OWASP Hartford, CT
Welcome
Most of our chapter event coordination is done via Meetup. Link to Meetup
Local News
OWASP CT Chapter Planning (Virtual) 4/9
Get together to kick off 2021 planning activities
OWASP CT @ Queens High School for the Sciences at York College 3/12
Day in the Life of a Computer Security Professional - We get high school students excited about computer security and what it’s like to be a builder, breaker, or defender.
Agenda:
- What people think we do
- What we actually do
- How I got here; my path to computer security
- College
- Penetration Testing
- Cybersecurity careers
- Job skills
- Computer Science not required
- The cybersecurity pipeline problem: you’re the solution!
(Virtual) Multiday Secure Code Tournament Date/Time: 5/21/20-5/26/20 We’re planning a multi-day virtual secure coding tournament in May. The start date is Thu, 05/21/20. The competition runs over five days, so you can join the tournament at your convenience. Feel free to share the meetup with your friends, peers, and others you think might be interested. We will send out multiple communications to attendees about how to register.
Compete against fellow security peers, universities, and OWASP chapters to identify and fix critical vulnerabilities in real-to-life code snippets! Challenges are available in 21 frameworks, including .NET, Java, Python, Go, Angular, Node, React, iOS, Android, Scala, Ruby, PHP, C++, C, PL/SQL and COBOL.
Tournament Step by Step Guide: Link to tournament guide
Prizes:
- 1st place earns the secure coding trophy!
- 2nd = Secure Code Warrior hoodie
- 3rd & 4th = Secure Code Warrior t-shirt
Instructions for playing:
1) Sign up for the meetup if you and your friends are interested in the tournament.
2) Register at: http://discover.securecodewarrior.com/OWASPHartford-tournament.html
3) Once the platform is available and you are logged in, click “Tournaments”.
4) Join the OWASP Hartford Secure Coding Tournament.
Monitor the live leaderboard to see how you’re performing! The Secure Code Warrior platform will be open before and after the tournament, so feel free to practice in the “Training” tab.
Security Workshop at UCONN CyberSEED Date/Time: 10/19/19
OWASP is partnering with Synchrony Financial and UCONN to host a workshop during UCONN CyberSEED this year.
Updated Agenda:
CyberSEED ’19 Workshop Agenda
Not on a Capture the Flag team, but interested in cybersecurity awareness, education, and secure software? Join our workshop with panel discussions.
Invited participants:
- Dr. Laurent Michel, Computer Science (UConn)
- George Smirnoff, CISO (Synchrony)
- Gleb Reznik, Deputy CISO (Synchrony)
- Toby Lin, Cofounder (Cyber Skyline)
- Neil Sanyal, PMO Program Director InfoSec (Synchrony)
- Mark Underwood, Moderator (Information Security Innovation, Synchrony)
- Alvin Fong, OWASP CT Co-Lead
- James McGovern (Gartner)
- Pamela Gupta (OutSecure; Organizer of Northeast Annual Summit 2019)
09:00 – 09:30 Kickoff address, Synchrony CISO George Smirnoff
09:30 – 12:00 Session 1
- Assessment of information security awareness: state of affairs in 2019
- Messaging for socialization, collaboration with education and research
- Regional cybersecurity collaboration opportunities
- The needs: What are we getting right, and where are the gaps?
- Consideration of NIST NICE as a skills roadmap
- Role of gamification: issues with embedding tools, emerging threats vs. old favorites
12:00 – 13:30 Lunch
13:30 – 16:30 Session 2
- Integration of agile development with information security
- DevSecOps and automation
- Simulation and cyber range: current practice, future platform needs
- Future information security challenges
  - AI as InfoSec enabler / AI as InfoSec adversary
  - Challenges of the software-defined data center
  - Open source security, supply chain risk management
  - InfoSec tooling and the challenge of hyper-specialization
Address: 626 Gilbert Road Ext. Storrs, CT 06269
Continuing Professional Education (CPE): For ISC2 (CISSP and related) and ISACA (CRISC and related) certificate holders, a certificate of participation will be offered if you attend. CPE credit is typically accepted by certifiers for events of this type. CTF play is optional.
