SP covering Web Application Security.
  • Chuck Willis will be giving an update on the OWASP BWA project and releasing an update to BWA.
  • Doug Wilson will update on plans for future meetings and upcoming events.


About our Speakers


Jeff Ennis


Jeff Ennis is a Solutions Architect for Veracode, Inc. He has more than 20 years' experience in information technology. He recently served as Security Solutions Manager for the Federal Division of IBM Internet Security Systems, where he and his team of security architects assisted DoD, Civilian, and Intel agencies with addressing their security requirements as they dealt with an ever-changing threat landscape. Throughout his career he has represented both the end user and vendor communities, including Nortel Networks, UUNET, and Lockheed Martin.


Abstract


Application Risk Management - Application vulnerabilities are steeply on the rise. At $350 billion per year, software is the largest manufacturing industry in the world, yet there are no uniform standards or insight into security, risk or liability of the final product. The development environment is becoming increasingly complex: application origin ranges from internally developed code to outsourced, 3rd party, Open Source, and Commercial Off the Shelf software. Ensuring that these entities are creating secure software is becoming a daunting task. Lots of emphasis is placed on IT controls, patching, etc., but the new attack vector is your application. During this presentation we will recap the state of software security today, discuss some initiatives which are requiring application risk management, and provide suggestions on how you can begin managing the application risk at your organization.


Dan Philpott


Dan is the maintainer of fismapedia.org, and a recognized expert in IT standards and policy in the DC Metro Area. Dan routinely helps review and contribute to NIST SP and Report documents.


Chuck Willis


Chuck is a Technical Director with MANDIANT, and the founder of the OWASP Broken Web Application Project (OWASP BWA). Chuck has presented on the OWASP BWA at AppSecDC 2009 and at DoD Cyber Crime 2010, and will be releasing an updated version of OWASP BWA at this meeting.


December 2009 Meeting


  • Our next meeting will be December 9th at 6:30 PM, at Duques Hall (Room 553D) on the GWU campus in Washington DC.
  • We will be recapping and discussing AppSecDC and the OWASP Summit.
  • We will discuss other recent events such as the DHS Software Assurance Forum Conference.
  • We will be talking about the coming year and upcoming events.
  • We will open up the floor for discussion of current events or concerns.


Addition to Agenda


Dan Philpott and several others in and around OWASP DC are working on an OWASP effort to contribute to the NIST draft standard 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.


After our normal meeting agenda, I am going to turn the space over to Dan, so that he can explain what he and his group are up to, and hold a brief discussion in our space. Any and all who are interested in this process or contributing to government security policy are welcome to stick around and observe or contribute.


September 2009 Meeting


  • Matthew Flick and Jeff Yestrumskas will give an encore of their talk on the Cross-Site Scripting Anonymous Browser (XAB), which they previously presented at Black Hat and at Defcon.
  • Doug Wilson will talk about the recent launch of the AppSec DC 2009 website, and what's going on with the conference.



XAB -- The Abstract:


Earlier this year, the Cross-site Scripting Anonymous Browser (“XAB”) was presented at Black Hat DC as a new perspective on how we could extend the functionality of browser technologies, form dynamic botnets for browsing, and create an unpronounceable acronym all at once. We continued the madness with a second incarnation of the XAB framework at Defcon in August.


XAB hasn't really revolutionized attacks or defenses in its short lifespan, nor is it great at factoring primes. However, it has opened minds by demonstrating an interesting way to combine unlike ideas and create a new animal all its own. Think of it as forced social networking, without ever really knowing who you're talking to, or what they're saying.


During this presentation, we will explain the origins of the concept, provide a brief review of the technologies, pore over the trials and tribulations of the enhancements and additions of the past 6 months, provide a live demonstration of the improvements, and continue the conversation about the future of the framework.



About our speakers:


Matthew Flick, Principal

FYRM Associates


Matt has more than seven years of professional experience in information assurance, focusing on network and application security, assessments, and compliance. He has assessed and helped develop information assurance programs for commercial clients in several industries as well as several Federal agencies.


Matt leads the Information Assurance team at FYRM Associates in delivering consulting services in the areas of application security, assessments, network and wireless security, and security program development. He has performed assessments of many in-house and commercial/third party developed applications, wired and wireless network infrastructures, and complex corporate environments. His primary area of expertise is in application security, which drives much of the focus of FYRM's Information Assurance research and development.


Matt's other areas of expertise include computer programming, cryptology, and compliance with Federal standards and regulations such as FISMA, HIPAA, Sarbanes-Oxley, and PCI-DSS.



Jeff Yestrumskas

Sr. Manager InfoSec @ Cvent


Jeff Yestrumskas is in charge of information security for an international application service provider, but still enjoys getting his hands dirty. His professional background, spanning over a decade, includes forensics, leading penetration tests, application security services, and teaching others to do the same.




August 2009 Meeting


  • Dan Cornell of the Denim Group spoke on Vulnerability Management in an Application Security World.
  • Mike Smith of Deloitte spoke on SCAP and how it can relate to web application security.


About our speakers:


Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.


Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.


Vulnerability Management in an Application Security World


This presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.



Michael Smith is a manager in Deloitte's Security and Privacy Practice. His current engagement is as an Information System Security Officer working with a government agency integrating embedded devices with a web application command and control system. He blogs at http://www.guerilla-ciso.com/ and covers security management, public policy, regulations and laws, and technical solutions.


