May Meeting – Girls Who Code

Please RSVP here by May 19th. If your organization is interested in sponsoring food for this event, please let me know!
Topic: Girls Who Code
Speaker: Ellen Hartstack and the Ames High School Girls Who Code team
Date: Wednesday, May 24th
Time: 6-7pm (doors open at 5:30)
Where: (2900 University Blvd, Ames)
Girls Who Code is a free club where young girls, 6th-12th grade, learn about computer science. It starts off as a basic introduction to computer science core concepts like variables, loops, functions and builds up to a final project of the girls’ choosing. This year was the pilot program for a Girls Who Code program in Ames at the Ames High School. Come learn about some of the challenges faced by women in technical fields/roles and about how programs like Girls Who Code can combat this. We will be discussing the Girls Who Code curriculum (pros/cons), what it was like teaching this program, and demoing some of the students’ progress they’ve made throughout the first year.
Speaker Bio

Ellen Hartstack wears several hats as either a system administrator, data scientist, or security analyst, depending on the day. Ellen has worked in both the public and private sectors. She has a passion for getting folks of all walks of life excited about technology and other general nerdiness. She has been mentoring these students for the past school year.

April Meeting – Cyber Security Investigations at the FBI

Please RSVP here by April 14th.
Topic: Cyber Security Investigations at the FBI
Speaker: Special Agent Jordan Loyd, FBI
Date: Wednesday, April 19th
Time: 6-7pm (doors open at 5:30)
Where: (2900 University Blvd, Ames)
Jordan has given a number of excellent talks in the Des Moines area, and I’m thrilled he’s willing to make the drive up to Ames to share some of his experience with us. He wouldn’t put this in his bio, but I’ve heard him referred to as one of the top cyber investigators in the FBI. This is a great opportunity for you to come learn about how investigations are conducted, when and how your organization might want to involve the FBI in an incident, and I’m sure hear some great war stories.
Speaker Bio

Special Agent Loyd has been with the FBI since 2009.  SA Loyd conducts investigations into computer intrusions with criminal and national security focus.  Prior to being assigned to Cyber investigations in mid-2010, SA Loyd conducted operations targeting organized crime entities in the New York area.  SA Loyd served as a Network Manager for six years after graduating from Oklahoma State University in 2006.

Please park in either rear parking lot (P1 Parking, below) and make your way along the sidewalks behind the building to the big glass Atrium.

November Meeting – Garbage in, garbage out: generating useful log data in complex environments

Garbage in, garbage out: generating useful log data in complex environments
Speaker: Ellen Hartstack and Matthew Sullivan
Date: Wednesday, November 16th
Time: 6-7pm (doors open at 5:30)
Where: (2900 University Blvd, Ames)
Log messages. Your company probably has billions of them; but are they useful, or just noise? Having meaningful log data is a critical part of running a successful IT shop or hosted web application. How often does your user hit that weird edge-case bug? How many times has this IP address accessed our web front-end using a non-standard browser? How much processing time could we save our customer by refactoring that one function? In many environments, finding answers to these types of questions can be difficult or even impossible. Sure, the data might be there, but is it even useful? In this sysadmin and developer-focused talk, we’ll discuss ways to provide more meaningful and parsable log data, whether using an off-the-shelf product, open source, or written in-house. We’ll also briefly demonstrate how tools like Splunk or ELK stack can be leveraged to make better decisions, saving time and money. 
Speaker Bios
Ellen Hartstack wears several hats as either a system administrator, data scientist, or security analyst, depending on the day. Ellen has worked in both the public and private sectors, and enjoys helping teams make data-driven decisions as efficiently as possible. 
Matthew Sullivan is a pentester, developer, and security analyst living in Ames, Iowa. Matthew is the co-founder of the OWASP Ames chapter, creator of the Cookie Cadger HTTP session auditing tool, and an occasional presenter to both technical and non-technical audiences at various conferences and seminars.

May Meeting – Continuous Opportunity: DevOps & Security (Eric Johnson)

Edit: Thanks for Eric for his presentation last night! Slides are available here:
I’m excited to announce Eric Johnson (@cddsecurity), appsec expert extraordinaire and SANS instructor and leader, will be presenting for our May meeting. See details below!
Please RSVP here by May 13. 
Topic: Continuous Opportunity: DevOps & Security
Speaker: Eric Johnson, Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS
Date: Wednesday, May 18th
Time: 6-7pm (doors open at 5:30)
Where: Workiva (2900 University Blvd, Ames) – see below
As always, if your organization is up for sponsoring food, let me know!
With DevOps practices spreading throughout many organizations, development and operations teams are creating tools and gathering ongoing data to deliver features to end users at an ever-increasing rate. This can be an immense challenge when the security team is left out of the loop, and an even bigger opportunity when security can bring actionable ideas to the table.
We will explore some concrete ways that security teams can gain visibility into a rapidly changing environment by adding value to the pipelines which power the DevOps practice. Attendees will leave with some approaches to incorporate security into the DevOps pipeline, starting with small, simple steps that provide insight into the flow of features from “idea” to “delivered”.
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules.  Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.
Please park in either rear parking lot (P1 Parking, below) and make your way along the sidewalks behind the building to the big glass Atrium!
Upcoming Meeting Dates (Let me know if you’re interested in presenting, hosting, or sponsoring food!):
  • May 18
  • Aug 17
  • Nov 16

February Meeting – The little-known horrors of web application session management (Matthew Sullivan)