Parking: The South Garage (paid parking) is within a 5-minute walk, for those who are driving.
More About CyberSEED 2019 The theme for Synchrony’s Cybersecurity Awareness Month this year is “Own. Secure. Update.” Synchrony, UConn and the backers of the associated National Cybersecurity Awareness initiative have chosen a strategic focus that emphasizes personal responsibility over specific technologies. Part of the reason: many small businesses have little or no investment in cybersecurity. According to a 2018 Juniper Research report, the typical small business invests less than $500/year in cybersecurity. This is true despite an 11% increase in security breaches over the past year, and a five-year increase of 67%.
Indeed, executives and owners in small to medium-sized businesses (SMBs) need to become more involved. Increased cybersecurity investment is an important step, but it won’t be enough. In an increasingly automated, software-driven, risk-rich landscape, cybersecurity awareness must be extended to home computer users and employees in SMBs in order to move the safety needle.
“Small and medium sized businesses are increasingly on the front line of this battle,” Synchrony’s CISO George Smirnoff said recently. “Whether they are aware, or just underfunded in the cybersecurity realm is unclear, but we need to do what we can to help them. Not doing so creates widespread risks for all – even the best-defended among us.”
DevOps vs. the “Security People” Date/Time: Friday, 6/21/19 1-3pm
Location: Travelers CRM-1, 45 Central Row, Hartford, CT 06103
Agenda:
1pm: “DevOps vs. ‘Security People’”
In 2019, surveys are saying that 90% of the Fortune 500 plan to use containers and technologies like Kubernetes, yet there is still a divide between what “security people” think containers provide and what DevOps teams think they provide. Kubernetes has become the de facto standard for production container deployments, and there are 98 different options (as of February 2019) for hosted Kubernetes clouds. In many cases a Kubernetes threat model becomes compromised either by accident or by alibi, and even if you wanted to harden your environment, there is little guidance. Is there truly such a thing as a Kubernetes best practice? How can Kubernetes handle multiple tenants in a cluster? Do hosted Kubernetes services provide enough security for your workload? This talk will explore Kubernetes’ known attack vectors and defenses, and look at how we can bridge the silos between security engineers and developers.
2pm: panel / chapter meeting TBD
3pm: networking
Speaker: Mark Manning is a Principal Security Consultant with NCC Group and a lead in their Container Practice. He focuses on container technologies, Linux kernel security, and application security in general. He has performed penetration tests to break out of containers, delivered architecture reviews of DevOps environments, and worked with developers on various container and orchestration technologies such as Docker, Kubernetes, Mesos/Marathon, and Rancher. Mark currently organizes Rochester 2600 and also organized BSidesROC from 2010 through 2018.
Parking info:
UNH CyberAgent Academy CTF planning Date/Time: 6/21/19
This is a planning session for the CTF that OWASP CT members are helping to build out for UNH’s CyberAgent Academy coming up on July 22 - July 27. Currently, we are looking at two CTF platforms, FacebookCTF and CTFd, to use for the summer camp.
Anyone willing to assist with play-testing, creating CTF challenges, or operating the CTF is welcome to attend.
About: The high school GenCyber Agent Academy (incoming 9th-12th grade) at the University of New Haven, hosted by the Tagliatela College of Engineering, is a unique, rigorous, student-centric summer camp with an enriching hands-on experiential learning environment. It is the first GenCyber camp in Connecticut and is open to 20 male and 20 female applicants. Cyber Agents accepted to this academy will enjoy a Cyber Career Catapult session where they will learn about educational and career opportunities in cybersecurity.
