OWASP Cincinnati

Welcome to the Cincinnati, Ohio OWASP Local Chapter

Cincinnati OWASP chapter meetings are free and open to anyone interested in information security, risk management, data protection and application security. Chapter meetings are generally held every one to two months.

Check our Upcoming Meetup Events

If you have never attended a meeting before and you are interested in attending one in the future, please join the OWASP Slack (in the #chapter-cincinnati channel) or follow us on Meetup.

The board currently includes the following members:

Chapter Leader: Shlomo Heigh

Chapter Leader: James Simmons

Sponsors

The OWASP Cincinnati Chapter is proudly sponsored by:

Traceable

Call For Speakers

If you are interested in presenting at one of the chapter meetings please send an abstract and bio to the chapter chair (Shlomo Heigh). Prior to participating, please review the Chapter Rules.

About OWASP

The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP’s all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. Consult the how OWASP works web page for more information about projects and governance.

OWASP Membership

OWASP is an open source project dedicated to finding and fighting the causes of insecure software. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, meetings or other activities. On the other hand, OWASP relies on membership fees and sponsorship to support its activities. There are also unique benefits to becoming a corporate member, such as the use of OWASP materials within your organization without the restrictions associated with the various open source licenses. OWASP individual members also get discounts to security conferences and other perks. For more information consult the OWASP Membership web page.


Past Events


August 2024 Meeting

OWASP Cheat Sheet Series Bug Bash!

Sponsor: Traceable

Host: Kroger

Event Details: Interested in application security? Or have you been wanting to get into open source but aren’t sure where to start? Come to our Bug Bash! We’ll provide an overview of the OWASP Cheat Sheet Series project, a collection of articles on specific application security topics. Then we’ll dive into the project’s GitHub repository and start hacking away at issues. We’ll have mentors on hand to help you get started and answer any questions you have. All skill levels are welcome!

Never submitted a pull request before? No problem! We’ll walk you through the process and help you get your first open source contribution under your belt. Are you an expert in one specific area of application security? Come contribute to the project by writing a new cheat sheet or improving an existing one. Just getting started? Come and learn from experts, and contribute by fixing typos, improving formatting, or adding examples to existing cheat sheets. You don’t need to be a technical expert to participate in open source! Have tons of experience? Come help mentor others and review their pull requests.

We’ll unleash the group on the project and see how much we can accomplish in a couple hours. There will be food for all attendees, and we’ll have special awards for the top contributors in various categories.

GitHub Issue Link: OWASP/CheatSheetSeries#1451

July 2024 Meeting

Secrets Revealed for Launching a Successful Enterprise DevSecOps Program

Sponsor: Traceable

Host: Kroger

Discussion Abstract: This presentation walks through the patterns of successfully starting a DevSecOps program from scratch. As such, it focuses on the strategies derived from both the successes and failures and the lessons learned along the way on this journey. Lastly, this talk concludes by examining how White House Executive Order 14028, centered around SBOM, shapes the next steps of the DevSecOps maturity model and how organizations can leverage this new piece of legislation to bolster their application security defenses.

Speaker Biography: Kevin Johnson is CEO of Secure Ideas, a consulting company dedicated to security testing and training. Kevin passionately advocates for cybersecurity through his work with Secure Ideas, as a global board member for OWASP and as a faculty member at IANS. During his over 30 years in the industry, Kevin acted as an instructor and author for the SANS institute. He also contributed to a number of open-source projects, including OWASP SamuraiWTF (a web pen-testing training environment), Laudanum (a collection of injectable web payloads) and Yokoso (an infrastructure fingerprinting project) and was the founder and lead of the BASE project for Snort. Kevin has served as an expert witness in court cases involving cybersecurity.

Presentation: DevSecOps Secrets

June 2024 Meeting

The Truman Show: Real-world application attacks instead of canned demos

Sponsor: Traceable

Host: Kroger

Discussion Abstract: In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various scenarios used in penetration testing of applications. These demonstrations will use real attacks and discuss how a penetration tester views applications. This talk will explain the mindset of an attacker, using actual applications as well as demonstration apps to allow for exploitation.

Speaker Biography: Kevin Johnson is CEO of Secure Ideas, a consulting company dedicated to security testing and training. Kevin passionately advocates for cybersecurity through his work with Secure Ideas, as a global board member for OWASP and as a faculty member at IANS. During his over 30 years in the industry, Kevin acted as an instructor and author for the SANS institute. He also contributed to a number of open-source projects, including OWASP SamuraiWTF (a web pen-testing training environment), Laudanum (a collection of injectable web payloads) and Yokoso (an infrastructure fingerprinting project) and was the founder and lead of the BASE project for Snort. Kevin has served as an expert witness in court cases involving cybersecurity.

May 2024 Meeting

Hacking Web APIs

Sponsor: Kroger

Discussion Abstract: This talk will feature live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objective is to teach developers, QA, and security professionals about flaws that are often present in Web Services (REST APIs) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection, and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list. This talk features additional tips and live demos.

Speaker Biography: Matt Scheurer is Vice President of Computer Security and Incident Response in the Financial Services industry, with many years of hands-on technical experience. Matt is on the Advisory Board for the Warren County Career Center “Information Technology and Cybersecurity” program, and volunteers as a technical mentor for the Women’s Security Alliance (WomSA). He has presented numerous Information Security topics at countless technology meetup groups, and prominent Information Security conferences, including keynotes at the Information Security Summit in Cleveland and Queen City Con in Cincinnati. Matt is also a 2019 comSpark “Rising Tech Stars Award” winner and was named a “Top 12 Hacking Influencer” by Bishop Fox in 2023.

Presentation: Hacking Web APIs

March 2024 Meeting

DevSecOps Worst Practices

Discussion Abstract: Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense at first blush. Let’s explore tried, tested, and failed methods, and then flip them on their head, so we know not only what to do to avoid them, but also why it is important to do so, with these DevSecOps WORST practices.

Speaker Biography: Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker & active blogger, and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.

Presentation: DevSecOps Worst Practices

Recording: https://www.youtube.com/watch?v=pFhlOcm3MDg

January 2024 Meeting

Stand Up Straight - Security Posture And You

Discussion Abstract: Someone likely told you to stand up or sit up straight at some point in your childhood. We buy ergonomic chairs and desks to help us maintain a healthy posture while we work. We have been told forever that good posture has benefits for our joint and muscle health. We instinctively understand how to straighten our stances and spines. But, a new kind of posture has recently emerged that is not as intuitive: security posture.

Without understanding what good security posture is and how we can measure it, being told to improve it is about as helpful as being told to “get better at security.” While there is no 100% right one-size-fits-all way to approach security, mapping your goals against your current tools and processes is going to give you a much better view of how you can improve your security stance.

This session is an attempt to both define and give a roadmap to measure security posture, no matter how large or complex the organization is or where you are on the security journey.

Takeaways:

  • Defining Security Posture
  • How to measure your posture
  • The emergence of contextual security and security posture management platforms
  • Basing your stance on threat mapping
  • Establishing an active defensive stance

Speaker Biography: Dwayne McDaniel has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and Stanford and far-off places like Paris and Iceland. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv. On the internet most places as @mcdwayne.

Presentation: Stand up Straight - Security Posture And You

Recording: https://www.youtube.com/watch?v=VEOImaRbPqM

December 2023 Meeting

Exploring Content Security Policies

Discussion Abstract: Content Security Policies (CSPs) are an essential aspect of web application security. They help safeguard web applications against malicious attacks such as cross-site scripting (XSS) and clickjacking. In this presentation, we will explore how CSPs can protect your web applications from malicious attacks and how they can be implemented from an application security perspective. We will also discuss how to capture policy violations and ensure that site functionality is not impaired while companies work to implement these policies.

Speaker Biography: Jay Simmons is a Senior AppSec Analyst for Great American and Security Champion program administrator. He’s been working in the AppSec field for over 2 years and was previously a developer.

Presentation: Exploring CSPs

Recording: https://www.youtube.com/watch?v=NO-A4NbBNss

September 2023 Meeting

Introducing the OWASP Top 10 for LLM Applications

Discussion Abstract: As Large Language Models (LLMs) transform industries, the need for robust security measures has become increasingly important. Join us for a deep dive into the OWASP Top 10 for LLM Apps, a critical guide created by a team of nearly 500 experts to help secure LLM-based applications. The talk will begin with an exploration of the background behind this vital resource, including an in-depth look at the methodical process of determining the top 10 risks. Learn about the unique challenges, high-risk issues, and uncharted territory that were traversed to create this comprehensive reference on LLM security.

Then, you will delve into each of the top 10 risks, uncovering their intricacies, real-world implications, and mitigation strategies. From Prompt Injection to Model Theft, you will gain a holistic understanding of the vulnerabilities that are shaping the landscape of LLM security. Whether you are a developer, security expert, or simply curious about the future of LLM applications, this presentation will provide you with the insights and tools you need to navigate the exciting but complex world of LLM security.

Speaker Biography: Steve Wilson is the Chief Product Officer at Contrast Security and the lead of the OWASP Top 10 For LLM Applications project.