Topic: The little-known horrors of web application session management
Speaker: Matthew Sullivan (Senior Security Engineer, Workiva)
Date: Wednesday, February 17th
Time: 6-7pm (doors open at 5:30)
Where: Workiva (2900 University Blvd, Ames)
Web application session management sounds pretty straightforward, right?  Send creds, get a cookie, send the cookie on subsequent requests, and you’re in.  While that may be true, it’s only half of the (horror) story.
In this technical, example-driven talk, we’ll dive into session management issues in a manner friendly to both newbies and veterans alike.  We’ll describe some of the more common web app session management issues, discover industry trends (“I don’t need no stinkin’ database!”), detail some of the new directions in session management security.  I’ll wrap up the talk by demonstrating some ways in which web app sessions can be made more resilient to attacks.
Matthew Sullivan is an Iowa State University alumnus (BS/MS) and has been at Workiva for 3 years. He has previously held security-related positions in education and transportation. Matt has given talks at several security-related venues, and presented his graduate work (Cookie Cadger) at the DerbyCon security conference in Louisville, Kentucky. He was one of the leading voices during the response to Heartbleed, and was interviewed about its impact by WIRED magazine.
2016 Meeting Dates
  • Feb 17
  • May 18
  • Aug 17
  • Nov 16

December Meeting – Mobile Top Ten Security Risks (David Lindner)

Update: Here are the slides from the presentation!
Topic: Mobile Top Ten Security Risks
Speaker: David Lindner (Director of Mobile and IoT Security, nVisium)
Date: Wednesday, December 2nd
Time: 6-7pm (doors open at 5:30)
Where: Workiva (2900 University Blvd, Ames)

With over 3.1 million applications in the Apple AppStore and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a pen tester of mobile applications is understanding how every security control works and how they all interact. The Open Web Application Security Project (OWASP) has aimed to help organizations understand the most prevalent mobile risks with their recently released OWASP Mobile Top Ten Risks of 2014. Join Dave as he walks through the Top Ten and explains the typical vulnerabilities found in doing penetration testing and code review of mobile applications.

David is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support, IT security and consulting, and application security. Over the past 6 years, David has specialized in all things related to mobile applications and securing them. David has supported many different clients including financial, government, automobile, healthcare, and retail. In his spare time, David hones his Mobile and IoT testing skills by participating in numerous bug bounties.

August Meeting – There’s a hole in my bucket, dear Liza — Examining side channel leaks in web apps (Ben Holland)

Ben’s presentation on YouTube:
Topic: There’s a hole in my bucket, dear Liza — Examining side channel leaks in web apps.
Speaker: Ben Holland
Date: Tuesday, August 18th
Time: 6-7pm (doors open at 5:30)
Where: (2900 University Blvd, Ames)
Think twice before you optimize that code!  You might just give away the farm. Side channel attacks were traditionally used to reverse engineer cryptographic hardware circuits using power analysis, but more recently timing information is being used to deduce the sensitive inner workings of software. The steady stream of side channel exploits coming out academia and the security community continue to demonstrate the seriousness of the problem and DARPA’s current Space/Time Analysis for Cybersecurity (STAC) program indicates that we need a solution now. Let’s take a look at a few real examples of information leakage through side channel attacks in web apps and learn to spot them together.  If there’s a hole in your bucket, then fix it, dear Henry.
Speaker Bio
Ben Holland is a research scientist at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. He’s lectured on security topics for courses in program analysis and operating system principles.  Ben has given talks at Derbycon 4.0 in Louisville, Kentucky and at DARPA’s headquarters in Arlington, Virginia. His past work experience has been in mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. He holds a master’s degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA’s Space/Time Analysis for Cybersecurity (STAC) program with plans to start a PHD program in Fall 2015.

June Meeting – Securing the DOT’s Motor Vehicle Division’s Online Services (Nichole Dugan)

Our apologies for not getting this up on the site back in June, but I wanted to post what our June meeting’s topic was about.  Thanks to Nichole for an excellent presentation!

Speaker: Nichole Dugan

Date: Tuesday, June 16

Microsoft introduced the concept of membership providers in ASP.NET 2.0, allowing .NET developers the ability to quickly integrate security using a database or Active Directory with minimal code. In the years since its introduction, Microsoft has continued to support the technology and now allows for the creation of new membership providers inherited from a base class. When the DOT decided to create an online presence allowing for customers to change their mailing address online, sign up for license renewal reminders, and renew their driver’s licenses online, the decision was made to use a custom membership provider to authenticate users. This presentation will give a brief overview of the built in membership providers available in .NET and how the DOT’s online services use a custom membership provider to not only authenticate users, but authorize them to access of different services.

Great turnout for inaugural meeting!

Thank you to everyone who attended our first meeting of OWASP Ames this evening. We had over 20 organizations represented and over 50 attendees! Here’s to many more to come!

You can read more about Burp Suite at:

At the end of the meeting, we had a brainstorming session about topics we’d like to see presented on, or events we’d like to foster as part of this chapter. Please see the list below, and contact Matt or Ben if you’d like to help plan or host any of these!

We tentatively will plan on our next meeting being in October to start a regular quarterly schedule.

  • Event Ideas
    • Helping small businesses in Ames with their website security
      • 2-4 times/year: Volunteer pentest to help Ames businesses?
    • Work with Hackathon communities in Ames and Des Moines
    • Labs/Jams/Workshops
  • Meeting Topics
    • OWASP Top 10 – meeting to go through, or maybe a couple per meeting over a few meetings?
    • Policy, Strategy
    • Cloud Security/App Risk Assessment
    • SDLC processes – How to bake security in?
    • Bug Bounty Programs – How to set them up, how to participate
  •  Communications
    • Twitter/Mailing List (unmoderated list/open [email protected] with moderation?)
      • Upcoming Trainings/Cons/Confs?