The OWASP – DC/MD Local Chapter infosec meetup event last week featured Rex Booth giving an introduction to OWASP, Matt Fisher looking at web risks and assessments, and a general discussion of BlackHat and DefCon. I wasn’t able to go but Rex has recently posted his notes from this session to the OWASP – DC/MD email list for those interested. See our original post for more information.

Here is some information regarding this week’s Wednesday OWASP – DC/MD Local Chapter infosec meetup event. Upon arriving please go to the 9th floor and sign in. Someone will escort you to the meeting location (room 8S026). If you are late and can not get in, please call (202) 270-8715.

• Who: Rex Booth, Grant Thornton LLP & Matt Fisher
• What:
  • Booth – Introduction to OWASP
  • Fisher – The Big Picture: Web Risks and Assessments Beyond Scanning: This talk will focus on the need to run risk and threat model software and pick appropriate people, tools, and testing techniques to test against the threat model. In today’s resource-constrained market many organizations are simply turning to automation to test their software security without truly understanding the limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether current state of the industry technology is effective against them.
  • Group Discussion – Security Conference Review: BlackHat & DefCon
• When: 8/20, 6:30 PM EDT
• Where: Deloitte & Touche (1001 G Street NW; Washington, DC 20001)

For more information on the OWASP – DC/MD Local Chapter, see its description in our NoVA Meetups section. See our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

The OWASP – VA Local Chapter infosec meetup event last week featured a showing of the “The New Face of CyberCrime” documentary and a presentation titled “Integrating Security into the QA Group.” The video featured many prominent security luminaries and was very informative for the general audience that Fortify was marketing it to.It focused on the recent barrage of personal data losses from large companies (e.g., think TJX and others). One interesting note was that a featured company ended up having a data breach soon after Fortify released the documentary. During the movie a company executive continually stated how important privacy of customer data was to them. Of course, up to that point they did have a clean record. After the video, the group discussed various themes, likes, and dislikes.

Next, Robert Rachwald presented his talk “Integrating Security into QA.” Trying to get QA to do security is very similar to the more recent trend to integrating security into the development lifecycle by teaching developers how to design and code securely. Pushing security into QA has many of the same challenges so we can use what we learned to better succeed. The ultimate conclusion was that we need to incorporate security tests into the existing QA infrastructure/tools versus getting QA personnel to use security tools. Additionally, QA must start earlier in the development process to focus on root causes (i.e., scanning code) versus later effects (i.e., pen tests). Of course this is where the Fortify software fits in being geared for QAers and scanning code early in the development process.

See our original post for more information about the talks. Overall, this infosec meetup was another great success for the organizers of the OWASP – VA Local Chapter. Thanks to them for organizing it, Booz Allen for the facilities, and Fortify for dinner.

Here is some information regarding this week’s Thursday OWASP – VA Local Chapter infosec meetup event. Pizza is being provided by Fortify this month. If you need/want to provide a contribution, you can. If you plan on attending, RSVP so they can get you badge processing started.

• Who: Fredric Golding / Robert Rachwald
• What:
  • The New Face of CyberCrime Viewing: Attend a private viewing of the film, “The New Face of CyberCrime,” by Academy Award-nominated Filmmaker Fredric Golding. This revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. The film is 20 minutes in length and we will follow up with discussion.
  • Integrating Security into the QA Group: Until recently, Web Application Testing was left to security teams and ethical hackers who used advanced tools, such as Web application scanners, to analyze running Web applications. However, security groups are becoming overburdened by product releases, and many organizations are attempting to move security testing earlier in the development cycle. The QA group is a natural candidate, since it generally has the infrastructure in place to test applications for quality issues. However, for many organizations, integrating security into the QA group has been incredibly difficult. The process of running a security test is a learned skill, and not something one can teach a QA tester in a matter of days. On top of that, most security testing tools were designed for penetration testers (since they require an in-depth knowledge of application security theory) and are not generally usable by QA professionals. As a result, very few QA groups have successfully adopted security testing.
• When: 5/8, 6:00 – 9:00 PM EST
• Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on OWASP – VA Local Chapter, see its description in our NoVA Meetups section. Here are links to the post about this meetup.