Steve has over 25 years of experience developing and marketing products at multi-billion-dollar technology companies such as Citrix, Oracle and Sun Microsystems. Prior to Contrast, Steve was the Vice President of Product Management for Citrix Cloud where he led the transformation of Citrix products from traditional on-prem to SaaS. At Oracle, he led core engineering for a billion-dollar product line of systems management software. During his time at Sun Microsystems, Steve was an early member of the team that developed the Java computer programming system, the most widely used set of software development tools in history.

He founded his first AI company, called Emergent Behavior, in 1992. More recently, he has led product teams using natural language processing to control IoT devices and pioneered a $100M business leveraging large datasets and machine learning to deliver User and Entity Behavior Analytics (UEBA) for Security and Performance at Citrix.

Presentation: OWASP Cinci - September 2023 - Introducing the OWASP Top 10 for LLM Applications

Recording: https://www.youtube.com/watch?v=J1auLaU9SAA

August 2023 Meeting

[Joint with CinciJS] Architecting Fortresses: ReactJS Security

Note: This was a joint event, co-hosted with the CinciJS group.

Discussion Abstract: Architecting Fortresses: A Deep Dive into Advanced Security Measures for ReactJS Applications

As we traverse the expanse of the digital world, client-side security risks, characterized by the formidable challenges of Cross-Site Scripting (XSS) and inadvertent leaks of privileged information, continue to pose significant threats. These technological adversities have been challenging web application developers for decades, highlighting the necessity of evolving security paradigms.

ReactJS, a vanguard in the contemporary tech landscape, has initiated steps towards mitigating such threats, providing automatic defenses against Cross Site Scripting. However, mastering the art of building secure ReactJS applications still demands intricate knowledge and specialized expertise.

This presentation will dissect the intricate dimensions of general-purpose Cross Site Scripting defense and a range of other client-side security strategies within the ReactJS framework. We invite ReactJS developers of all levels of proficiency to join us as we delve into a wealth of advanced techniques and recommendations that promise to transform your approach to ReactJS security.

Our discussion will traverse an exciting plethora of topics including:

  • Exploring the React Component Attack Surface
  • Unraveling the Mystery of Unescaped Props and Types
  • Deconstructing dangerouslySetInnerHTML
  • Interpreting JavaScript URLs in the React Context
  • Integrating CSS Styled-Components with React
  • The Interplay between JSON Embedding and React
  • Deciphering React’s Automatic Defenses
  • Mastering Manual Defense Techniques in React
  • Unveiling the Role of React Lazy Loading and Access Control
  • Investigating React Template Injection
  • Unpacking Server-side Rendering in React

This exposition is intended to augment your skillset, bolster your defense strategies, and inspire you to create more secure ReactJS applications. Let’s unite in our quest to navigate the labyrinth of ReactJS security, mastering advanced defense techniques, and cultivating an environment conducive to robust and secure application development!

Speaker Biography: Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of “Iron-Clad Java: Building Secure Web Applications” from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. For more information, see https://www.linkedin.com/in/jmanico.

Recording: https://www.youtube.com/watch?v=0TAUXzk2e7o

July 2023 Meeting

Behind the Package: Unmasking Malicious Intent in Software

Discussion Abstract: In an increasingly interconnected and digitized world, software applications have become prime targets for malicious actors seeking to exploit vulnerabilities. One common and stealthy method employed is the use of malicious packages, which harbor hidden dangers within their seemingly innocent exteriors. This presentation aims to shed light on the inner workings of these evil entities and equip AppSec professionals with the knowledge and tools to identify and mitigate such threats effectively. By exploring the techniques employed by attackers, dissecting real-world examples, and examining best practices for package management and security, attendees will gain a deeper understanding of the risks associated with malicious packages and acquire actionable strategies to fortify their software defenses. Join us as we delve into the shadows, uncovering the secrets behind malicious packages, and empowering AppSec professionals to safeguard their software from hidden threats.

Speaker Biography: Tyler Agypt is an accomplished speaker and thought leader with a particular expertise in Application Security. With a dynamic speaking style and a wealth of industry knowledge, Tyler engages and inspires audiences by sharing actionable insights and practical strategies. As a seasoned professional, he has made significant contributions to the field, helping businesses and individuals achieve their AppSec goals.

Location: Dixie Terminal, 49 E 4th St, Cincinnati, OH 45202

Presentation: OWASP Cinci - July 2023 - Behind the Package

April 2023 Meeting

Do AppSec Better

Discussion Abstract: In this talk Jay will take us through his experience at the recent OWASP SnowFROC conference and share his main takeaways from the event.

Speaker Biography: Jay Simmons is a Senior AppSec Analyst for Great American and Security Champion program administrator. He’s been working in the AppSec field for over 2 years and was previously a developer.

Presentation: OWASP Cinci - April 2023 - Do AppSec Better

November 2022 Meeting

Security Champions Program

Discussion Abstract: A security champions program is unique to the organization and its development teams. As application security teams begin to look towards these types of programs, it’s important to have a good understanding of the complexities and goals a program like this will have, along with the relationship your security team has with your development team. In this talk we’ll go through what growing and maintaining an effective program looks like, along with some of the obstacles and ways to overcome them.

Speaker Biography: Jay Simmons is a senior application security analyst at Great American Insurance Group who is responsible for their security champions program.

Presentation: OWASP Cinci - November 2022 - Security Champions Program

June 2022 Meeting

Conjur Secrets Management

Discussion Abstract: The process of making our code more secure has many components, but how we secure the keys to our kingdom is probably the area with the most to lose. After all, if an attacker has your database credentials, you’re toast. Yet many developers don’t have a comprehensive system for managing such sensitive information. Do your software developers have access to the production database? If an employee quits, could they take their credentials with them, or could you easily revoke access without affecting the other developers or production deployments? Can you easily audit access to your secrets and see which applications are using them? Can you easily rotate secrets that are used in containerized deployments in multiple different clouds? In this talk we’ll demonstrate how to solve all of these problems with Conjur, an open source secrets management application.

Speaker Biography: Hi! My name is Shlomo Heigh and I’m a senior software engineer at CyberArk. I maintain the Conjur open source secrets management application, primarily working on integrations with platforms like Kubernetes and engaging with the open source community. Before that, I was a full stack developer for a SaaS firm. I’ve worked with everything from Ruby to Go and am always looking for new things to learn. In my spare time I hang out with my wife and 3-year-old daughter, tinker with my 3D printer, and tend to my garden.

Presentation: OWASP Cinci - June 2022 - Conjur Secrets Management

April 2022 Meeting

Log4j Vulnerability - Overview and AppSec Implications

Discussion Abstract: In December of last year, security researchers discovered and disclosed a vulnerability in a ubiquitous piece of logging software known as Log4j. Log4j disrupted the lives of millions of security and IT practitioners scrambling to patch this easy-to-leverage vulnerability as quickly as possible. The scope of the vulnerability was broad, from the software that we use on a day-to-day basis to the software that many companies write for their line-of-business products. In this talk, Ryan Jones will give an overview of the vulnerability and the implications that Information Technology and Application Security Engineers should be aware of.

Speaker Biography: Ryan Jones is Paycor’s Sr. Director of Enterprise Architecture and is heavily involved in Information Security. In his 17-year career he has experience in all aspects of software development, from system design and development to QA and requirements verification. He is passionate about all facets of technology, including Systems Architecture and Information Security.

Location: Virtual Event - Zoom Conference Information Available through EventBrite Registration (TBD)

Presentation: TBD

May 2020 Meeting

Software Pen Testing – Burp Suite Primer and Extensions Deep Dive

Discussion Abstract: At the heart of web application security stands manual penetration testing capability. Burp Suite is a widely used application security toolkit that aids security testing through interception, tampering, and analysis of web traffic. While it’s an indispensable tool for AppSec professionals, there are opportunities to extend use cases of the product to others in your organization, including Quality Assurance and Engineering. For this talk, we’ll be providing a high-level overview of Burp Suite, the features that the product carries, and common uses of the platform across different roles within organizations. We’ll then spend time deep diving into different extensions that Burp Suite offers to drive additional value out of the product and elevate your testing.

Speaker Biography: Dhanashree is an Application Security Engineer with Paycor Inc. In addition to pentesting web and mobile applications, her focus areas include working with development teams to help build security into the SDLC. She has formerly worked as a security consultant and team lead with security services companies in the Telecom and Healthcare domains and is CISSP certified.

Location: Virtual Event - Zoom Conference Information Available through EventBrite Registration

Presentation: OWASP Cinci - May 2020 - BurpSuite Primer and extensions

October 2019 Meeting

The Softer Side of Security

Discussion Abstract: Having technical skills to help solve problems is a necessity, but what about navigating the world of execution? Ultimately we depend on many others to achieve our objectives. As skilled professionals we need to hone more than just our technical skills. Join us in a discussion that explores what a well-rounded security professional needs in order to build an effective application security program.

Speaker Biography: Allison Shubert has over 19 years’ experience in information technology, application security architecture, and risk management. She combines her development background and risk management skills to assist businesses in managing the changing landscape of cyber security. She holds a Master of Science degree in information assurance and the CISSP and CSSLP certifications. She regularly serves as a SME to (ISC)² for exam creation. She has also served on the paper selection committee for the OWASP global conferences for the last three years.