The camp offers the following courses (a) Python (b) Cyber Forensics (c) Hacking Concepts (d) IoT & Mobile and (e) Network Defense. Cyber Agents will also have unique experiences where they would tour the UNH Information Technology (IT) offices and server rooms, participate in a cyber Scavenger Hunt and compete in teams in a Cyber Challenge. The camp is a comprehensive one week, learner-centered, hands-on, intensive program designed not only to teach students about cybersecurity, but to also have a long term effect on their career goals and aspirations.
Fairfield U - Day in the Life of a CyberSecurity Professional Date/Time: 10/12/18 11AM-12PM
As part of our academic initiative to partner with local colleges and universities, Fairfield University CISO Bill Reyor has invited OWASP to Fairfield University this coming Friday, Oct 12 @ 11am at the Fairfield University DiMenna-Nyselius Library, 5171, 1073 N Benson Rd, Fairfield, CT 06824.
This session is oriented toward college students and new college graduates exploring computer security (“cybersecurity”) as a career path. We plan to discuss:
*The State of Computer Security Employment and need for diversity to solve tomorrow’s security challenges (It’s not all Computer Science)
*Profiles of Computer Security Career Paths
*The Day in the Life of a Security Professional, by yours truly.
*The need for Business, Medical, and Technology undergraduates and graduates to work together as security becomes an increasingly interdisciplinary challenge
Call to action:
For area security professionals with open reqs for new/college-hires, please reach out in advance or connect me with your HR point of contact so that we can share opportunities with students that attend and are actively looking for local opportunities.
Agenda:
2PM - 4PM
2-3pm: Yaxa (Startup security spotlight) - Kalpesh Sheth
*Introduction to Yaxa, part of Hartford’s InsurTech startup accelerator
*Emerging trends in cyber threat vectors
*Which tools people are using and what security vendors are doing?
*What is state of the art – when hackers are changing their TTPs?
*Why users are the weakest link and what to do about it?
3-4pm: OWASP CT Chapter Meeting (2018 community initiatives)
*Who’s hiring? Help
*What topics/challenges are security practitioners having and looking for assistance with?
*Community initiatives - What would folks like to see OWASP and local CT members doing?
*Cool vendors
*Blockchain Security Thinking
4pm: Networking / HH
City Steam Brewery
942 Main St, Hartford, CT 06103
Map: https://goo.gl/maps/ecN5G9BvjoK2
About Kalpesh Sheth:
With 20+ years of technical expertise in data networking, network security, Intelligence Surveillance and Reconnaissance (ISR), and Cluster Computing, Kalpesh Sheth has been an instrumental leader in the execution of several complex development projects from inception to deployment. Sheth has served as a founding team member and senior executive at several successful startups and large companies. Before co-founding Yaxa, Sheth was Senior Technical Director at DRS Technologies (acquired by Finmeccanica S.p.A.), Director at RiverDelta Networks (acquired by Motorola and now part of Arris) and fifth employee of Digital Technology (acquired by Agilent Technologies). He is a co-author of VITA 41.6, an ANSI standard, and has spoken at numerous trade conferences as an expert panel member. Sheth holds an M.S. in Computer Science from Texas A&M University and an MBA from the MIT Sloan School of Management.
What to bring
*Ideas for community-based 2018 initiatives
*Security questions you’re looking for help from other security pros in the area
Agenda: Saturday, Oct 7th 2017 9:00AM - 6:00PM OWASP @ BSidesCT: Accelerating & Pivoting your Security Career
Presentation: https://www.owasp.org/images/3/3b/OWASP_CT_bSides_100717.4_compressed.pdf
Video: https://www.youtube.com/watch?v=_gF1ZL0lcz4
James and I will be presenting on Accelerating and Pivoting your security career.
Title: Accelerating and Pivoting your Security Career
Abstract: This talk is for folks either trying to identify paths into the InfoSEC space, and for experienced security professionals trying to pivot and jump start alternative security career paths. We’ll map out different career paths and identify key skills for success, discuss how to build them, and resources you can take advantage of locally here in CT.
