May 7, 2015

OWASP Boston Meetup - Crowdsource Your Security Testing with Bugcrowd

Wednesday, May 6, 2015 @ 6:30 pm
Akamai Technologies
8 Cambridge Center, Cambridge, MA 
http://www.meetup.com/owaspboston/events/221696816/ 


At my previous position, I performed a bit of entry-level security testing, so I was familiar with the Open Web Application Security Project Group (OWASP ) name, with their website and the Testing Guide that they update every few years. What I didn't know was that OWASP had formed a Meetup group last year that has met every few months at Akamai Technologies starting in March of 2014.

OWASP - Boston is planning on holding regular meetings on the first Wednesday of every month.



Past OWASP Meetups

Past meetups of the OWASP Group -- according to their Meetup site -- have been:
  • Training sessions on SQL injection (SQLi) and using WebGoat  to understand vulnerabilities in J2EE and ASP.Net applications.  ( Meetup link  )
  • Training sessions on exploring the OWASP Zed Attack Proxy (ZAP ) ( Meetup link  ) 
  • Using xssValidator  -- an extension of Burp Proxy -- to automate testing for Cross Site Scripting (XSS ) errors. ( Meetup link )

Announcements from Jim Weilier

While noshing on pizza that Akamai had ordered for us attendees, the founder of the OWASP - Boston Meetup group and chapter leader of OWASP Boston, Jim Weiler, gave a few updates:
  • T-Shirts for Sale: Apollo Clark -- founder of the Boston Kali Linux Users Meetup  that I had written about in my blog  -- had designed T-Shirts for the group and donated the design to OWASP. OWASP is selling them for $10.00. Out of every purchase, $1.50 is donated to OWASP, a non-profit organization. 

Image from Apollo Clark's Flikr site


  • New Meetup Locations: Along with meeting at Akamai for Cambridge / Boston area people, Constant Contact in Waltham has offered to sponsor Meetups so people near Route 128 can get involved with OWASP. 
  • Outreach programs: OWASP is reaching out to the community, with groups as various as software quality folks, ISO (International Organization for Standardization) groups and college students so that security standards can be introduced before they are ever needed. Jim is also looking for speakers. Have a five or ten minute talk? Volunteer to become a speaker at an OWASP meeting. Whether it is an informal talk or Powerpoint slide, the important thing is, as Jim said, "Any transmission of knowledge is useful". 

Announcements from Roy Watterson

Roy Watterson, the co-founder of the OWASP Boston Meetup, stood up and spoke briefly about how to keep in touch with what OWASP Boston is doing:

  • OWASP Boston Chapter: https://www.owasp.org/index.php/Boston
  • Twitter: @OWASPBOSTON 
  • OWASP Boston Meetup: http://www.meetup.com/owaspboston/

Roy went around the room, asking if there were any other announcements:

  • New Security Meetup: Apollo Clark mentioned about how he started a new Meetup, the  Boston Kali Linux Users Meetup 
  • New Jobs Available: Many companies are hiring, looking for security testers. Even one of the companies speaking at the Meetup, Bugcrowd, is looking for people. 
  • Recent Talks: Roy mentioned the OWASP Top Ten Internet of Things gave a talk recently ( slide deck  ) and if anyone is interested in security of devices such as Fitbit, they should review the presentation. 
  • Security BSides Boston 2015 http://www.bsidesboston.org is this Saturday. Unfortunately, Roy said, all tickets are now sold out... Although you can request to be placed on the waiting list. 
  • SOURCE Security Conference and Training: This conference will be held on May 25-28 at the Marriott Courtyard - Boston. If you put in OWASP2572, it will be $100 off the price of admission.
  • And yes, Akamai is hiring

Buying Into the Bias: Why Vulnerability Statistics Suck


For the next section, Jim Weiler sketched out a lecture he once attended at Black Hat Briefings, presented by Steve Christey, from MITRE, and Brian Martin, from the Open Security Foundation.

The lecture was given at Black Hat on July 31, 2013. Below is what I found on YouTube.


[ Download Powerpoint Presentation from Brian Martin's Attrition.org site ]
[ Download slides in Adobe PDF format ]  

From siliconANGLE's  write-up of this past event:

 "Christey and Martin will explore the limitations improperly gathered and analyzed statistics and how they could ultimately be deleterious to an organizations bottom line.
Martin has, for the previous 15 years, worked in the field of collecting, studying and cataloging vulnerabilities. He is currently the Content Manager for the Open Source Vulnerability Database (OSVDB) and has actively advocated for the evolution of VDBs for many years. His work in the vulnerability disclosure process has included seeking new vulnerabilities, writing advisories, coordinating disclosure and working with several organizations, helping them to improve their vulnerability handling and response. Martin is also a member of the Common Vulnerabilities and Exposure (CVE) Editorial Board. 
"Co-hosting the presentation with Martin, Christey is a Principal Information Security Engineer in the Security and Information Operations Division of The MITRE Corporation. Christey also serves as the editor of the CVE list as well as being the Chair of the CVE Editorial Board. He has been a contributor to vulnerability studies and was co-author of the influential “Responsible Vulnerability Disclosure Process” IETF draft of 2002. His focus of late has revolved around secure software development and testing, consumer-friendly software security metrics, the theoretical underpinnings of vulnerabilities, and vulnerability research". - Alan McStravick 

Crowdsource Your Security Testing with Bugcrowd

For the next section, Leif Dreizler from Bugcrowd talked about Bugcrowd, and its success in crowdsourcing security testing. He spoke about using "bug bounties", highlighting its use at Google, Mozilla, and Microsoft. 

How the Crowd is Discovering Vulnerabilities Missed by Traditional Methods from leifdreizler





-T.J. Maher
 Sr. QA Engineer, Fitbit
 Boston, MA

// Automated tester for [ 2 ] month and counting!

Please note: 'Adventures in Automation' is a personal blog about automated testing. It is not an official blog of Fitbit.com
Post a Comment