Presentation: /www-pdf-archive/Allison-Shubert_The-Softer-Side-of-Security.pdf

August 2019 Meeting

Server Side Request Forgery (SSRF) Attack Scenario and Defense Options

When: August 28th, 2019. 11:30 AM

Where: Paycor, 4811 Montgomery Road, Norwood, Ohio 45212

Discussion Abstract: A relatively new attack in today’s threat landscape is the Server Side Request Forgery, or SSRF. Theorized by many to have been the initial attack vector in the recent Capital One breach, this attack could provide external “command proxy” type access to an interested threat actor in a difficult-to-mitigate fashion. During this session, CBTS will talk about the typical flow of an SSRF attack, execute a demo attack against a target, and discuss possible defense scenarios that can be used to detect and/or protect an organization from this potential exposure.

Speaker Biography:

Nate Fair - Currently an information security consultant for the CBTS Security Services Team. Our team performs security services for 5-man shops and Fortune 5s. Services performed include network and wireless penetration testing, vulnerability assessments, security architecture and program reviews, web application testing, and physical security assessments. Nate also teaches penetration testing at the University of Cincinnati and is part of the team behind BSides Cincinnati, helping create its CTF competition.

Ryan Hamrick - While gaining experience in a number of business verticals including manufacturing, finance/banking, and technology consultancy, Ryan Hamrick has performed at a high level in the security industry for the past 11 years. In an IT career spanning 20+ years, Ryan has gained expertise in a wide variety of areas spanning software engineering, web application design and deployment, desktop support, security incident response, and security engineering. He is currently applying the knowledge gained through these experiences in order to provide expert-level security consulting services for CBTS customers, focusing on security policy and procedure design, holistic security architecture review, web application assessments, external and internal penetration testing and vulnerability assessments, social engineering assessments, and cloud security assessments.

Link to Presentation: /www-pdf-archive/SSRF.pdf

June 2019 Meeting

Managing Open Source Library Risk

Discussion Abstract: The rate at which modern applications are growing is beyond comprehension. To aid faster development, a major chunk of the code being developed consists of open source components, making it difficult for developers and development teams to manage alone.

The use of these components can inadvertently bring in security and compliance risks to the product and company. This presentation will focus on the importance of managing the open source components and risks associated with them.

Speaker Biography: Dhanashree is an Application Security Analyst with Paycor Inc. Apart from pentesting web and mobile applications, her focus areas include working with development teams to help build security into the SDLC. She has formerly worked as a security consultant and team lead with security services companies in the Telecom and Healthcare domains.

Presentation: /www-pdf-archive/Managing_Open_Source_Library_Risks.pdf

March 2019 Meeting

Application Security in a DevOps World

  • When: March 13th - 11:30 PM to 12:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

Hello OWASP Cincinnati! The spring thaw is nearly here, and in efforts to expedite the thaw let’s discuss the very hot topic of AppSec in DevOps. Join us for an insightful presentation on how security requirements can still be met in this brave new DevOps world in a discussion led by Ed Arnold, Security Solution Architect with Qualys.

Agenda:

  • Speaker and topic introduction
  • Presentation - “Application Security in a DevOps World” by Ed Arnold
  • Roundtable Discussion Opportunity
  • Housekeeping and Meeting Closure

Discussion Abstract: Jenkins, Travis CI, Bamboo, Docker, AWS, API, Agile, CI/CD are the new mainstream vocabulary of Developers who want more control over their processes, and businesses that increasingly prioritize time-to-market. After working for years to get into developers’ workflows, how can security practitioners keep pace with these “new” terms and the technology behind them? This presentation will discuss the challenges that may cause some security teams to give up in this new paradigm, and solutions to help ensure they remain in the game.

Biography:

Ed Arnold is a Security Solution Architect with Qualys, focusing on web application scanning and malware detection. He formerly held positions of Senior Security Engineer, Technical Architect and Principal Security Consultant over a twelve-year security career. Ed is focused on automating security testing and enabling developers to proactively address security issues.

Presentation: Coming Soon

January 2019 Meeting

Where Does It Hurt? - The Anatomy of a Data Breach

  • When: January 24, 2019 11:30 PM to 1:00 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

Happy 2019 OWASP Cincinnati! Let’s kick off the new year with a presentation pertaining to the anatomy of a data breach with specific focus on state-level notification requirements as well as broader trends in the realm of requirements in data security and privacy law. Pizza will be provided.

Agenda:

  • Speaker Introduction, Topic Overview, and OWASP Relevancy
  • Presentation - “Where Does It Hurt? - The Anatomy of a Data Breach” by Zach Briggs
  • Roundtable Discussion Opportunity
  • Housekeeping and Meeting Closure

Discussion Abstract: Awareness is not understanding. In the age of Google and WebMD, people are aware of a lot, but they don’t understand nearly as much. Case in point: all that causes sickness is not cancer, and not all who lose data have had a breach. My goal in this presentation is to challenge your understanding of what makes up a data breach by explaining its full anatomy so that you can diagnose where it hurts and how to fix it, or whether you are even sick at all. All while sharing some of life’s best medicine (laughter) along the way.

Biography:

Zach Briggs is Corporate Compliance Counsel at Paycor, a human capital management SaaS company based in Cincinnati. He has a management degree from Purdue University and his Juris Doctor from Northern Kentucky University. Zach enjoys seeing how things work and making them work better. He is responsible for driving compliance initiatives across Paycor’s entire organization, but has a special place in his heart for his friends in InfoSec.

https://www.linkedin.com/in/zacharybriggs/

Presentation: OWASP - Anatomy of a Data Breach

Meeting Sponsor: Paycor

November 2018 Meeting

AppSec Program: Real World Examples

  • When: November 13, 2018 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

Who: Bill Young - Cincinnati Children’s Hospital

Bio: Bill Young is Senior Security Analyst at Cincinnati Children’s Hospital. He’s held various roles over the course of his 15-year IT career including desktop support technician, system administrator, virtual desktop administrator and web application developer. He currently works in security, building an application security program and doing web application penetration testing. Outside of work he is married and has 5 children. He’s a proud member of the Knights of Columbus Catholic charity organization and a big sports fan.

Abstract: Industry reports, such as the Verizon Data Breach Investigations Report, consistently rank web applications as one of the top attack patterns that result in data breaches. This is increasingly reinforced as web application breaches at Yahoo, Equifax, Facebook and Google+ have all made the mainstream media over the last two years.

The de facto security controls of the past decade (IPS/IDS, network firewalls, web application firewalls) offer limited mitigation for on-premises applications and even less for cloud-based applications. To properly protect applications, the responsibility for securing them must be shared amongst the security, development and operations teams, and security must be integrated in all phases of the development lifecycle.

In this talk, I will share our experience creating and expanding an application security program that aims to do just that.  I will share the approaches we took (good, bad and ugly) to creating our long-term vision and goals, measuring our progress, engaging the development, operations and management teams, and creating security testing processes.

Presentation: A copy of the presentation can be found here

Meeting Sponsor: TekSystems

October 2018 Meeting

SecureWorld Expo Cincinnati Meetup

  • When: October 17, 2018 8:00 AM to 4:30 PM (ET)
  • Location: Sharonville Convention Center, 11355 Chester Rd, Cincinnati, OH 45246

Join us at SecureWorld Expo Cincinnati 2018! We will have a booth set up in the exhibition hall and will be talking all things security, especially AppSec! Additionally, Andy Willingham will be moderating a panel discussion on Phishing and Social Engineering. Come and learn some new tricks and freshen up on the old ones. We will have a meetup at the end of the event to discuss our November meeting and look forward to 2019.

June 2018 Meeting

OWASP Top 10 2017 Release

  • When: June 12, 2018 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

Who: Andy Willingham - OWASP

Abstract: 2017 saw the release of a new version of the OWASP Top 10 and there are lots of changes that we need to be aware of. We will look at the current Top 10 and talk about what’s new, what’s changed, and why we need to be aware.

Bio: Andy is the OWASP Cincinnati Chapter Lead and works for a local Health Care Provider helping them secure their environment and provide world class healthcare to the region. He has been in the field of technology for over 20 years and has been in information security for over 15 years.

Presentation: Coming Soon!

Meeting Sponsor: Signal Sciences

February 2018 Meeting

Credential Stuffing

  • When: Feb 13, 2018 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

Who: Adam Leisring - Paycor

Abstract: Just last year, over three billion credentials were reported stolen from various sources in both small and large amounts. Credential theft and “stuffing” is a real and present threat to all organizations and the risk of account takeover, particularly for privileged accounts, is substantial. In this presentation, we’ll take a journey through the various stages of credential stuffing from theft, to sale, to actual stuffing on sites. Next, we’ll review some tested controls that you can put in place to either detect or prevent this threat against your enterprise.

