Cleveland

Upcoming Meetings
''' The Next OWASP Cleveland Chapter Meeting is scheduled for Thursday, April 10th from 11:30am-2:00pm at Hyland Software! RSVP HERE

''' Join Us April 10th for Lunch, Networking, and our Featured Presentation:

'Information Disclosure: Looking Beyond Vulnerabilities to Freebies'

By: Bill Sempf (@sempf)

While the application security community is focused on tools that test for various vulnerabilities, your servers, developers and organization could be giving out valuable details that just makes an attacker's job so much easier - free information. No vulnerability scanner will find the Stack Overflow post with admin credentials, or the 'hidden' file with a test account, or that obscure error message that makes your database barf. Bill will take you through hands on testing that you can try today: finding out about what your applications, servers, networks, and people are telling attackers about your innermost secrets.

'Would you like to speak at an OWASP Cleveland Meeting?' If we haven't approached you, but you believe you have new research that the security community would enjoy hearing about, we invite you to submit your presentation topic for consideration.

This chapter is dedicated to bringing together local businesses, students, and web and security enthusiasts in order to discuss current events, trends, tools, and offensive/defensive techniques related to web application security.

To speak at upcoming OWASP Cleveland meeting or suggest a speaker, please submit your ideas via email to Courtney Satink - [mailto:csatink@securestate.com csatink@securestate.com]

Past Events:
Chris Clymer - Wednesday, January 8th from 11:00am - 2:00pm

Presentation: "Lessons Learned from HealthCare.gov - Integrating Security into Complex Software Deployments"

Video of January's Presentation, Lessons Learned from HealthCare.gov, is available HERE

Abstract: The recent problems with Healthcare.gov highlight the fact that many organizations still struggle to secure applications they develop. During this talk, SecureState will take an apolitical approach to looking at what lessons can be learned from the Healthcare.gov rollout and how these lessons can be applied to software you are developing. During this talk, SecureState will use firsthand experience gained from helping a state based health exchange become operational and compliant to the various federal security standards, as well as public information on the security challenges the national exchange faces.

Speaker Bios: Chris Clymer - As the Manager of SecureState’s Advisory Services practice, Chris Clymer works on the design and management of Security Programs as clients’ Security Program Manager (SPM). Chris’s core strengths of developing complex strategies and establishing specific priorities are keys to his ability to provide expert advisory leadership to clients looking to him for guidance. His expertise at defining objectives and conducting in-depth research also serves him well in this capacity. Chris questions frequently and thoroughly, initiates innovation, and improvises solutions – all valuable skills for leading our Advisory Services practice. Chris holds several industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC Certified Penetration Tester (GPEN), GIAC Certified Web Application Penetration Tester (GWAPT), and provisional ISO 27001 Auditor.

-

Matt Neely & Tom Eston - Monday, April 29th from 11:00am - 2:00pm

Presentation: "Threat Modeling - The First Step in Secure Application Development"

Video of April's Presentation, Threat Modeling - The First Step in Secure Application Development, is available HERE

Abstract: Application security issues continue to be a growing concern for businesses large and small. In fact, many people would be surprised to find that some of the most popular mobile apps downloaded are vulnerable to issues found in the OWASP Mobile Top 10 list of common vulnerabilities.

To address these issues security needs to be integrated into the software development life cycle (SDLC) used by the developers. When developing an application in a secure manner threat modeling is an important but often forgotten first step.

This talk will start out an overview of where to integrate security into the SDLC process. The remainder of the talk will focus on the threat modeling portion of the SecSDLC. During this stage the OWASP Mobile Threat Model will be introduced. To provide real world examples vulnerabilities found in many of the top 25 downloaded apps found in the Apple App Store and Google Play will be covered.

Speaker Bios: Matt Neely is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm. At SecureState Matt leads the Research and Innovation team which focuses on imagining, researching and developing methodologies and tools that will solve industry related issues. In addition to Matt’s technical background, his strong understanding of business processes and organizational structure allow him to meet the security needs of the business world. Matt is a regular speaker at various business and security user groups and conferences including Black Hat, Defcon, THOTCON and ShmooCon. Matt recently published the book Radio Reconnaissance in Penetration Testing.

Tom Eston is the manager of the Profiling and Penetration Team at SecureState. Tom leads a team of highly skilled penetration testers that provide attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile applications. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is a security blogger, SANS Mentor, co-host of the Social Media Security podcast, and is a frequent speaker at security user groups and worldwide conferences including Black Hat, DEFCON, DerbyCon, Notacon, SANS, OWASP AppSec, and ShmooCon.

-

Joe Kuemerle - Tuesday, December 18th from Noon – 2 p.m.

Presentation: Reverse Engineering .NET and Java

Abstract: Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. Enjoy a demo filled session on how easy it is to extract information from virtually any .NET or Java application.

Speaker Bio: Kuemerle is a developer and speaker in the Cleveland, OH area specializing in .NET development, security, data base and application lifecycle topics. He is currently a Lead Developer at BookingBuilder Technologies and is active in the technical community as well as a speaker at local, regional and national events.

-

Kevin Johnson - Tuesday, March 22nd Noon – 2pm

Presentation:“Ninja Developers: Application Security Testing and Your SDLC.”'''

Abstract: The security of enterprise software is one of the key risks organizations can start to control today. As new applications are developed and legacy software is updated, incorporating a measure of security testing can be one of the most critical ways to positively impact an organizations security posture. To properly validate the security of enterprise applications a 3rd party penetration test or assessment may be enlisted - but the cost of testing each application quickly makes this impractical. This situation presents a challenging problem.

Kevin Johnson will explain how your development staff can incorporate techniques distilled from years of experience into your organization's development and release methodology. Whether you're using Agile, RUP or Google programming, these tips and tricks will enable your developers to produce higher quality, more secure code right from the start. Kevin will reveal some of the secrets of the masters learned from experience and industry leadership over the past decade - and show you how you can insert security into your software development lifecycle with minimal disruption and maximum effectiveness.

Speaker Bio: Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking.

-

Chapter Meetings
To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Our chapter is sponsored by SecureState.

Cleveland OWASP Chapter Leaders
The chapter leader is [mailto:kstasiak@securestate.com Ken Stasiak]