San Jose OWASP Chapter Meeting

Open to the public, attendance is free

Agenda and Presentations:
6:00pm - 6:30pm ... Check-in and reception (food & bev)
6:30pm - 7:15pm ... Attacking XML Security - Brad Hill
7:15pm - 8:00pm ... Development of a Security Metric System to Rate Enterprise Software - Fredrick Lee
8:00pm - 8:30pm ... Networking Session

807 11th Avenue
Sunnyvale, CA 94089

Attacking XML Security
Presented by: Brad Hill, iSEC Partners

Abstract: Brad will present his ongoing research into attacking the XML Digital Signature and Encryption standards that underpin the security of Web Services, mobile code, SAML, federated identity systems and more. The talk will begin with a high-level, critical take on the emerging conventional wisdom about message-oriented security and continue with a detailed discussion of design and implementation weaknesses in the standards. Technical material will include a root cause analysis of the recent iSEC advisory on cross-platform, remote code execution vulnerabilities discovered in multiple XML Digital Signature products.

Bio: Based out of Seattle, Brad Hill is a Senior Security Consultant at iSEC Partners, a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. Brad brings a ten-year background as a software developer and architect in the technology and financial services sectors to his work at iSEC, where he does design review, application assessment and development lifecycle improvement for some of the world’s leading software companies.

Development of a Security Metric System to Rate Enterprise Software
Presented by: Fredrick Lee, Fortify Software

Abstract: As part of Fortify Software’s Java Open Review (JOR) project, both security defects and quality issues discovered in open source software are collected. The projects being analyzed are diverse in their development methodologies, development stages, and application styles. The projects range from small utility packages (e.g. Apache Commons), to mid-size intranet applications (e.g. JSPWiki), to large-scale, commercial grade enterprise projects (e.g. JBoss). In essence, participants in the Java Open Review project reflect the typical enterprise organization’s code base: a large collection of several small utility/internal applications and a handful of enterprise “flagship” products.

As part of the project, we have been challenged to answer the question: which application is more “secure”? To answer this question, Fortify has sought to develop a set of metrics that combine lessons learned from our experience working on various enterprise code bases and our work on the JOR project. The metrics are designed to incorporate diverse criteria, including the size of the application, the types of vulnerabilities identified, and the time required to fix the vulnerabilities. The metrics provide a mechanism to rate software components for security concerns and enable enterprises to:

- Evaluate which open source projects offer an acceptable level of security
- Compare competing open source software solutions based on their security
- Measure internal development efforts against open source counterparts

Ultimately, with sufficient industry adoption, the metrics can also enable enterprises to compare their internal efforts against other enterprises within the same vertical. As part of the talk we will present our experience to date working with companies to develop an effective mechanism for evaluating the security of enterprise software.

Bio: Fredrick Lee is a member of Fortify Software’s Security Research Group, where he manages the Java Open Review Project. Having scanned the code of over 100 applications so far, Fredrick is helping assess and improve the security of open source software. Fredrick also helps the Security Research Group develop the secure coding rules that are used to run Fortify’s suite of products.

Prior to joining Fortify Software, Fredrick was a Senior Information Security Engineer at Bank of America, where he helped roll out a secure development framework, performed security assessments, and developed enterprise security solutions.

Fredrick graduated from the University of Oklahoma, with a BS in Computer Engineering.


Upcoming Security Workshops
Presented by: Brian Bertacini, Volunteer Chapter Organizer

Abstract: Introduces local volunteer expert trainers who are planning web application and infrastructure security workshops.

Please RSVP via email to Brian Bertacini, call 408-979-0571 or visit

Special thanks to Ariba for hosting this event and to AppSec Consulting and iSEC Partners for sponsoring.


San Jose OWASP Chapter Meeting -- Wednesday, July 25, 2007 -- Ariba, Sunnyvale, CA