Bio: Adam is the Director of Information Security for Paycor, one of the largest independently held Human Capital Management companies in America. He oversees Information Security for Paycor’s 1400 associates as well as Paycor’s 30,000 clients of their award-winning Software as a Service product. In past positions, he has served in leadership roles including Technical Services and Operations, Enterprise Architecture and Software Engineering. Adam holds CISSP and CISM certifications as well as a Master’s Certificate in Corporate Information Security. Adam is a volunteer in ISC(2)’s Safe and Secure Online program which spreads security awareness to children at local schools.

November 2017 Meeting

GDPR: What is it and Why do I care?

  • When: Nov 4, 2017 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

  • Abstract: This is an open discussion around GDPR to help all of us understand it and learn some things that we need to focus on as we get ready to comply.

October 2017 Events

NKU CyberSecurity Symposium

  • When: Oct 13, 2017 8:30 AM to 4:00 PM (ET)
  • Location: Northern Kentucky University, Student Union Center

  • Details: Join us at the 10th Annual CyberSecurity Symposium. This promises to be a full day of learning and networking. We will have a booth setup in the Exhibitors area so stop by and say “Hi”. Additionally Andy Willingham will be speaking on SecDevOps.

SecureWorld Expo Cincinnati

  • When: Oct 24, 2017 8:30 AM to 4:00 PM (ET)
  • Location: Sharonville Convention Center, 11355 Chester Rd, Sharonville, OH 45246

  • Details: Join us at the 3rd Annual SecureWorld Expo. This promises to be a full day of learning and networking. We will have a booth setup in the Exhibitors area so stop by and say “Hi”. Additionally Andy Willingham will be speaking on Making the most of your relationship with your Audit teams.

May 2017 Event

Interface Cincinnati Conference

  • When: May 24, 2017 8:30 AM to 4:45 PM (ET)
  • Location: Duke Energy Convention Center, Junior Ballroom, 525 Elm St, Cincinnati, OH 45202

  • Details: Join us as we welcome the Interface Tour to Cincinnati. This promises to be a full day of learning and networking. We will have a booth setup in the Exhibitors area so stop by and say “Hi”. We will also be participating in a panel discussion or two. Keynote Speaker will be Brian Keys VP of Technology for the Cincinnati Reds. You can earn 6.5 continuing education credits and there is NO COST to attend!

April 2017 Meeting

Application Security Management- How Billion Dollar Enterprises Manage Application Security at Scale

  • When: April 27, 2017 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

  • Abstract: Security Compass recently completed a research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.
  • Speaker Bio: Rohit Sethi is a specialist in software security requirements. He has helped improve software security at some of the world’s most security-sensitive organizations in financial services, software, e-commerce, healthcare, telecom and other industries. Rohit has built and taught courses on Secure J2EE development. He also created the OWASP Design Patterns Security Analysis project. In his current role, Rohit manages the SD Elements team at Security Compass. Previously, Rohit managed the consulting practice at Security Compass. Mr. Sethi has appeared as a security expert on television outlets such as Bloomberg, CNBC, FoxNews, CBC, CTV and BNN. Rohit has spoken at numerous industry conferences, such as FS-ISAC, RSA, OWASP, Secure Development Conference, Shmoocon, CSI National, Sec Tor, CFI-CIRT, and many others. He has been quoted and/or written articles on several websites such as CNN.com, the Huffington Post, InfoQ, and Dr. Dobb’s Journal.

Presentation: A copy of the presentation can be found here

Meeting Sponsor: Security Compass

March 2017 Meeting

OWASP 2017

  • When: March 28, 2017 12:00 PM to 1:30 PM (ET)
  • Location: Paycor, 4811 Montgomery Rd, Cincinnati, OH 45212

  • Abstract: Join us for our 2017 Kick-off meeting. We will discuss the recent RSA Conference, SecDevOps, and enjoy a chance to network with others while eating Pizza. What could be better?
  • Presentation: A copy of the presentation can be found here

Meeting Sponsor: OWASP Cincinnati

2016 Presentations

October 2016 Meeting

Protecting your applications using RASP

  • When: October 25, 2015 12:00 PM to 1:30 PM (ET)
  • Location: TekSystems, 3825 Edwards Rd, Cincinnati, OH 45209

  • Abstract: Allison will be discussing the pros and cons of using RASP (runtime application self-protection) in your application lifecycle to help ease some of the pain associated with AppSec and the SDLC.
  • Speaker Bio: Allison Shubert

Meeting Sponsorship Provided by TEKsystems

April 2016 Meeting

OWASP 101 & The OWASP Top 10

  • When: April 12, 2016 12:00 PM to 1:30 PM (ET)
  • Location: The Christ Hospital, 2139 Auburn Ave, Cincinnati, OH 45219

  • Who: Allison Shubert and Andy Willingham
  • Abstract: There is a lot OWASP can do for you, so we are going to highlight some of the reasons that you should be involved and how OWASP can help you be a better security practitioner and/or software developer. We will also discuss how the OWASP Top 10 impacts your day to day life.

   Meeting Sponsorship Provided by OWASP

2015 Presentations

November 2015 Meeting

PCI Risk Assessment - A method to reduce breaches

  • When: November 18, 2014 12:00 PM to 1:30 PM (ET)
  • Location: Citi, 9997 Carver Rd, Blue Ash, OH 45242

  • Abstract: The recent breaches at PCI compliant organizations have raised questions on additional security measures that organizations can take to improve their security posture. Breaches are becoming part of boardroom discussions and it’s obvious that information security managers are in the spotlight to come out with answers on what they are doing to improve their security posture. This session aims to provide meaningful guidance on how PCI DSS Risk Assessment should be conducted, so that organizations can proactively safeguard themselves rather than waiting for a breach to happen.

    - What is a formal risk assessment
    - How to plan a formal risk assessment for PCI DSS Compliance
    - Common misconceptions in PCI Risk Assessment
    - How can a formal PCI Risk Assessment help you in securing your organization
    - Why PCI DSS Risk Assessment should be treated as a continuous business process for your organization

  • Speaker Bio:

- Dharshan Shantamurthy is the founder and CEO of SISA Information Security – a global leader of PCI Certification and Risk Assessment. Dharshan was one of the first PCI Qualified Security Assessors of the PCI Standards Body. Lately he was the leader of the PCI DSS Special Interest Group that authored the PCI DSS Risk Assessment Guidelines at the PCI Security Standards Council.

- Dharshan has also been a key security resource for various professional bodies globally – Software Engineering Institute, Carnegie Mellon; ISACA Chapters and International, E-Crime, Payment Card Industry, Payment Brands such as VISA/MasterCard, Microsoft. He has authored a certification program named CPISI, a PCI implementation workshop for security professionals working in the payment card industry.

- Dharshan had chaired the PCI Council’s Special Interest Group (SIG) for Risk Assessment in 2012 and also gave the update on SIG at the PCI SSC community meeting in Orlando, Florida. He is an invited speaker at various conferences including Microsoft CIO Summit, VISA Seminars, ISACA Global Security Summit and ISACA-TACS 2011 Conference.

Meeting Sponsor: SISA Information Security

October 2015 Meeting

Application Threat Modeling

  • When: October 13, 2015 12:00 PM to 1:30 PM (ET)
  • Location: Citi, 9997 Carver Rd, Blue Ash, OH 45242

  • Who: Allison Shubert of Citi
  • Abstract: Threat Modeling is an important tool in your application security toolbox. How do you do it and what value does it provide? Allison will shed light on this for us.
  • Speaker Bio: Allison Shubert

   Meeting Sponsorship Provided by OWASP

September 2015 Meeting

Security Code Review

  • When: September 2, 2015 12:00 PM to 1:30 PM (ET)
  • Location: Citi, 9997 Carver Rd, Blue Ash, OH 45242

  • Who: Kevin Glavin of Cigital
  • Abstract: A Radical Departure from everything you know and love [to hate] about code review. How can you change the way you apply source code review using modern and freely available tools in order to provide high-quality review. What, specifically, can you do to avoid the critical flaws we commonly find? How do you scale the effort up to an Enterprise worth of applications? … And down to the space in which a 2 week sprint lives? … Apply it to continuous deployment?
  • Speaker Bio:

Kevin Glavin is a Senior Consultant who has over 10 years of experience in a variety of roles including Lead Developer, Software Assurance Specialist, and Software Security Analyst. Kevin has worked with a number of Fortune 250 and multi-national companies, as well as government agencies. As a consultant at Cigital, he has led secure code review, penetration testing (hardware, software, and network), and architectural risk analysis of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. He specializes in integrating security testing techniques into existing tools and SDLC methodologies, and leveraging DevOps practices for consistency and agility.

Meeting Sponsorship Provided by Cigital

2014 Presentations

June Meeting

Building a Scalable Threat Modeling Practice in 7 Easy Steps

  • Abstract: Join us at 12:00 PM for lunch (Sponsored by MyAppSecurity) and a lively discussion around threat modeling and how to best secure your applications. Come prepared with your questions, thoughts, and ideas.
  • Speaker Bio: Archie is a Threat Modeling Guru with lots of experience in designing and implementing threat models and making them give you a real world view of how your apps measure up.