SCAP is the Security Content Automation Protocol, a set of XML schemas designed to automate information security flows between vulnerability, patch management, and data center automation tools. Michael will be giving us an introduction to SCAP and its applicability to web application security with a call to action to make web application security products and processes compatible with SCAP.



April Meeting Debrief


We'd like to thank Jon Rose for speaking, and showing us his Deblaze tool in action. His presentation will be up on the wiki shortly. If you want it before then, please email doug.wilson AT owasp for a copy.


Our big announcement of the meeting was that we are kicking off the Call for Papers for AppSec DC 2009, slated for November 10-13 at the DC Convention Center.


We'd also like to thank:

  • George Washington University and their great staff for the meeting space and A/V support.
  • Securicon and Mark Bristow for arranging refreshments.


We hope to announce something about our next meeting soon, and if you want to volunteer for the conference, join our mailing list!



April 22nd 6:30 PM OWASP Meeting, Washington DC


This month we will be holding our meeting at The George Washington University in downtown DC.


The meeting will be held in Room 650 D on the 6th floor of Duques Hall at the George Washington University, 2201 G St. NW, Washington, DC 20037.


This month, we will have Jon Rose speaking about Flash Remoting and Deblaze.


Deblaze - A remote method enumeration tool for Flex servers.


Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze was developed in order to perform method enumeration and interrogation against Flash remoting endpoints.


This talk will provide a basic overview of Flash remoting, cover some of the security issues found in real-world Flash applications, and demonstrate a new tool for testing Flash applications.


The latest version can be found at deblaze-tool.appspot.com.


Doug Wilson will also discuss the recent OWASP Software Assurance Day that took place at Mitre in March, and discuss some of the recent milestones that OWASP has hit with maturing and evolving projects.


We will also have a few copies of the new OWASP Live CD to hand out, first come, first served.


You can RSVP for the event on Upcoming.org.



Note on Transportation and Parking


Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.


The Marvin Center Garage operates from 7 AM to midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45 PM. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.




February 5th 6:30 PM OWASP Meeting, Washington DC


This month we will be holding our meeting at The George Washington University in downtown DC.


The meeting is in Duques Hall, Room 553, which is located at 2201 G St. NW, Washington, DC 20037.


This month's agenda:


  • 6:30 - 6:45 Introductions and OWASP Business - Mark Bristow
  • 6:45 - 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity - Ryan Barnett
  • 7:45 - 8:00 Break
  • 8:00 - 9:00 Software Assurance Maturity Model (SAMM) - Pravir Chandra


You can RSVP for the event on Upcoming.org: http://upcoming.yahoo.com/event/1494008



Note on Transportation and Parking


Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest METRO stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short 3 block walk from the Marvin Center.


The Marvin Center Garage operates from 7 AM to midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45 PM. A visitor's parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.



December Meeting Debrief


I'd like to take this opportunity to once again thank Kevin for coming out to talk to us at the meeting Wednesday. I thought his presentation on Samurai, Yokoso!, Laudanum, and Social Butterfly demonstrated some of the great up and coming tools that are available to the community. As promised, I uploaded the PDF of the presentation to the Wiki, but the slides don't do the commentary justice. It can be found here.


We also took care of some housekeeping stuff:

  • We'd like to thank Mike from Deloitte for offering up his space the last few months, but our next meeting will instead be held at George Washington University Gelman Library. Everyone remember to thank Amy for offering up GW's meeting spaces to us.
  • The OWASP DC Chapter will be hosting OWASP AppSec 2009 sometime in October 09. More details will come out as we firm up dates/speakers/locations and calls for volunteers!
  • Rex talked for a few minutes about the Portugal Summit. The debrief from the summit can be found here.
  • Our next chapter meeting will be held in February, topics TBD, but we are soliciting speakers.


To those who attended the meeting on Wednesday, thanks for coming out; we had a great turnout and I hope to have even more attendees next time. For those who were unable to attend, I hope to see you all at our next meeting.



December 10th 6:30pm OWASP Meeting, Washington DC


This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).


The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.


This month's agenda is as follows:


  • Presentation by Kevin Johnson, InGuardians
  • Round table Discussion of Portugal Summit
  • Open discussion


Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and contributes to a large number of open source security projects. Kevin founded and leads the development of the B.A.S.E., Samurai, SecTools and Yokoso! projects.


Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including InfraGard, ISACA, ISSA and the University of Florida.


You can RSVP to the event on Upcoming.org:

http://upcoming.yahoo.com/event/1334575



October 15th 6:30pm OWASP Meeting, Washington DC


This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).


The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.


This month's agenda is as follows:


  • Adam Vincent, Hacking and Hardening Web Services
  • Doug Wilson, Report on AppSec NYC 2008
  • Open discussion


Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVA, and we are pleased that he is able to bring it to our DC audience.


Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from it, and talk about some of the directions that OWASP is looking to take in the coming year.




The original DC Chapter was founded in June 2004 by Jeff Williams and has had members from Virginia to Delaware.


In April 2005 a new chapter, DC-Virginia, was formed and the DC Chapter was renamed to DC-Maryland.


In 2008, the DC-Maryland chapter was given over to the stewardship of co-chairs Rex Booth, Mark Bristow, and Doug Wilson, and charged by the OWASP board with creating a chapter focused specifically on the needs of Washington DC. The new chapter has tried to reach out to the government and academic environments found in DC as well as the private sector.


The DC chapter will be hosting OWASP AppSec DC in November of 2009, the national OWASP conference for the year.






funds to OWASP earmarked for Washington DC.



September Meeting:


Facility Sponsor: Living Social. Refreshment Sponsor: Still Open!