Agenda: Thursday, Jun 15th 2017 6:00PM - 9PM Wireless Security Workshop
This session will take a departure from some of our recent OWASP sessions. The hosts at MakeHartford have generously offered their classroom space for this security lab session/workshop coming out of the OWASP pen-testing initiative group. Jon Williams will present and demonstrate some fundamental wireless security concepts. Depending on time, and if we get access to some COTS routers, we may also try some hands-on wireless security testing. Plan on bringing your laptop and a spare wireless router if you can. This session is oriented toward folks who want to learn about wireless security and are being introduced to wireless security concepts for the first time.
Note: Due to the classroom size, we’re limiting this to the first 20 participants.
Agenda:
- Overview: Wireless security concepts
- Remote access, Local network - encrypted and unencrypted
- Wireless attacks:
- Rogue access point, MiTM, Session Hijacking, Radio monitoring, Session theft
- Review: Risks to remote workers
- Game time: defensive techniques
- Demonstration: Wireless Man-in-the-Middle and Rogue AP
About Jon Williams:
Jon Williams hails from Cheshire, CT, where he lives with his wife and daughter and works from home as Security Administrator for IGG Software. A taste for adventure has carried him far, from the islands of the Bahamas where he worked towards building an eco-hostel, to the deserts of Egypt where he taught children at environmental leadership camps, to the high seas where he circumnavigated the globe in a steamship. His passion for technology led him into the security field, where he now spends an unhealthy proportion of his time trying to break computer systems so that others might improve them. He recently attained a CISSP certification and actively contributes to projects at OWASP Hartford.
Agenda: Wednesday, Apr 26th 2017
6:30PM - 9PM
OWASP @ MakeHartford
We’ve got a new team working on putting together a security / pen testing lab and security learning environment here in CT. The goal is to have a place where we can create and share security and pen testing tips and tricks with our members, as well as using the lab as a means to bolster our outreach efforts to the colleges in the area.
We’re going to use this initial session to explore the MakeHartford space and start building up that lab. If you’re interested, we would love to see you at this session. Otherwise, shoot me an email and I’ll keep you posted on working group meetings moving forward.
Thanks to the current volunteer team and Steve Yanicke @MakeHartford:
- Dain Perkins
- Darin Wilborne
- Jon Williams
- Kevin Tobin
- Adam Haller
- Cameron Morris
Agenda: Wednesday, Mar 29th 2017 6:30PM - 9PM OWASP UCONN Presentation: https://www.owasp.org/images/e/ef/Hartford-UCONN-March-2017.pdf
The next OWASP Hartford chapter meeting will be held at the ITE Building Room 301 on the University of Connecticut Campus in Storrs. We are conducting an interactive session with students of the cybersecurity club and will be inviting participation from students attending Law, Business and Medical schools for an enlightening discussion on Healthcare Information Security. As usual, this event is kid-friendly and OWASP-approved with a healthy dose of FREE TO ATTEND sprinkled on top.
Agenda: Thursday, Sep 29th 2016
2PM - 4PM
Fraud Analytics
The next OWASP Hartford chapter meeting will focus on Fraud Analytics. James Ruotolo from SAS will join us to discuss fraud analytics methodologies and fraud patterns in insurance. There will also be a walkthrough of visualization technologies, risk scoring, and cybersecurity.
Agenda: Exploring Fraud Analytics
1. Introduction
  a. Business analytics
  b. Example fraud analytics use cases
2. Fraud analytics methodology
  a. Detection techniques
  b. Data management considerations
  c. Deployment and operationalization
3. Case study: Fraud analytics in insurance
  a. Visualization technology
  b. Fraud risk scoring and alert triage
  c. Cybersecurity
  d. Example results
4. Q&A
About James Ruotolo: James Ruotolo is the product line leader for the fraud and security intelligence solution portfolio at SAS®. He is responsible for product management and marketing of fraud detection and compliance solutions for the banking, insurance, healthcare and government industries. Before joining SAS®, James was the Director of Strategic Operations for the special investigation unit of a large multi-line US insurance company, where he was responsible for investigative analytics and intelligence operations. He has nearly two decades of investigation and fraud analytics experience. Connect with him on Twitter @jdruotolo
Agenda: Thursday, May 26th 2016 Industry Cyber Security Panel
Brian Bemis – Travelers – Director of Application Security and Public Key Infrastructure. Brian’s areas of focus include application security, penetration testing, network security, secure SDLC, and certificates.