   Meeting Sponsor MyAppSecurity

March Meeting

OWASP Mobile Top Ten 2014 - The New “Lack of Binary Protection” Category

Mobile Applications and All of the Bad things that can happen to your Information and IP Inside them

  • Abstract: Recently, there has been a new addition to the OWASP Mobile Top Ten. At AppSec California, OWASP debuted the 2014 list and briefly highlighted examples of threats in the new M10 category. In my talk, I discuss the new category in much more depth. I educate the audience about the prevalence of binary risks in both iPhone and Android mobile apps. I highlight mobile app risks that relate to this new category and how to leverage particular OWASP Projects for the solution. By the end of this talk, you will have a solid understanding of binary risk and how to begin thinking about solutions to this category.

  • Speaker Bio: Matt Clemens is a Security Solutions Architect for Arxan Technologies, focusing on application security. Before joining Arxan in 2013 Matt spent 20 years in a variety of roles in the semiconductor and embedded processor industries.

Meeting Sponsor: Arxan Technologies

2013 Presentations

November Meeting

Developing a Software Security Assurance Program

  • Who: Kabir Mulchandani, Managing Principal at Cigital
  • Abstract: For decades technology has been an obvious key to competitive advantage across nearly every industry. Whether organizations develop new technology in-house or leverage third-party solutions, software vulnerabilities provide another attack vector for cyber criminals. Organizations are reacting by developing a software security initiative to manage the risks related to software vulnerabilities.

    This session will review some of the latest emerging industry practices in managing software security risks, including application penetration testing, static code analysis, software security testing, vendor assessments, security architecture reviews and developer training.

  • Speaker Bio: Kabir Mulchandani is a Managing Principal at Cigital. He has more than 17 years of experience in information security and management consulting. Kabir has expertise in developing and managing information security risk management, vendor management, software security assurance and Governance, Risk and Control (GRC) programs. Kabir leads Cigital’s Mid-Atlantic practice and focuses on enhancing the efficiency and effectiveness of software security programs.

Meeting Sponsor: Cigital

June Meeting

2013 Verizon Data Breach Investigations Report (VDBIR)

  • Who: Allison Schubert, Andy Willingham and Blaine Wilson of Citigroup
  • Abstract: The topic of the meeting will be a discussion of the 2013 Verizon Data Breach Investigations Report (VDBIR). Allison, Andy, and Blaine will be discussing the report and how we see it playing out in the lives of those of us who are tasked with protecting our companies systems and applications.

2012 Presentations

October Meeting

Is There An End to Testing Ourselves Secure?

  • Who: Rohit Sethi, Vice President, Product Development, SD Elements
  • Abstract: Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to vulnerabilities being discovered late in the development process, thereby causing either project delays or risk acceptance. Neither option is particularly appealing.

    This talk is an open discussion with the local chapter about whether there are scalable, measurable approaches that actually work in the real world to address security early in the SDLC, with consideration for how agile development impacts effectiveness. Points of discussion include:

    - Is static analysis sufficient?
    - Developer awareness training
    - Threat modeling / architecture analysis
    - Secure requirements
    - Considerations for procured applications

  • Speaker Bio: Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2’s Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb’s Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

  Meeting Sponsor SD Elements

October Joint ISSA and OWASP Meeting

The Unfortunate Reality of Insecure Libraries

  • Abstract: Today, 80% of the code in applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. In partnership with Sonatype, our researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central Repository and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business.
  • Speaker Bio: As a pioneer in the software development and security field, Jeff Williams is one of the world’s foremost experts on application security. Williams is the co-founder and CEO of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which Williams has made industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Williams holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law.

August Meeting

WebScarab Tutorial and Demonstration

  • Who: Blaine Wilson, Technical Security Officer, Citigroup
  • Abstract: Join us for our August meeting. This month Blaine Wilson will entertain and educate us with a tutorial and demonstration of how to use WebScarab to test and protect your web sites and apps. We will also get a quick Black Hat/DefCon recap from Allison Shubert.
  • Speaker Bio: Blaine is a technical security officer for Citigroup and has several years experience as a application security guru and as a programmer so he is uniquely qualified to share his experiences and knowledge with us.

July Meeting

Addressing Threats to the Nation’s Cybersecurity

  • Who: Intelligence Analyst Anne Hanko of the FBI

June Meeting

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

  • Abstract: Cloud IT velocity is breathtaking: while most IT struggle with monthly releases, agile IT businesses routinely conjure thousands of AWS servers, performing over 10 deploys per day. This agility delights the business and terrifies security. DevOps aligns the former adversaries of Dev and Ops. Security needs to enable ludicrous speed or be left behind. We make a case for Rugged DevOps as an answer.
  • Speaker Bio: Joshua Corman is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience in security. Most recently he served as Research Director for Enterprise Security at The 451 Group following his time as Principal Security Strategist for IBM Internet Security Systems. Mr. Corman’s research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives. His research and education efforts won him the title of Top Influencer of IT by NetworkWorld magazine in 2009. Mr. Corman is a candid and highly-coveted speaker with engagements at leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS. As a staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, and co-founded Rugged Software – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman received his bachelor’s degree in philosophy, graduating Phi Beta Kappa and summa cum laude, from the University of New Hampshire. He resides with his wife and two daughters in New Hampshire.

    Corman can be found on Twitter @joshcorman and on his blog at http://blog.cognitivedissidents.com/

Meeting Sponsor: Akamai

May Meeting

Pragmatic Cloud Security

  • Abstract: Cloud security is more than just hype. I’ll do a quick overview of the reality of cloud computing versus the hype and then take things a step further and teach how one can pragmatically deploy to the cloud in a way that takes security, privacy and operational concerns into account without hindering the business. It’s not as hard as it sounds, it just requires leveraging the right people, process and technology, and I’ll show you how.

Meeting Sponsor: Modis

April Meeting

Top Ten Web Defenses

  • Abstract: We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
  • Speaker Bio: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.

Meeting Sponsor: WhiteHat Security

March Meeting

The Danger of the Security ASS-umption

  • Who: Michael Farnum, Security Advocate for Accuvant
  • Abstract: Many enterprise technical security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered. This is often due to risk ASS-umptions that are made by security staff / management, and these ASS-umptions often cause failures in findings. Come join a discussion on the breakdown of a technical security assessment, explore the essential attack vectors, and debate the depth to which the assessment should go.
  • Speaker Bio: Michael is the Security Advocate for Accuvant. Michael has over 17 years experience in IT and security, specializing in security infrastructure design and information security management. A skilled communicator, Michael is a well known security blogger and podcaster. Michael has spoken on various security topics at several conferences and events across the United States. He holds several security and technology certifications, including the ever-controversial CISSP. Prior to joining Accuvant, Michael was the Information Security Manager at The Menninger Clinic in Houston, TX. Before that, Michael performed random acts of security lunacy at companies all over Houston, TX.

Meeting Sponsor: Accuvant

February Meeting

How To Do Mobile Application Assessments

  • Abstract: This talk will focus on mobile application assessment techniques. The assessment techniques will focus on how to test applications for the OWASP Mobile Top 10 issues. Mitigation techniques for both Android and iOS will be discussed. Mallory, Intrepidus Group’s Man in The Middle tool designed to test mobile devices and applications, will be demonstrated throughout the presentation. Additionally, usage of other open source tools will be demonstrated. Both iOS and Android will be discussed.
  • Speaker Bio: Jeremy Allen is the Chief Technology Officer with the Intrepidus Group. Jeremy is a regular speaker at popular security conferences such as BlackHat, SOURCE and OWASP AppSec. He is currently the lead on the development of the SANS “Secure Mobile Application Development: iOS App Security” course. He has conducted numerous application assessments against iOS applications.


January Meeting

Mobile Application Security

  • Who: John Steven and Jason Rouse
  • Abstract: Mobile devices are on your network and they are out to get you. Are you ready?
  • Speaker Bios: John and Jason both work for Cigital.

    - John Steven, Internal CTO: John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks regularly at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter.

    - Jason Rouse, Principal Consultant: Jason has spent the last five years designing, implementing, and deploying state of the art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. His work has helped clients to identify the biggest risks in their mobile applications; for example, after reviewing a mobile payment system which used SMS messages to alert the user to opportunities in the market, errors were found in the handset and back-end that could lead to denial of service on both the handsets and the back-end servers. The mobile environment’s mix of custom hardware, software, and architectures can make finding, verifying, and remediating these types of issues exceptionally difficult, showing the unique security threats present in mobile environments. As a trusted advisor, Jason has led standards efforts, chairing the FSTC Mobile Payment Security workgroup to identify and document technology-based opportunities for banks in the mobile arena. The project aims to define standards for technology and interoperability that give all mobile phone users a seamless, secure, and easy-to-use payment option for everyday banking.

2011 Presentations

November Meeting

The Alphabet Soup of Security Certifications

  • Who: Allison Shubert
  • Abstract: Certifications are a part of our life whether we like it or not. What are your choices? Are any of them worth the time and effort it takes to get them and then to maintain them? It’s a jungle out there and luckily we have a guide to help us sort it all out. Allison will help us sort out the mess that we call Alphabet Soup and help us understand whether or not certifications are worth it for you.
  • Speaker Bio: Allison Shubert has over 11 years of experience in IT concentrating on security and risk management. She is CISSP and CSSLP certified and also serves as a subject matter expert for ISC2 for the CISSP and CSSLP certifications.

