2014-08-14


Revision as of 02:54, 14 August 2014

(2 intermediate revisions by one user not shown)

Line 15:

Line 15:

= Next Meeting =

= Next Meeting =



''September 17, 6:30 pm

+

'
''September 17, 6:30 pm

'''Title:''' End Point Protections for OWASP Top 10 Attacks

'''Title:''' End Point Protections for OWASP Top 10 Attacks
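Review bot: the changed line now opens bold with three apostrophes before "September 17, 6:30 pm" but never closes it, so the bold markup runs on into the Title line that follows; close it with three apostrophes after "6:30 pm", as the "'''Wednesday November 7, 2012 6:45 pm'''" entries further down this page already do. This is also the only date line touched by this edit that did not receive a year, while every Past Meetings date below gets one; add "2014" here for consistency.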

Line 26:

Line 26:

== Location ==

== Location ==



Swipely
Headquarters

+

Swipely



+

10 Dorrance St.
, 9th Floor



10 Dorrance St.
<--- New Location!!

+



+

Providence, RI

Providence, RI
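Review bot: the address loses its floor in this change (", 9th Floor" is dropped after "10 Dorrance St.") while "<--- New Location!!" is added; if the meeting is still on the 9th floor, keep that part of the address, since visitors need it more than the marker. The "New Location!!" marker will also go stale after the next meeting, so plan to remove it in a follow-up revision. The shortening of "Swipely Headquarters" to "Swipely" is fine.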

Line 35:

Line 33:

= Past Meetings =

= Past Meetings =



'''August 13, 6:30 pm

+

'''August 13,
2014
6:30 pm

'''Title:''' How a Hacker Views Your Web Site

'''Title:''' How a Hacker Views Your Web Site
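Review bot: the year is inserted between the day and the time with no separator, giving "August 13, 2014 6:30 pm"; a comma after the year ("August 13, 2014, 6:30 pm") reads more cleanly, and the same applies to each of the date lines below that this edit touches. As with the Next Meeting line, the opening three apostrophes on this line are never closed, so the bold bleeds into the following Title line; this predates the edit, but since the line is being changed anyway it is a good moment to add the closing apostrophes after "6:30 pm".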

Line 41:

Line 39:



'''July 16, 6:30 pm

+

'''July 16,
2014
6:30 pm

'''Title:''' Point-of-Sale Malware

'''Title:''' Point-of-Sale Malware

Line 63:

Line 61:

<p>'''Speaker:''' John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer that focused on building multi-tier web applications. When he's not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on twitter: @forced_request</p>

<p>'''Speaker:''' John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer that focused on building multi-tier web applications. When he's not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on twitter: @forced_request</p>



'''April 16, 6:30 pm

+

'''April 16,
2014
6:30 pm

'''Title:''' [https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project OWASP Broken Web Applications (BWA) Project]

'''Title:''' [https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project OWASP Broken Web Applications (BWA) Project]

Line 80:

Line 78:

<p>'''Speaker:''' Mordecai Kraushar is Director of Audit for CipherTechs, a security solutions company based in New York City. He leads an OWASP project called Vicnum, (it is part of the OWASPBWA project)  which demonstrates vulnerabilities such as cross-site scripting, SQL injections and session management issues that are helpful to IT auditors developing  web security skills.  This application has also been used in multiple 'capture the flag' challenges including the Breaking Bad CTF at AppSecUSA in New York this past November.</p>

<p>'''Speaker:''' Mordecai Kraushar is Director of Audit for CipherTechs, a security solutions company based in New York City. He leads an OWASP project called Vicnum, (it is part of the OWASPBWA project)  which demonstrates vulnerabilities such as cross-site scripting, SQL injections and session management issues that are helpful to IT auditors developing  web security skills.  This application has also been used in multiple 'capture the flag' challenges including the Breaking Bad CTF at AppSecUSA in New York this past November.</p>



'''March 19, 6:30 pm

+

'''March 19,
2014
6:30 pm

Ben Brown, Akamai Technologies

Ben Brown, Akamai Technologies

Line 92:

Line 90:

Speaker bio: Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in Non-profit, Academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.

Speaker bio: Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in Non-profit, Academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.



'''February 12, 5:45 pm

+

'''February 12,
2014
5:45 pm

Preventing XSS with CSP

Preventing XSS with CSP

Cross-Site Scripting is one of the most pervasive web application security flaws, and one attackers frequently target for attack. While the best line of defense for Cross-Site Scripting is defensively programming with proper input validation and context-sensitive output encoding, Content-Security Policy is quickly becoming a very effective mitigation strategy to protect sites' visitors and to warn application developers of potential attacks. This talk will cover content injection (including Cross-Site Scripting) and how Content-Security Policy mitigates many of the associated risks.

Cross-Site Scripting is one of the most pervasive web application security flaws, and one attackers frequently target for attack. While the best line of defense for Cross-Site Scripting is defensively programming with proper input validation and context-sensitive output encoding, Content-Security Policy is quickly becoming a very effective mitigation strategy to protect sites' visitors and to warn application developers of potential attacks. This talk will cover content injection (including Cross-Site Scripting) and how Content-Security Policy mitigates many of the associated risks.

Line 98:

Line 96:

Will Stranathan is an application security professional in the Charlotte, North Carolina area. He's been writing rotten code for 32 years, and has spent the last ten years breaking rotten applications, analyzing rotten code, and writing rotten code which helps the world's best programmers identify their own rotten code, and training developers how to write code that's not so rotten.

Will Stranathan is an application security professional in the Charlotte, North Carolina area. He's been writing rotten code for 32 years, and has spent the last ten years breaking rotten applications, analyzing rotten code, and writing rotten code which helps the world's best programmers identify their own rotten code, and training developers how to write code that's not so rotten.



'''November 25, 5:45 pm

+

'''November 25,
2013
5:45 pm

Unmasking DDoS Protected Web Sites<br />

Unmasking DDoS Protected Web Sites<br />

Line 105:

Line 103:

Laptop with a WiFi connection, Kali Linux installed with Perl, Wireshark and ability to run as root. Please also have an email address where you are able to view the mail headers. Lastly, it would be helpful if you do have access to your own web server, though this one is not a requirement to participate.</p>

Laptop with a WiFi connection, Kali Linux installed with Perl, Wireshark and ability to run as root. Please also have an email address where you are able to view the mail headers. Lastly, it would be helpful if you do have access to your own web server, though this one is not a requirement to participate.</p>



'''September 23, 5:45 pm

+

'''September 23,
2013
5:45 pm

JavaScript Verification: From Browsers to Pages<br />

JavaScript Verification: From Browsers to Pages<br />

<p>Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer.  This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser.  I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions.  I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.</p>

<p>Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer.  This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser.  I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions.  I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.</p>



'''Monday, April 15, 5:45 pm

+

'''Monday, April 15,
2013
5:45 pm

Evolving WAS - Taking remediation to the next level<br>

Evolving WAS - Taking remediation to the next level<br>

Line 116:

Line 114:



'''Monday March 4, 5:45 pm

+

'''Monday March 4,
2013
5:45 pm

Hands-on Hacking<br>

Hands-on Hacking<br>

Line 126:

Line 124:

<p>Please bring your own laptop to be involved with the lessons. As always, we are demonstrating these techniques to help developers think like the attackers and so we can better understand the vectors and better understand how to protect our sites and code. OWASP, the organizers and sponsors do not condone illegal activity.  We also remind you to never use these techniques against a site or network that you either do not own or do not have explicit, written permission to perform them on. In other words, don't blame us if you get arrested.</p>

<p>Please bring your own laptop to be involved with the lessons. As always, we are demonstrating these techniques to help developers think like the attackers and so we can better understand the vectors and better understand how to protect our sites and code. OWASP, the organizers and sponsors do not condone illegal activity.  We also remind you to never use these techniques against a site or network that you either do not own or do not have explicit, written permission to perform them on. In other words, don't blame us if you get arrested.</p>



'''Wednesday November 7, 5:45 pm'''

+

'''Wednesday November 7,
2012
5:45 pm'''

PCI in the Cloud<br>

PCI in the Cloud<br>

<p>Interested in cloud security and compliance?  Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort.  At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank.  Learn how a startup can achieve Level 1 PCI Compliance through isolation, technology selection, and aggressive automation, all while promoting a security-conscious and agile engineering culture.</p>

<p>Interested in cloud security and compliance?  Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort.  At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank.  Learn how a startup can achieve Level 1 PCI Compliance through isolation, technology selection, and aggressive automation, all while promoting a security-conscious and agile engineering culture.</p>

Line 132:

Line 130:

200 Dyer Street, Providence, RI

200 Dyer Street, Providence, RI



'''Tuesday October 9, 6:45 pm'''

+

'''Tuesday October 9,
2012
6:45 pm'''

'''The Evolution of the Information Security Management Function'''<br />

'''The Evolution of the Information Security Management Function'''<br />

Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rules.  In this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.<br />

Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rules.  In this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.<br />

David Sherry, CISO, Brown University<br>

David Sherry, CISO, Brown University<br>



'''Tuesday September 18, 6:45 pm'''

+

'''Tuesday September 18,
2012
6:45 pm'''

There is No Patch For Human Stupidity<br>

There is No Patch For Human Stupidity<br>

Darren will come and show us all the fun and foibles that come with the confidence game, also known as social engineering. Learn how to look out for people just trying to get information from you and steal all your secrets. Outsmart the smart people by just saying no.<br>

Darren will come and show us all the fun and foibles that come with the confidence game, also known as social engineering. Learn how to look out for people just trying to get information from you and steal all your secrets. Outsmart the smart people by just saying no.<br>

Darren Wigley, NWN Corporation<br>

Darren Wigley, NWN Corporation<br>



'''Tuesday August 21, 6:45 pm'''

+

'''Tuesday August 21,
2012
6:45 pm'''

'''Finding All The Ninjas in the Forrest: Web Application Testing Strategies Revisited'''<br>

'''Finding All The Ninjas in the Forrest: Web Application Testing Strategies Revisited'''<br>

Have you ever wondered what you might miss if an organization had over

Have you ever wondered what you might miss if an organization had over

Line 154:

Line 152:

Paul Asadoorian - PaulDotCom (http://www.pauldotcom.com)<br>

Paul Asadoorian - PaulDotCom (http://www.pauldotcom.com)<br>



'''Tuesday July 17, 6:45 pm'''

+

'''Tuesday July 17,
2012
6:45 pm'''

Practical Malware Analysis 101

Practical Malware Analysis 101

Line 165:

Line 163:

[https://maps.google.com/maps?q=200+Dyer+Street,+Providence+ri&ie=UTF-8&hq=&hnear=0x89e44515a1d257ab:0xb73c2a45e92559d9,200+Dyer+St,+Providence,+RI+02903&gl=us&ei=FMrHT5jnPObN6QGlz7XRDw&oi=geocode_result&ved=0CAsQ8gEwAA|map]

[https://maps.google.com/maps?q=200+Dyer+Street,+Providence+ri&ie=UTF-8&hq=&hnear=0x89e44515a1d257ab:0xb73c2a45e92559d9,200+Dyer+St,+Providence,+RI+02903&gl=us&ei=FMrHT5jnPObN6QGlz7XRDw&oi=geocode_result&ved=0CAsQ8gEwAA|map]



'''Monday June 4, 6:45 pm'''

+

'''Monday June 4,
2012
6:45 pm'''

Our next meeting is Monday, June 4, 6:45 pm at Swipely's headquarters in Providence's Jewelry District. The address is 39 Pike St in Providence (Google maps shows the church, but that's not it). The building also faces Benefit Street, across from Al Forno and has a billboard on the roof, near the Shell station. Come in through the side entrance.

Our next meeting is Monday, June 4, 6:45 pm at Swipely's headquarters in Providence's Jewelry District. The address is 39 Pike St in Providence (Google maps shows the church, but that's not it). The building also faces Benefit Street, across from Al Forno and has a billboard on the roof, near the Shell station. Come in through the side entrance.
