Archive for the ‘Training’ Category

March OWASP Workshop

In addition to our quarterly meeting on March 14th, OWASP Detroit is putting on a workshop as part of the MiSec/OWASP Detroit monthly workshop series. This workshop will be hands-on and is aimed at those who are new to or unfamiliar with the process of assessing web applications from a security standpoint. We will be going over the basics of web-based communications, web architecture, common web application vulnerabilities and how to detect and exploit them.

Web applications aren’t just for posting pictures of cats, and haven’t been for a long time. Much of our modern communications infrastructure relies on Web application frameworks, protocols, and applications. Twitter, Facebook, commercial applications, administrative consoles, all rely on what, in many ways, are technologies and protocols developed in the infancy of the modern telecommunications revolution. In many ways, the security of these technologies hasn’t improved and security professionals oftentimes are not exposed to the unique challenges and methods involved in securing these applications. This workshop will provide attendees with a basis in how to assess the security of Web applications, and methodologies to help establish Web application security processes.

This will be a hands-on workshop with the ability to attack and assess a live application. Emphasis will be on learning manual testing methods.

Required: Laptop computer (OS agnostic), Java runtime engine (1.6 or 1.7), wired Ethernet connection. All other tools will be provided.

Tickets available online: http://www.eventbrite.com/event/5680869634

Branding your Security Team Workshop

Steven Fox will be offering his Branding your Security Team workshop on September 15, from 10 am to 4 pm. The training is free and requires a workshop ticket from Eventbrite.

Branding your Security Team – Connecting with Customers through Compelling Experiences

What does your security team stand for? How does it add value to its customers? How does it drive value within itself? Most managers and customers ask these questions in some form; they want to know what your team will do and why they should interact with it. Unfortunately, most IT security teams approach their answer from a context alien to those whom they serve – leaving them puzzled and frustrated.

This workshop focuses on branding techniques that will aid in reframing your team’s value proposition into a context familiar to your internal customers. While a brand can be created by an individual or team, its success depends on how it is positioned by its target customers. While the vagaries of organizational behavior make it hard to control positioning, this workshop will highlight a five-step process to define your brand, promote it strategically, and influence its positive perception within the company.

1) Create – Attendees will be presented with a security team’s branding statement which is in conflict with its customers.  They will create a new statement via a reframing exercise utilizing a customer profile document.

2) Connect – We connect to people through stories.  Thus, attendees will learn the basic structure of a story and use this to write a compelling case study that conveys their new brand statement.  This story will be shared with others and discussed to explore how it resonates with the target customer and conveys the team brand.

3) Rehearse – Rehearsal allows the team to internalize the details of their brand, freeing it to deliver the value it represents.  Attendees will learn efficient rehearsal techniques they can use with their teams.

4) Deliver – Step 2 formed a connection with your customer – a short-lived relationship that will fade if left unenforced.  This step focuses on the security team’s ability to earn the customer’s trust by serving their needs consistently and professionally while reinforcing its brand message.

5) Follow-through – This is where you make your story a reality. Attendees will learn the power of service follow-through to strengthen your brand, especially when mistakes are made.

Workshop materials will be made available in advance of the workshop so attendees can prepare. The workshop will be held on September 15, from 10 am to 4 pm, and requires a workshop ticket from Eventbrite.

Linux Hardening Workshop

Chris J will be offering his Linux hardening workshop on August 11, from 10 am to 4 pm. The event is free and requires a workshop ticket from Eventbrite. Chris writes:

 

One of the questions to come out of the Rats and Rogues Career Panel podcast was what as an industry can we do to help those coming up in the ranks behind us. At the time Security Moey and Elizabeth Martin dropped Mock InfoSec interviews.

That was great, I think helping people with interview skills is a big plus. But it doesn’t solve the first problem. Getting or having the skills you need to get the interview. So how do we fix this?

The Michigan Security community (aka MiSec) has an answer for that. MiSec is starting a series of workshops / classes. Some of these will be open source based, which should be able to be taken by any Information Security group and taught at their location without the original instructor.

The first of these will be held at 10am on August 11th, and should last for about six hours or so. During that time attendees will be installing and hardening a Linux system from scratch. When we are done, an attendee should be able to install a Linux distro from a network install media, harden the distro, configure Apache, MySQL, and PHP to be secure, set up a mail server, know how to read the related logs, and install a CMS system.

Hopefully we can get someone to help us pentest the systems, so the users can read the logs and see what an attack is like.

To participate you will need a computer with virtualization software set up. I would suggest pre-configuring the client system’s virtual with at least 10 gig, if you have the space 20 gigs. If you do not have a system with you, you will not get a lot out of the class. This is a hands-on workshop.

Software I will be using is Oracle’s VirtualBox with bridged networking set up for the guest OS. You can use whatever you like as long as you know it. If you’re not familiar with virtual software, I would go with VirtualBox. It’ll run on any system. While VMware is a good choice, I haven’t used it recently and won’t be able to help you set up before the event if you run into problems.

The event is free but a ticket is required. Get your workshop tickets at Eventbrite.

Bring the SE to Michigan!

The Social-Engineer.com Social Engineering for Penetration Testers program is a 5-day immersion into the world of a professional social engineer.

We are working to bring this 5-day, hands-on, thrill ride that is filled with information-packed discussion, performance based exercises and live demonstrations to the SE Michigan area.

This class is limited to 22 seats, first come, first served. For more information please go to:

http://www.social-engineer.com/social-engineering-in-penetration-testing-registration/

About MichSec.org

We are a collective of Michigan based information security professionals (or maybe just people interested in security) looking to share knowledge and make the world a safer place.