Brian Heemsoth – Aetna – Director of Software and Mobile Security. Brian Heemsoth is responsible for designing and implementing security solutions with a user experience focus, application security, mobile security and incident response.
Joe Niquette – UnitedHealth Group – Security Solutions Architect. Joe is involved in security research and development and passionate about rugged DevOps.
Ankur Singhal – The Hartford – Manager, Application Security. Ankur’s focus is web and mobile application security, security vulnerability management and remediation, secure SDLC, PKI and certificate management, encryption at rest and, most recently, security in DevOps.
2:00 PM to 4:00 PM
This meeting will be held at Travelers, Hartford CT (Central Row Conference Room)
Agenda: Tuesday, February 9th 2016
Threat Modeling for Architects, Business Analysts and Quality Assurance Professionals Robert Hurlbut, Independent software security consultant, architect and trainer, Hurlbut Consulting Services 6:00 PM to 7:00 PM
Future Direction of Chapter James McGovern 7:00 PM to 7:30 PM
This meeting will be held at Travelers, Hartford CT (Central Row Conference Room)
Postponed Events
Agenda: Tuesday, April 16th 2013 Why We Need DevOps Now: A Fourteen Year Study Of High Performing IT Organizations Gene Kim - CTO of Tripwire This meeting will be held at Travelers in Downtown Hartford
Past Events
Agenda: Tuesday, May 27th 2014 OWASP Mobile Top Ten Risks 2014 – The New M10: ‘Lack of Binary Protection’ Category Senior Security Engineer at Arxan Technologies 5:00 PM to 6:00 PM
IDaaS (Cloud) Landscape - Why Companies are Shifting Strategies Toward Cloud-Based Identity Management vs. Traditional Security Methods? Tarek Khaled, Senior Security Engineer at Okta 6:00 PM to 7:00 PM
This meeting was held at Travelers, Hartford CT (Central Row Conference Room)
Agenda: Tuesday, October 22nd 2013 Mobile Security: Attacks and Defenses Gene Meltser, Technical Director, Neohapsis Labs 5:00 PM to 6:00 PM
An Application Pen Tester’s introduction to Android Internals Tom Palarz, Senior Security Consultant, Neohapsis Labs 6:00 PM to 7:00 PM This meeting was held at Travelers, Hartford CT (Central Row Conference Room)
Agenda: Tuesday, June 6th 2013 Building a Better Botnet Michael Smith, Akamai This meeting was held at Travelers in Hartford
Agenda: Tuesday, May 6th 2013 Web Services Security James McGovern, HP Enterprise Services This meeting was held at the ACORD LOMA Forum in Las Vegas
Agenda: Wednesday, April 24th 2013 Cloud and Identity George Dobbs, Enterprise Architect - MassMutual 8:30 AM to Noon This meeting was held at IBM, 755 Main Street, Hartford CT (The Gold Building)
Agenda: Wednesday, October 24th 2012 International Institute of Business Analysts (IIBA) Joint Meeting James McGovern - Introduction to Security for Business Analysts This meeting was held at Chubb in Simsbury
Agenda: Wednesday, September 26th 2012 Joint Meeting with OWASP Student Chapter Introduction to Network Security Anthony DAmato