October Meeting

Debugging The Attack

  • Who: Blaine Wilson
  • Abstract: Please join us as Blaine Wilson attaches a debugger to some of the OWASP Top Ten Web Application Vulnerabilities. No technical experience is required. Blaine will explain each vulnerability in plain English and then he will launch an attack so you can watch the vulnerability be exploited step by step.
  • Speaker Bio: Blaine has 18 years of experience in database design, web application architecture and information systems security. He currently works for Citigroup as an Information Security Officer.

September Meeting

Software Security and the Building Security in Maturity Model

  • Who: Dr. Gary McGraw, CTO of Cigital
  • Abstract: Using the framework described in my book “Software Security: Building Security In”, I will discuss and describe the state of the practice in software security. This talk is peppered with real data from the field, based on my work with several large companies as a Cigital consultant. As a discipline, software security has made great progress over the last decade. Of the sixty large-scale software security initiatives we are aware of, forty-two, all household names, are currently included in the BSIMM study. Those companies among the forty-two who graciously agreed to be identified include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives. The BSIMM can help you determine how your organization compares to other real software security initiatives and what steps can be taken to make your approach more effective.

August Meeting

Defending against XSS

  • Who: Jason Montgomery, SANS Instructor, Secure Coding in .NET: Developing Defensible Applications

The presentation can be downloaded herein

A video recorded at the Ohio Information Security Forum is available from here

July Meeting

Managing Risk with Threat Modeling

  • Who: Anurag Agarwal, MyAppSecurity Founder
  • Abstract: Threat and vulnerability exploits are gaining momentum at many companies today because of the recent hacks at Sony, PBS, CIA and other high profile companies. These companies had already adopted mature vulnerability assessment and secure code analysis processes and tools and yet were still negatively impacted by these hacks, which proves the point that it is not enough to rely solely upon traditional application security assessments and tools to mitigate the risk and the impact of such hacks. The new approach is to use a threat modeling tool and process to identify vulnerabilities during design, and then use Vulnerability Assessment (VA) and/or Static Code Analysis (SCA) tools to validate that these threats and vulnerabilities are mitigated in the application and/or source code. More and more organizations have realized that identifying threats during the design phase and planning a technical risk mitigation strategy earlier in the SDLC helps in controlling risks as well as in saving time and money. Threat Modeling can guide application development teams in ensuring that the organization’s security policies are followed at design time, prior to the development and testing of the application. By creating pre-approved security requirements and applying them with a repeatable and scalable process, you can assist your organization’s development teams in building secure applications easily and effortlessly.

The presentation can be downloaded from here

June Meeting

Magic Numbers - Proving Success Through 5 Powerful KPIs

  • Who: Rafal Los, Application Security Evangelist at HP
  • Abstract: By now, most enterprises have figured out the dire need for software security assurance (SSA) programs, and are working on improving the security of their applications. The problem these organizations face now is that these initiatives are most often security-team-driven and either fear-based or run on “black magic”. As organizations mature and start to examine budgets and program spending more carefully, these SSA programs are having a difficult time explaining what they do, and how (if at all) they’re succeeding in lowering the risk posture of their parent organization. This talk defines Key Performance Indicators (KPIs) which will help bridge the gaps between the business and the technical security team that supports it. The KPIs presented will provide business context and assist in having a more intelligent conversation with the rest of the technology organization when it comes to answering the question “Is the [SSA] program working?”.

April Meeting

How to Develop Secure Web Applications with the OWASP Enterprise Security API (ESAPI)

  • Who: Andrea Cogliati, Owner & Security Consultant, Dollos Srl
  • Abstract: ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, U.S. Navy - SPAWAR, The World Bank, SANS Institute.

March Meetings

  • Who: Jeremiah Grossman, Founder & CTO of WhiteHat Security
  • Abstract: Jeremiah Grossman, Founder & CTO of WhiteHat Security, will draw from their most recent Website Security Statistics Report - A statistical picture from over five years of continuous vulnerability assessment results taken from over 3,000 websites across 400 organizations. This represents the largest, most complete, and unique dataset of its kind. The presentation will be purely metrics focused, specifically discussing which classes of vulnerabilities are the most prevalent, measured remediation rates, time-to-fix analysis, and sorted by industry and organization size. While already incredibly revealing, the discussion will also go further back into the SDLC to better understand how many and how often vulnerabilities are introduced. For some organizations the problem area may simply be the volume of vulnerabilities introduced. For other organizations the primary challenge is obtaining the resources to fix the vulnerabilities that are identified. For others, the greatest need is to accelerate the vulnerability resolution process. This is the level of detail organizations need to measurably improve their application security programs.

    Meeting Sponsor: WhiteHat Security

ATM Threats, Vulnerabilities and Exploits

  • Who: Barnaby Jack, Director of Research, IOActive
  • Abstract: The most common attacks on Automated Teller Machines (ATMs) typically involve the use of card skimmers or the physical theft of the machines. Barnaby Jack’s research goes beyond physical vulnerabilities and reveals software-based attacks. He will demonstrate both local and remote attacks, and reveal a multi-platform rootkit. The rootkit was specifically designed for ATMs to give an attacker the ability to dispense cash from the machine, retrieve ATM passwords and settings, and retrieve tracking data remotely.

February Meeting

Cloud Computing Security

  • Who: Dr. James Walden, Assistant Professor Department of Computer Science at Northern Kentucky University
  • Abstract: Cloud computing is an emerging paradigm for large scale web application deployment. While cloud computing may reduce the complexity and costs of web application deployment, it also introduces new risks and requires a fundamentally different approach to security. Traditional security approaches such as firewalls and network intrusion detection are either impossible or inappropriate for cloud applications. New risks include loss of governance, failure of compliance with regulations that assume infrastructure is physical rather than virtual, an expanded attack surface resulting from the connection between your organization and the cloud, and hypervisor attacks that may enable attackers on the same physical server to access your data. This talk will address how these risks occur in the context of cloud computing and will examine ways to mitigate them.

The presentation can be downloaded from here

January Meeting

How to Prevent Business Flaws Vulnerabilities In Web Applications

  • Who: Marco Morana, OWASP Cincinnati Chapter Lead
  • Abstract: Business logic attacks (BLA) represent a growing threat for web applications. BLA specifically target the business logic of the application to exploit vulnerabilities that are uncommon and specific to the application logic. Examples of these vulnerabilities include a flaw in the shopping cart of the application that allows a malicious user to alter the price of an item, and access to unauthorized business transactions through forceful browsing to a web page, bypassing the normal workflow of the application. The scope of the presentation is to analyze the threat posed by BLA and provide examples of how a threat modeling methodology can be used to identify application-specific flaws and devise countermeasures so that these attacks can be both prevented and detected.

The presentation can be downloaded from here

2010 Presentations

November Meeting

  • Presentation Title: Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications, Marco Morana, OWASP Cincinnati Chapter Lead

- The presentation can be downloaded from here

- According to the Gartner hype curve, Web 2.0 technologies have reached a stage of mainstream adoption by businesses; therefore it is critical for information and application security to understand the security implications of adopting Web 2.0 technologies. Web 2.0 not only amplifies traditional Web 1.0 vulnerabilities such as XSS, CSRF and data injection vulnerabilities but also introduces new threats: this is due to the intrinsic functionality that Web 2.0 technology is designed to provide. For example, Web 2.0 technologies provide a richer client and user experience than Web 1.0, foster user collaboration on sites through user-provided content, and bring customers closer to businesses through participation in social networking sites. The first step is to perform a vulnerability and threat analysis of Web 2.0 applications. From a vulnerability and threat analysis perspective, Web 2.0 application vulnerabilities can be analyzed using both the OWASP Top 10 and WASC Top 50 threat categorizations. Critical to the vulnerability analysis of Web 2.0 applications is the determination of the vulnerability root causes: only through the identification of their root causes can vulnerabilities be eradicated. The second step is to build secure Web 2.0 applications. Secure design and implementation of Web 2.0 applications starts with a plan for adopting software security activities as part of the SDLC. Essential software security activities include the documentation of secure coding requirements for Web 2.0 technologies such as AJAX, secure design and review of Web 2.0 architectures, manual/automatic secure code reviews/analysis, and security testing. Security testing needs to target both Web 2.0 client/desktop components (e.g. FLASH, RIA, mashups) and server components/functionality (e.g. Web services). Finally, the third step includes managing the business risks that Web 2.0 design flaws and bugs might pose to the business.
The OWASP risk methodology and a Web 2.0 risk framework are proposed as the methodology to analyze and manage Web 2.0 security risks. A simple example of how to integrate a Web 2.0 technology securely, such as a Twitter interface to a web site, is also presented.

