Kansas City June 2007 Meeting

The OWASP Kansas City chapter meeting in June 2007 was held from 6:30 to 8:30 pm on 6/13/2007. The location of the meeting was at the offices of FishNet Security at 1627 Main Street in Kansas City, MO.

Meeting Summary
Dave Ferguson of FishNet Security started the meeting with a welcome and overview of OWASP. Attendee Rohini Sulatycki briefly described the new OWASP AJAX project, for which she is the project leader. Next, Dave Ferguson announced that he would be stepping down as the OWASP Kansas City chapter leader due to the fact that he is relocating to the Dallas, TX area. A search for a new chapter leader will begin.

Our first speaker was Jake Reynolds from FishNet Security. Jake described more than a dozen different Firefox extensions that involve some aspect of web application security. Some, such as TamperData and Web Developer, provide useful functionality for auditing/assessing the security of an application. Others, such as HTTPOnly and NoScript, are specialized extensions that can keep you safer when surfing the Internet.

Following a break, Barry Archer from American Century Investments presented on the topic of web application firewalls. Specifically, Barry talked about his experience with evaluating mod_security for Apache and a particular commercial WAF product. Issues such as negative vs. positive security models, the importance of having a well-designed log format, and how to handle updates to an application were discussed. Barry also explained why you need to understand HTTP in order to properly "tune" a WAF.

Documents
[[Media:KC_June_2007_Firefox_as_AppSec_Tool.zip|Firefox as a Web Application Security Assessment Tool]] (ppt within a zip) [[Media:KC_June_2007_Evaluating_and_Tuning_WAFs.pdf|Evaluating and Tuning Web Application Firewalls]] (pdf)