Yesterday afternoon I drove from Milwaukee to Chicago for my first OWASP Chicago meeting. The meeting was hosted by Morningstar and held in one of their spacious auditoriums. This particular meeting was conducted in the ‘lightning talk’ format, with six speakers each talking for 10-20 minutes. The Master of Ceremonies for the event was Mike Tracy of Matasano, who is one of the leaders of the OWASP Chicago chapter. Mike did a great job of keeping the meeting on track and on time.
The first speaker was Tom Brennan of Trustwave, a member of the OWASP Board of Directors. Tom’s talk, “OWASP – Where We Are and Where We Are Going,” gave the big-picture perspective and covered the achievements of OWASP to date and plans for the future. Unfortunately, due to traffic, I arrived a bit late and only caught the end of his talk.
Next up was Peter Morgan, also of Matasano, who gave a quick introduction to Buby, a “mashup” of the popular Burp Suite from PortSwigger and JRuby. Peter talked about installation, useful libraries, and extending functionality with modules.
Dan Crowley (@dan_crowley), also of Trustwave, gave an interesting talk titled “Jack of All Formats.” He talked about how multiple files can be put into a single file by manipulating extensions, headers, start and stop markers, etc. Dan also gave a few examples of the security implications. His talk was so interesting that Mike Tracy suggested he come back soon to give it in a full-length format (instead of being limited to 10-20 minutes).
Next, Greg Ose (@gose1) talked about Exploiting Cross-Subdomain Cookie Setting Session Fixation (XSDCSSF), and Jacob Kitchel talked about “Code Auditing by a Dummy.” Jacob’s approach to his presentation was unique in that he described his attempt to solve a SpotTheVuln challenge as a movie plot.
Last up was the ever-popular Rafal Los (@wh1t3rabbit and @rafallos) of HP. Rafal’s talk, “Software Security Reality,” covered the three pillars of software quality: functionality, performance, and security. His final slide listed four keys to software security: process, education, automation, and governance.
In all, it was an excellent meeting, and the lightning talk format kept it interesting. Kudos to the speakers, to Mike for organizing the event, and to Morningstar for hosting it!