Agenda: Wednesday, May 23rd 2012 Introduction to SOA Security James McGovern
Agenda: Tuesday, May 18th 2010 Joint Meeting with ISACA on the topic of auditing web applications
Dmitry Zhdanov presentation is located here
Mark Wireman presentation is located here
James Ritche presentation is located here
Mark Coderre presentation is located here
Agenda: Thursday, December 3rd 2009
SOCIAL MEDIA, PRIVACY AND BREACHES Ian Glazer, Distinguished Industry Analyst Burton Group Powerpoint presentation is located here
VANISH: MAKING DATA DISAPPEAR George Dobbs, Chief Architect Knights of Columbus Powerpoint presentation is located here
Agenda: Tuesday, November 17th 2009
ATTACK YOUR DATABASE BEFORE OTHERS DO Todd Desantis, Lead Sales Engineer Sentrigo
Agenda: Tuesday, October 13th 2009
THE CONVERGENCE OF SECURITY AND PRIVACY: CLOUD COMPUTING Michael Waidner, Distinguished IBM Engineer and Security CTO IBM
Agenda: Monday, September 14th 2009
OWASP: WHERE WE ARE AND WHERE WE ARE GOING Tom Brennan, OWASP Board Member OWASP
WEB APPLICATION SECURITY ASSURANCE Gregory Gotta, SVP Security CA
Agenda: Wednesday, June 10th 2009
THE ANATOMY OF SECURITY DISASTERS Marcus Ranum, CSO of Tenable Security Powerpoint presentation is located here
Agenda: Tuesday, April 30th 2009
RECRUITING ELITE IT TALENT Jordan Haberfield (Agile Elephant), SVP of System One
DETECTING BACKDOORS IN WEB APPLICATIONS Chris Wysopal CTO, Veracode
Agenda: Monday, April 13th 2009
AGILE SOFTWARE DEVELOPMENT AND SECURITY: 4:00 - 6:45 PM Scott Ambler, Agile Practice Leader, IBM Powerpoint presentation is located here
Agenda: Tuesday, February 10th 2009
OPEN SOURCE IDENTITY SERVICES (The Higgins Project) Mary Ruddy, Meristic
ENABLING STRONGER/MULTI-FACTOR AUTHENTICATION FOR ENTERPRISE APPLICATIONS Ramesh Nagappan, Security Architect at Sun Microsystems
STATE OF WEB APPLICATION SECURITY Gunnar Peterson, CTO of Artec Group and Twin Cities OWASP
Agenda: Wednesday, November 11th 2008
LIGHTWEIGHT SECURITY USING IDENTITY-BASED ENCRYPTION: 6:00 - 7:00 PM Richard Eisenberg, Architect at Voltage Security
Agenda: Wednesday, September 24th 2008
TOP TEN BOGUS TECH QUOTES OF THE YEAR: 6:00 - 6:45 PM Paul Roberts, Industry Analyst, The 451 Group Powerpoint presentation is located here
MAKING APPLICATIONS SECURE BY REMOVING SECURITY: 6:45 - 7:30 PM Andrew Stone, Senior Manager, Accenture Powerpoint presentation is located here
Agenda: Wednesday, June 11th 2008
CARDSPACE AND USER CENTRIC IDENTITY Chris Winn, Security Evangelist, Microsoft
IDENTITY GOVERNANCE FRAMEWORK Prateek Mishra, Product Manager, Oracle Powerpoint Presentation is here
Agenda: Wednesday, April 30th 2008
THE IDIOTS GUIDE TO DEVELOPING BAD ENTERPRISE APPLICATIONS AND WORST LOGGING PRACTICES Anton Chuvakin, Chief Logging Evangelist, LogLogic
KEEPING SECRETS: APPLICATION SECURITY IS A BUSINESS IMPERATIVE Jack Danahy, CTO and Founder, Ounce Labs
Agenda: Thursday, February 28th 2008
HOW WEB 2.0 HAS CHANGED THE LANDSCAPE OF APPLICATION SECURITY Chenxi Wang, Principal Analyst, Forrester Research
EXPLOITING ONLINE GAMES Gary McGraw, CTO, Cigital