Please join the NY and NJ OWASP Chapters as we hold our first meeting of 2014. We will spend some time reviewing the hugely successful AppSec USA 2013 event and discuss our plans for 2014.
We are actively looking for speakers for this meeting and the Call for Papers is now open. For more information on submitting a talk:
If you have any questions, would like to submit a talk, or host meeting, please contact Israel at israel.bryski (at) owasp (dot) org.
Looking forward to a great year! - the NY and NJ Chapter Leaders
• AppSec USA 2013 Review and Recap: NY and NJ Chapter Leaders
• Tony Dimichele, CISO at BNP Paribas: Review of BNPs AppSec Program
• The Exploit Development Process
Session Abstract: This WebAppSec presentation will introduce InfoSec managers, less technical AppSec security professionals and beginners to the process of examining code to write exploits. We will use the 2013 Wordpress URL redirect vulnerability (CVE[masked]) as a step-by-step case study and tutorial. The methodology presented may be generalized to other platforms as it is not web application specific. The presentation will contain a lot of pictures so that people of all skill levels may follow along to better understand the process as if they are sitting over the researcher's shoulder. Please note that it will not introduce advanced web app debugging techniques.
Kenneth F. Belva is the Publisher and Editor-in-Chief of bloginfosec.com. He currently works full-time in the financial services vertical at a multinational conglomerate. He conducts both technical and non-technical risk assessments focusing on web-based application security while helping deliver security solutions to the business units within his division.
At the OWASP AppSec2013 confrerence BugCrowd valided three of his 0-day vulnerabilities he found in Yahoo, Yandex and Angelist within the first two days of BugBash2013. He was previously on the board of the New York Metro Chapter of the Information Systems Security Association (ISSA) where he served in various capacities over the past 9 years. He has spoken and moderated at the United Nations as well as presented on AT&T’s Internet Security News Network (ISNN) on discovering unknown web application vulnerabilities as well as being interviewed on security enablement.
• AppSec at DevOps Speed and Portfolio Scale
Session Abstract: Application security programs often have difficulty scaling to large enterprise portfolios while maintaining speed, coverage, and accuracy. In this talk, John will discuss why the traditional approach to application security is rapidly becoming infeasible. Then he will share strategies for building a program that can deal with the realities of Agile and DevOps-style software development. In particular, John will discuss recent experiences using a variety of simple tools to perform continuous application security verification during the build and deployment process.
John leads Aspect’s Application Security Programs consulting practice which enables organizations to securely design, implement and maintain their information systems in a responsible, practical and sustainable way. As an IT professional for over 25 years, John has concentrated solely on IT security for the last 16 years. During his career he has held various leadership positions including Enterprise Security Architect and Application Security Program Manager. Some of John’s key accomplishments include the implementation of an enterprise-wide IT security program for a large financial services institution, the security design and implementation of an enterprise single sign-on and authorization system and the automation of security processes and tools into a continuous integration environment. John has designed and implemented secure architecture and supporting processes for some of the most critical and complex systems across industry sectors including Financial Services, Central Banking, Government Agencies, US Treasury, and Transportation. John holds dual degrees in Mathematics and Computer Science from West Chester University.
• Integrating Snort Alerts with Wireshark
Sorry for the late notice, the paint on the code isn't completely dry yet...
Session Abstract: This is a short, "rough cut" demo of a Wireshark plugin that pulls in snort alerts from a MySQL database.
Should find utility with red/blue teams and for those developing or learning to write Snort alerts.
Presenter: Jack Radigan, NJ side of the chapter.