Details

Meeting Topic 1) Exploiting the Tiredful API
Speaker 1) Matt Scheurer
https://twitter.com/c3rkah

Abstract:

The "Tiredful API" is an intentionally broken web application. Its aim is to teach developers, QA staff, and security professionals about flaws that arise in web services (REST APIs) from insecure coding practices. This presentation features live demos exploiting some of its known vulnerabilities, including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross-Site Scripting (XSS).

Meeting Topic 2) Common Developer Crypto Mistakes (with illustrations in Java)

Speaker 2) Kevin Wall
https://twitter.com/KevinWWall

Abstract:

During the past 9 years, Kevin has examined how cryptography has been used in 300+ different projects from a security risk perspective. This includes 85+ design reviews as well as over 220 secure code reviews (mostly Java, with some C/C++ and C# thrown in for good measure) performed for two different companies. That covers proprietary code of these 2 companies, proprietary vendor code reviewed under NDAs, and some FOSS code. This talk explores the most commonly observed applied cryptography mistakes made by developers during that 8 year window and briefly describes how to correct them.

Speaker Bio:

Kevin Wall has been involved in application security for almost the past 20 years, but he still considers himself a developer first and an AppSec engineer second. During most of the past 20 years, Kevin has specialized in applied cryptography and web AppSec. Before transitioning to AppSec, Kevin spent 17 years at Bell Labs (then AT&T, now Nokia) doing mostly systems programming. He left Bell Labs as a DMTS in 1996 to become an independent consultant in C++ and Java.

Kevin became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, he somehow found himself "elected" as co-project lead of ESAPI in 2011. He also spent 2000-2007 as an adjunct faculty member on the Franklin University CS staff, where he taught Distributed Operating Systems and Computer Security. Kevin has been working on the Wells Fargo Secure Code Review team for just over 3 years; he figures it is about as close to code as any company will let him get, which is why he stays active in the development of ESAPI.

When Kevin is not around code or writing about himself in the third person, he waxes eloquent in 3-4 page TL;DR discourses that he posts to various mailing lists, or hangs out with other dinosaur friends at local watering holes discussing appsec, coding, sports, puns, and quantum physics.

About Us:

The CiNPA Security SIG is the Cincinnati Networking Professionals Association Security Special Interest Group. We meet on the third Thursday of each month starting at 6:30 p.m.

The CiNPA Security SIG's monthly meeting format typically consists of one or two main topics featuring live presentations or demonstrations that promote open and interactive group discussion. Our focus is primarily on the defensive side of information security, but we delve into all other areas of cyber-security as well. Information security news, announcements, and round-table discussions follow our main meeting topics.

Attendee Benefits:

• Attendance qualifies for 2 hours of CPE or CEU credit towards certification renewals

• Maintaining awareness of new vulnerabilities and exploits

• Learning about the latest security tools, utilities, products, services, solutions, strategies, techniques, frameworks, and best practices

• Sharing of information regarding trends concerning enterprise systems and technology

• Hearing announcements of upcoming area security conferences and events

• Networking with peers in the local Information Security (InfoSec) community