OWASP Cincinnati

I attended the first local OWASP (Open Web Application Security Project) meeting yesterday. OWASP is a global organization committed to web application security. Frankly, I was blown away at the quality of their work. Simply top notch. Their Top 10 vulnerability list is one of the foremost referenced list in the application security world. This is NOT an infrastructure security project. This IS all about WEB application security.

Here’s what OWASP has to say about itself:

OWASP plays a special role in the application security ecosystem. It is a vehicle for sharing knowledge and best practices across organizations. As an example OWASP is a community of people passionate about application security.

We all share a vision of a world where you can confidently trust the software you use. One of our primary missions is to make application security visible so that people can make informed decisions about risk. OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.

The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world. The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.

Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences. The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially. Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

Marco Morana hosted the group at the Citi facilities in Blue Ash. What a top-notch facility! And a very good turnout, too, of 18 or so people. Not bad for a meeting that ran from 11:30AM to 1:00PM. Marco provided a boxed lunch. I would not expect that for future meetings, but a very nice touch for the first one.

For those of you not familiar with Marco, he’s a prolific columnist/blogger. If you do a quick search, you’ll find his influence and writing on a number of sites and in a number of trade rags. Make sure you check out Marco’s security blog.

What is most valuable to me about the OWASP organization and its efforts is not just the content, as many of us have heard or have some understanding of web app security issues, but the fact that all the content, along with many of the tools and processes you would need to harden your apps, are all together in one place with direction on how to use everything. The OWASP effort grows every day which ensures the content is continually up to date.

You really need to take a look at a couple of their production-ready applications. For a fantastic primer and training on web application vulnerabilities, take a look at the webgoat tool. Run this tool on your own system, preferably disconnected from a network. Understand that if you use it on a corporate network or use it to test your client’s or employer’s web apps you could be fired as in lose your job! Yeah, I thought this would motivate you to take a look.

The webscarab tool runs as a proxy between the web server and you so that you can both view and modify the traffic mid-stream in order to understand communications at a deeper level.

Marco Morana, Sr. Director and Technology Information Security Officer at Citigroup, with a strong history in the security sector, leads the local chapter. He and Blaine Wilson, another Information Security Officer at Citi, did a fantastic job creating meaty content for this first meeting. Blaine, put your picture on your LinkedIn profile so that we all get to see who you are 😉

Did you attend the meeting? What was most valuable for you?

You can find Marco’s presentation from the local meeting here (pdf). The Cincinnati chapter website and mailing list instructions is here.

I expect the Feb and March meetings to be pretty awesome, with detailed reviews of both the Top 10 list and webgoat.

Feb meeting details (I believe at Citibank in Blue Ash, but the location may change):

When: February 26th, 2008, 6.45pm – 7:45pm, Presentation starts at 7:00 pm

Who: Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)

Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective.

Andy

Advertisements

~ by Andy on January 31, 2008.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: