
Page 1: OWASP Denver June 2012 Hosting

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Denver, June 2012, Hosting.com

Andy Lewis, Chapter Leader, Denver OWASP, [email protected]

Page 2: OWASP Denver June 2012 Hosting


Welcome!

• You are at the Denver OWASP meeting
• Please set pagers & cellphones to stun
• Please thank our hosts, sponsor, & speakers:
  Hosting.com – Clint Pickney
  SilverTail Systems – Laz

Page 3: OWASP Denver June 2012 Hosting


Bathrooms, smoking, parking, etc

Parking - please use visitor parking. NOTE: they lock the garage at 9:30(?)

Smoking - outside in designated areas
Restrooms – you’ll need an escort
Vending machines/food/drinks – pizza, beer, and beverages provided by Hosting.com. Please drink responsibly.

Wireless – please don’t attach, don’t attack, don’t do anything else that would cause Hosting.com not to invite us back…

Page 4: OWASP Denver June 2012 Hosting


Agenda

• Welcome
• Introductions
• Thank our hosts & raffle sponsors - Hosting.com and SilverTail Systems
• What’s an OWASP?
• Pass the salt
• Chapter Business
• Tonight’s topic - “Emerging Threats"
• Closing - Chapter Business, thank hosts, next meeting, and tonight’s watering hole – right here!

Page 5: OWASP Denver June 2012 Hosting


OWASP Mission (1st meeting, anyone?)

Open non-profit charitable foundation dedicated to enabling organizations to make informed decisions to develop, maintain, and acquire software they can trust

Making Security Visible Through…

Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …

Tools: ESAPI, WebGoat, WebScarab, Site Generator, Report Generator, CSRF Guard, CSRF Tester, Stinger, Pantera, …

Working Groups: Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security

Community and Awareness: Local Chapters, Conferences, Tutorials, Mailing Lists

Page 6: OWASP Denver June 2012 Hosting


OWASP Chapters – a GLOBAL phenomenon


Page 7: OWASP Denver June 2012 Hosting


Pass the Salt: LinkedIn got breached

• It happens
• I hope you’ve changed your password, because LI stored passwords as unsalted SHA-1 hashes…

How OWASP can help…

• Google “OWASP Password Storage Cheat Sheet”

• Notice the reference links for prescriptive guidance for Java, PHP, etc.

• Don’t reinvent the wheel (and look at the other cheat sheets too)

PASS THE SALT

Please share this with at least one Developer

• Unsalted hashes should be a crime, but salting isn’t widely taught

• If your friend is way ahead, encourage him or her to add to the cheat sheets – salting routines for Joomla, Ruby, etc are still needed

Friends don’t let friends store passwords as unsalted hashes…
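To make the slide's point concrete, here is an added example written for this page (it is not code from the OWASP cheat sheet, from LinkedIn, or from the speaker). It stores the same constructed sample passwords two ways, unsalted SHA-1 as LinkedIn did and a per-user random salt with PBKDF2-HMAC-SHA256 as the cheat sheet's guidance recommends, then runs the same small wordlist attack against both stores. The usernames, passwords, wordlist and the 100,000 iteration count are assumptions chosen for the demo.

```python
"""Added example: unsalted SHA-1 vs. salted PBKDF2 password storage, side by side."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the demo (not real credentials). Two users chose
# the same password, which is exactly what an unsalted scheme exposes.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}
WORDLIST: List[str] = ["password", "Summer2012!", "letmein"]  # the attacker's guesses


# --- Weak scheme: sha1(password), no salt -------------------------------------
def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Build one hash->guess table and look every user up in it.

    Returns (cracked users, number of hash computations). The table costs
    len(wordlist) hashes no matter how many users there are, and it can be
    precomputed before the breach (rainbow-table style).
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


# --- Recommended scheme: per-user random salt + slow KDF ----------------------
ITERATIONS = 100_000  # assumed work factor; tune so one verify costs tens of ms on your servers


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)  # 128 random bits, fresh for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (algorithm$iterations$salt$hash) so the iteration
    # count can be raised later without breaking existing users.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported password hash algorithm: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison; a plain == leaks timing information about the digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: every (user, guess) pair costs a full KDF run."""
    cracked: Dict[str, str] = {}
    kdf_runs = 0
    for user, record in stored.items():
        for guess in wordlist:
            kdf_runs += 1
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked, kdf_runs


def demo() -> Dict[str, object]:
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    cracked_u, work_u = crack_unsalted(unsalted, WORDLIST)
    cracked_s, work_s = crack_salted(salted, WORDLIST)
    return {
        "same_password_same_unsalted_hash": unsalted["alice"] == unsalted["bob"],
        "same_password_same_salted_record": salted["alice"] == salted["bob"],
        "cracked_unsalted": cracked_u,
        "cracked_salted": cracked_s,
        "hash_computations_unsalted": work_u,
        "kdf_runs_salted": work_s,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover the weak shared password in this toy run; the difference is the cost model. Against the unsalted store the attacker hashes the wordlist once and reads off every matching user, and can do that precomputation before the breach. Against the salted store the attacker must run the slow KDF once per user per guess, so the work scales with the number of accounts times the wordlist, and identical passwords no longer produce identical records. PBKDF2 is used here because it ships in the Python standard library; bcrypt or scrypt via a vetted library are equally valid choices under the cheat sheet's guidance.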

Page 8: OWASP Denver June 2012 Hosting


Membership Benefits

Page 9: OWASP Denver June 2012 Hosting


Denver Chapter Business

SnowFROC! www.snowfroc.com – NEED $$$ to reserve space!
• FROC Chair - Kathy Thaxton
• NEED TO RESERVE SPACE NOW – please become a member

Membership…

• Please consider joining OWASP – it’s like PBS. Nobody’s coming into your living room to shake you down, but a portion of everything you donate goes directly to the Chapter

• Get a snazzy @owasp.org email address

Jobs – LinkedIn, others???

Staying current:
• Mailing list

• Twitter @owasp303

• LinkedIn OWASP Denver group

Other chapter business?

Page 10: OWASP Denver June 2012 Hosting


Job

Job Title: Coding Compliance Officer
Location: Aurora, CO
Duration: 3 months (Contract to Hire)
Job#: 5295

Contact: Avinash 303-990-5876/77 [email protected]

Skills: Medical Coding (5.0+ yrs), Training (5.0+ yrs), HIPAA (5.0+ yrs), Healthcare Claims Processing (5.0+ yrs), ICD-9/10 (5.0+ yrs), Medical Billing (5.0+ yrs)

Job Description:

The Coding Compliance and Education Specialist coordinates and reports on day-to-day coding compliance, education, training and quality improvement functions within the Health Information Management department.

More details available from Avinash

Page 11: OWASP Denver June 2012 Hosting


Next Meeting

• Next meeting will be September 19th

• 3rd Wednesday of the month

• Topic tbd – anybody got ideas for a topic and/or speaker?

• Final 2012 meeting will be in October – trying to get Wh1t3Rabbit (~70% chance right now)

Page 12: OWASP Denver June 2012 Hosting


Tonight: Laz – “Emerging Threats”

About Laz - SnowFROC Hero

Prior to his position as Director of Strategy at SilverTail Systems, Laz served as head of Information Security with the Sears Online Business Unit. He has been involved in IT security for the past 20 years, consulting with and auditing Fortune 500 companies and government agencies. Laz holds several patents for controlling personally identifiable information, Information Security, and Information Technology. He is also an active contributor to security standards and policy initiatives regarding compliance and Information Security methodologies, policies, and web application security. Laz is a published author, has served in the United States Air Force, holds a Master’s in Computer Information Security from the University of Denver and an MBA from Pepperdine University.