October Meeting

  • Presentation Title: TLS Renegotiation, the vulnerability, the Twitter attack and ways to tell if your application is vulnerable and how to fix it. Mr. Blaine Wilson, Information Security Architect at Great American Insurance. The presentation can be downloaded from here

September Meeting

  • Presentation Title: Data Security challenges in the all too Public and not so Private sectors. Mr. Patrick Gray, Principal Security Strategist of Cisco Systems

- The presentation can be downloaded from here The Internet threat landscape has shifted. What used to be a playground for hackers, crackers, script kiddies and packet monkeys is now a borderless abyss of organized crime fueled by financial gain and state sponsored forays into our critical infrastructures. Cisco Systems’ Patrick Gray, a twenty-year veteran of the FBI, will explore the current threat landscape by highlighting the newest cyber criminals and examining the latest tactics employed by these predators. Gray will address how spammers, phishers, botmasters and hackers interact with this new crime element utilizing Web 2.0 technologies and how we can prepare our infrastructures to stave off these relentless attacks and protect our critical business assets.

July Meeting

  • Presentation Title: Botnet Attacks and Web Application Defenses. Gunter Ollmann, VP of Research, Damballa

- The presentation can be downloaded from here. Security researcher Gunter Ollmann of Damballa provides an analysis of botnet threats and the crimeware used by cybercriminals, including banking trojans such as Zeus. Information about the attacks used against soft targets such as the user’s browser is covered, including Man-in-the-Browser (MiTB) and Man-in-the-Middle (MiTM) attacks. Examples of how these attack techniques are used against banking customers are included, as well as the protection strategies that banks can adopt to defend against them, with specific emphasis on online banking applications.

June Meeting

  • Presentation Title: Security of plugins compared to the main applications. Dr. James Walden, Assistant Professor, Department of Computer Science at Northern Kentucky University

- The presentation can be downloaded from here. Popular open source web applications have evolved into complex software ecosystems, consisting of a core maintained by a set of long-term developers and a range of plugins developed by third parties. These plugins accomplish such tasks as adding forms to a content management system, connecting a blog with social networking systems, or even scanning for malware infecting the application. The security of such web applications depends as much on vulnerabilities found in plugins as it does on vulnerabilities in the application core. In this talk, we will examine the security of plugins and the impact of adding plugins on the security of those applications. We will look at empirical data, such as the number, types, and locations of vulnerabilities in these web applications, and examine how we can use such data to decide which applications to use and how to focus our efforts on securing such applications.

May Meeting

  • Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications. Clint Pollock, Senior Solutions Architect at Veracode

    Meeting Sponsor Veracode, Inc.

- The presentation can be downloaded from here. With the increasing practice of outsourcing and using third-party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third-party developers or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams. In this session we will cover: (1) the prevalence of backdoors and malicious code in third-party attacks; (2) definitions and classifications of backdoors and their impact on your applications; (3) methods to identify, track and remediate these vulnerabilities.

April Meeting

  • Measuring Your Proactive Security Efforts. Cassio Goldschmidt, Senior Manager, Symantec Corporation.

- The presentation can be downloaded from here. Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress. Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple-to-obtain yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers in determining areas that need improvement. In this pragmatic presentation we’ll discuss metrics used at Symantec, the world’s largest security ISV, to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and on different products. We’ll also discuss how to easily provide decision makers with different views of the same data, verify whether the process is indeed catching critical vulnerabilities internally, and see how the numbers compare with the competition.

March Meeting

  • Thick Client Application (In)Security. Mr. Neelay S Shah, Senior Software Security Consultant, Foundstone Professional Services, A Division of McAfee Strategic Security

- The presentation can be downloaded from here. Applications are becoming richer in terms of their user interface, attempting to leave a lasting impression on users and wanting them to come back for more. Applications these days expose various ways for the user to interact with the application to create a “rich” application experience. Thick client applications are the preferred choice to guarantee the above principles since they can leverage existing robust frameworks such as JAVA and .NET to create a rich user interface and are not limited by the browsers’ (in)ability to render user interface elements. However, with the increased sophistication comes increased complexity, and hence it is not uncommon to find client applications that are not only serving as the “presentation” tier but also potentially contain business logic to a varying extent. Security testing thick client applications is a fairly involved and specialized task compared to security testing web applications, since each thick client is custom designed and developed for the application at hand. As such, security testing each thick client application potentially involves dealing with different technologies and communication protocols and hence necessitates the use of different approaches. Attendees will learn the different strategies and methods that can be used for successfully testing thick client applications. We will discuss the different techniques for bypassing client-side checks, including methods for understanding and intercepting client-server network communication. We will also evaluate the above mentioned techniques in depth in terms of their advantages, disadvantages and when to use each particular technique. This talk is intended for application testers, developers, project managers and application security professionals.

February Meeting

  • Modern Application Testing Methodologies. Mr. Mark Maxey, Principal Consultant, Accuvant

    Meeting Sponsor: Accuvant

- This talk will give an overview of contemporary application testing methodologies and tools. A comparison of the various methodologies will be provided in conjunction with the results of an in depth analysis of the various methodologies when paired against real world applications.

January Meeting

  • Microsoft Security Development Lifecycle Tools. Russell McMahon, Associate Professor of IT at the College of Applied Science, University of Cincinnati.

- The presentation can be downloaded from here. This talk will focus on the tools that Microsoft has developed to aid in creating more secure applications. Microsoft developed the SDL system back in 2004 and it has begun to mature, but it still has a way to go. They have incorporated their Threat Analysis Modeling (TAM) tool into their SDL system and now call it the SDL-Line of Business (LOB) tool. This talk will also look at some of the other systems that exist for developing secure applications.

2009 Presentations

November Meeting

  • Virtual Patching for Web Applications: Theory and Practice. Ryan Barnett, Director of Application Security Research, Breach Security Inc

- Fixing identified vulnerabilities in web applications always requires time. Organizations often do not have access to a commercial application’s source code and are at the vendor’s mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called “just-in-time patching” and “virtual patching”) is one of the biggest advantages of web application firewalls, as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes. This presentation will outline exactly when and where Virtual Patching is appropriate and will show the proper steps for creating and testing virtual patches.

October Meeting

  • Threat analysis as methodology for deriving risk-based security tests of web application software. Marco Morana, OWASP Chapter Lead (presented at 2009 IMI Security Symposium & Expo)

- The presentation can be downloaded from here. The risk that a web application might incur a security incident such as a major data breach depends on several risk factors, such as exposure to the public internet, the likelihood of being a target, and the knowledge, tools and techniques available to the attacker to break into the application. In order to mitigate such risks, web applications are security tested with techniques such as penetration testing and secure code analysis. The aim of this presentation is first to introduce the audience to the basics of security testing, such as the derivation of functional and non-functional security requirements and the execution of security testing as part of the SDLC and of developer and tester workflows. The presentation will also cover the most used security testing techniques, the OWASP testing guide, tools, vulnerability reporting and testing metrics. Companies often use security tests to meet compliance requirements such as PCI-DSS; passing such security tests provides a level of application security assurance, but in light of the several data breaches occurring to organizations today it is logical to ask whether we can consider an application secure because security testing did not find any high or medium risk vulnerabilities. From the perspective of security testing, this status quo advocates the need for a new approach toward security testing: a risk-based, threat-driven approach. From the risk mitigation perspective, security tests need to validate mitigations against new attack techniques used by cybercriminals and fraudsters and focus on tests where the difficulty of the attack is the least and the impact is the highest.
The presentation will provide examples of the derivation of risk-based security test cases using data from cyber-intelligence reports, attack tree analysis, attack vector analysis, security flaw analysis, use and misuse cases, and application threat modeling/secure architecture analysis.

September Meeting

  • The rise of threat analysis and the fall of compliance in mitigating cybercrime risks. Marco Morana, OWASP Chapter Lead (also presented to OWASP LA and Orange County Chapters)

- On August 5, 2009, Federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft ever to have occurred in the United States: the theft of 130 million credit card numbers by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. This massive theft of credit card data happened despite Heartland Payment Systems and Hannaford Bros having passed security audits in compliance with the PCI-DSS standard. This fact leads one to question the effectiveness of regulatory compliance frameworks, and specifically compliance with PCI-DSS standards, in reducing the likelihood of data breaches, identity theft, and credit card fraud. This presentation will further analyze the impact of these data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of the incident. It is shown how monetizing the loss due to data breaches helps to frame non-compliance risks as a factor of business impact rather than of non-compliance fines. Traditional compliance and audit driven security assessment efforts are compared with a threat analysis approach: it is demonstrated that cybercrime risks require organizations to move beyond audit and compliance. Moving beyond means understanding complex threat scenarios and studying attacks in the wild with cyber-intelligence. Cases of publicly reported cybercrime attacks are used to outline the new threat landscape and the attack scenarios. The attacker motives and the means to achieve them will be analyzed by using attack trees: an attack tree can be used to analyze cyber attacks against web applications, breaches of credit card data as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of multi-factor authentication against attacks such as MiTM (Man In The Middle).
Examples of attack vectors for testing defenses against cybercrime attacks (e.g. HTML-IFRAME Injection Attack Vectors and drive by download) will be provided. Data Flow Diagram (DFD) analysis and Architecture Risk Analysis examples will be presented to identify the entry points for attack vectors and the user access levels that can be exploited, and to enumerate threats, attacks, vulnerabilities and countermeasures. Security by deployment and security by design concepts will be elaborated as a strategy to build countermeasures using security by design architecture principles. Finally, risk mitigation strategies will be discussed as self-awareness questions. The presentation re-affirms that audit and compliance need to be approached as a factor of minimum business risk mitigation. A cybercrime risk mitigation strategy needs to consider application threat modeling as a critical assessment for high risk web applications.

August Meeting

  • OWASP T10 For Web Services. Marco Morana, OWASP Chapter Lead

- The presentation is available herein. Following the video presentation of Gunnar Peterson’s talk at the OWASP USA NYC 08 AppSec Conference, a summary of the OWASP T10 Vulnerabilities for Web Services is highlighted, as well as the recommended countermeasures. Discussion points around Web Services security were proposed, as well as further references to OWASP Web Services Security resources.

July Meeting

  • An Empirical Study of Web Application Security Trends. Dr. James Walden, Assistant Professor, Department of Computer Science, Northern Kentucky University

- What is the current state of web application security? Are web applications more or less secure than they were last year? This presentation will attempt to answer those questions through an empirical study of popular open source web applications over the past two years. Data and statistics on vulnerability density, vulnerability types, and vulnerability severity will be analyzed, along with software metrics that may reflect application security.

June Meeting

  • The Web Hacking Incidents Database (WHID) – 2009 Analysis. Ryan Barnett, Breach Security Inc

    Meeting Sponsor: Breach Security Inc

- The presentation is available herein. The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID’s goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. This presentation will highlight the statistics gathered from the 1st half of 2009 (January – June) and provide insight into categories such as: 1) Top Attack Methods, 2) Top Compromise Outcomes, 3) Top Target Geographic Region, 4) Top Vertical Markets Hit. The presenter will also provide some in-depth analysis of emerging threats/attack techniques such as planting of malware on websites and reflected cross-site scripting through SQL injection.

May Meeting

  • OWASP T10 Vulnerabilities and Security Design Flaws Root Causes. Marco Morana, OWASP Chapter Lead

- The presentation is available herein. The fact that security flaws are still so pervasive in web applications today highlights the need to identify and fix them by looking at the root causes in the application architecture. This presentation will look at OWASP T10 vulnerabilities from the perspective of root causes in design and provide examples of how these vulnerabilities can be identified in a threat model and mitigated at different layers of the application architecture. Strategic and tactical approaches to the OWASP T10 will be discussed. The strategic approach will cover concepts and principles of security by design, such as secure architecture principles and requirements for designing security controls. The OWASP Application Threat Modeling process is provided as a reference even though it is not discussed in this presentation.

April Meeting

  • April 28th Presentation: Bad Cocktail: Application Security Flaws

- The presentation is available herein. Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies…and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a “hackers” repertoire. Phishers are combining social engineering with application security flaws in well known websites to make automated detection of targeted phishing attacks almost impossible. The result - hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

March Meeting

  • March 24th Presentation: Application Testing Methods and Modern Threats. Presenter: Mark Maxey, Principal Consultant – Application Specialist – Accuvant, Inc

- A walk through the state of the available tools for finding vulnerabilities, tying the discussion into PCI DSS.

January Meeting

  • Threat Analysis and Modeling. Russell McMahon, Associate Professor of IT at the College of Applied Science, University of Cincinnati.

- Security is a big issue and all too often it is only thought of as it applies to the network administrator. However, programmers face a host of threats to their applications. The solution is to build a threat model. The purpose of a threat model is to aid in identifying potential threats before a system is built, not after. This talk will cover some of the common threats to applications and how to prevent them. This talk is based upon Microsoft’s Threat Analysis and Modeling (TAM) tool and their newest version which is now part of their Security Development Lifecycle (SDL). This tool has been used by companies such as Ford and Boeing as a part of their total information life cycle process. Additional resources will also be discussed.

2008 Presentations

November Meeting

- The presentation is available herein. How safe are your web applications? You’ll think twice after seeing how Foundstone security experts dig into their hacker’s toolbox and rip open web applications by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery. Even if you’ve seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Countermeasures to prevent mistakes will then be shared.

October Meeting

- The presentation is available herein. The presentation covered the current trends in phishing and how to establish countermeasures from an infrastructure perspective, from an application development perspective, and through user awareness training.

September Meeting

  • Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations. Marco Morana (TISO Citigroup) & Scott Nusbaum (Security Analyst Citigroup)

- The presentation is available herein.

- Input validation vulnerabilities in web applications can be exploited with attack vectors to cause business impacts such as information disclosure, data alteration and destruction, denial or degradation of service, financial loss, fraud, and reputation and brand damage. Several web applications today have implemented filtering techniques to block such attack vectors; unfortunately such filtering techniques are seldom based on black lists that fail when attackers use filter evasion techniques such as single and double encoding. This presentation will cover the basic understanding of attack vectors, the malicious payloads that can be carried, and the techniques used by attackers to evade input validation filters. Lists of different variations of encoded XSS attack vectors and constructed SQL injection vectors will be presented. From the defensive perspective, these lists can be used as cheat sheets for testing the efficacy of input filtering techniques. A demonstration of a sample implementation of effective input validation using the J2EE Struts framework is also presented. During the presentation, web application developers and architects will be introduced to the concepts of canonicalization, encoding and sanitization and guided on the most effective input validation strategies and techniques, as well as on the best use of available input validation resources from OWASP.

August Meeting

  • The OWASP Enterprise Security API (ESAPI) - Joe Combs, Staff Consultant, SEI-Cincinnati LLC

- The presentation is available herein.

- Security controls are central to developing secure applications, yet few development teams code them properly (if they code them at all!). The OWASP Enterprise Security API (ESAPI) provides a set of well defined interfaces for doing security “right” within your application and provides a reference implementation of these interfaces. ESAPI handles difficult tasks such as validation, encoding, encryption, and more. This presentation will provide a guided tour of ESAPI capabilities and recommended usage to combat the most pernicious vulnerabilities.

July Meeting

  • Building Security Into Applications - Marco M. Morana, TISO Citigroup

- The presentation is available herein.

- What is the best way to start a software security initiative within your organization? First you need to present the business case to management in terms of costs, threats and root causes. Subsequently you need to provide a roadmap. The first step of the roadmap is to evaluate the maturity of secure software development processes, tools and training. The next step is to adopt a framework for software security activities, software development and risk management processes: security-enhanced software process models such as MS SDL, OWASP CLASP and Cigital TP are examples of security engineering frameworks that can be used. Software security activities such as threat modeling, secure code reviews and security testing work as checkpoints to validate software artifacts and manage software security risks. Finally, data such as vulnerability metrics and process management metrics help to manage and optimize the software security processes in the long term and show the effectiveness of the software security initiative to the organization.

June Meeting

- The presentation is available herein.

- Hackers use injection attacks to bypass firewalls and take control of web applications so that they can grab sensitive data or use the site to distribute malware to users. While the most common type of this attack is SQL injection, injection attacks can target any interpreter used by the web application, including ASP, LDAP, PHP, shells, SMTP, SOAP, and XPath. This talk will demonstrate step by step how injection attacks work and show how to eliminate injection vulnerabilities with secure programming techniques.

May Meeting

  • Cross Site Request Forgery Vulnerability In Depth Dive In - Marco M. Morana, Technologist/Author, TISO Citigroup

- The presentation is available herein.

- CSRF vulnerabilities can be exploited to perform unauthorized transactions on behalf of a logged-in user by exploiting the trust between the browser session and the web application. Such unauthorized transactions include transfer of funds in an on-line banking application, denial of service through forced logout, data tampering and information disclosure, as well as unauthorized access. The in-depth session will cover how and where CSRF happens, how it can be identified (i.e. tested for), and how it can be prevented with the adoption of effective countermeasures. OWASP documentation will be covered in detail, as well as CSRF tools such as CSRFGuard.

April Meeting

- Major Bruce C. Jenkins (USAF, Ret.) - Security Practice Director at Fortify Software Inc.

    Meeting Sponsor: Fortify Software Inc.

- The revealing documentary features candid interviews with criminal hackers and with industry executives taking steps against their persistent attacks. Learn about the shocking exposure of IT systems and how to address the changes.

March Meeting

  • Source Code Reviews and Open Source Static Analysis Tools - Allison Shubert, Security Specialist, Citigroup

- Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time-consuming process, but it is a link in the chain for producing secure software. Join us as we explore building a business case for static analysis and review the current open source static analysis tools.

  • An Introduction to Web Proxies - Blaine Wilson, Technology Information Security Officer, Citigroup

- Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

February Meeting

  • OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)

- The presentation is available herein.

- Before diagnosing the disease and providing the cure, a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In the case of application security, the majority of the root causes of security issues lie in insecure software; the risk factors can be found in how badly the application is designed, the software is coded and the application is tested; and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways of enforcing software security by looking at the risk that threat agents (attacks) exploit vulnerabilities due to insecure software, and at the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weaknesses in application security controls, it is easier to describe the root causes as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten; for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find out whether you are vulnerable and, if you are, which countermeasures need to be implemented.

January Meeting

  • Introduction to OWASP - Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)