OWASP London
Welcome to the OWASP London chapter homepage. The chapter board is Sam Stepanyan, Sherif Mansour and Andra Lezza. Follow chapter news on Facebook | Twitter | Meetup.com | EventBrite | LinkedIn | Watch recordings of past talks on our YouTube Channel
Chapter Supporters
The following is the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, thereby contributing funds to our chapter:
Meeting Supporters
The following is the list of organisations who have generously provided us with space for OWASP London chapter meetings:
Speaking at OWASP London Chapter Events
Call For Speakers
The Call For Speakers is open. If you would like to present a talk at future OWASP London Chapter events, please review and agree to the OWASP Speaker Agreement and submit your talk proposal here: https://www.papercall.io/owasp-london
Next Meeting/Event(s)
OWASP London Chapter meetings are posted on our MeetUp Page:
Please visit the OWASP London MeetUp site (http://www.meetup.com/OWASP-London) for London Chapter event information.
Video Recordings of Past Events
You can watch the recordings of talks presented at OWASP London events on our YouTube channel: https://www.youtube.com/OWASPLondon
Please SUBSCRIBE to our YouTube channel to get notified when new videos get published.
Updates on Social Media and Mailing List
Please follow OWASP London Chapter on Twitter/Facebook/MeetUp/EventBrite/LinkedIn and sign up to our mailing list to be notified about upcoming OWASP London Chapter events.
Next Meeting/Event(s)
Please follow OWASP London on Twitter/Facebook/Meetup/EventBrite or join our Mailing List to be notified as soon as the next event date and location are announced.
OWASP London Chapter upcoming events can be found on Meetup:
https://www.meetup.com/OWASP-London/
Past Events
Thursday, 18th April 2024 6:00pm (in-person/hybrid)
- OWASP London Chapter Meetup at Thought Machine HQ, London [IN-PERSON].
Video recordings: YouTube playlist & full live stream
TALKS:
- “SBOMS and why they can help make your software more secure” - Anthony Harrison
- “The Risks of Blind Trust in Code from Strangers” - Tal Folkman
- “Decoding Software Composition Analysis (SCA): Unveiling Pain Points” - Kaiwen Jiang [PDF] [video]
REGISTRATION:
You can register to attend this event here:
https://www.meetup.com/owasp-london/events/300319331
Thursday, 22nd February 2024 5:00pm (in-person/hybrid)
- OWASP London 20th Anniversary Chapter Meetup at Google London [IN-PERSON]. Details and registration:
https://rsvp.withgoogle.com/events/20th-anniversary-owasp-london-google
Video recordings: YouTube playlist & full live stream
TALKS:
- OWASP Welcome & Introduction - Andra Lezza, Sam Stepanyan, Sherif Mansour
- Session 1: “Google approach to remediating bug classes” - Harshvardhan Sharma
- Session 2: “ModSecurity 22 Years Later: Success and Failure” - Ivan Ristic
- Session 3: “It’s 2024 and, with GenAI, we can finally make AppSec work” - Dinis Cruz
- Session 4: “Twenty Years - So we’ve solved AppSec issues right?” - Daniel Cuthbert
Thursday, 11th January 2024 6:00pm (in-person/hybrid)
- OWASP London Chapter Meetup at Just Eat [IN-PERSON]. Details and registration:
Video recordings: YouTube playlist & full live stream
TALKS
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour and Andra Lezza
- Talk 1: “A Data-Led Approach to Cybersecurity” - Disha Mukherjee
- Talk 2: “DevSecOps Worst Practices” - Tanya Janca
- Talk 3: “How To Write Insecure Code and Other Stories” - Shruti Kulkarni
Talk 1: “A Data-Led Approach to Cybersecurity” - Disha Mukherjee
Come along on a journey as we explore the transformative power of big data in the realm of cybersecurity. We’ll dive into the data deluge, the might of data analytics in sniffing out threats, and the crucial role of real-time monitoring. Learn how a data-focused approach to security can revolutionize your defenses, from harnessing advanced analytics to envisioning the future of AI in cybersecurity. Get set to unlock the potential of big data in strengthening your systems and reducing risks. Together, let’s boost security with data and chart a path towards enhanced protection against ever-evolving cyber threats.
Talk 2: “DevSecOps Worst Practices” - Tanya Janca
Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense on first blush. Let’s explore tried, tested, and failed methods, and then flip them on their head, so we know not only what to do to avoid them, but also why it is important to do so, with these DevSecOps WORST practices.
Talk 3: “How To Write Insecure Code and Other Stories” - Shruti Kulkarni
We live in a “speed-to-market” era. Including security controls in applications sometimes may be considered an overhead. However, if security controls are not added to applications during development, it may be challenging to add them later on. In this presentation, we will see how code can be written insecurely and really how simple it is to include the required security controls in the application.
SPEAKERS
Disha Mukherjee (@DishaMukherjee)
Disha is a Data Engineer on the Information Security Team at Just Eat Takeaway. Her job is all about designing, developing, and maintaining efficient data pipelines that help us make informed decisions about all things security-related.
Tanya Janca (@shehackspurple)
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of “We Hack Purple”, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger and podcaster and has delivered hundreds of talks on 6 continents. Tanya values diversity, inclusion, and kindness, which shines through in her countless initiatives. Advisor: Nord VPN, Aiya Corp. Faculty: IANS Research. Founder: We Hack Purple, OWASP DevSlop, #CyberMentoringMonday, WoSEC.
Shruti Kulkarni (@shruti-s-kulkarni)
Shruti is a cyber security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling and risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information security controls in the software development life-cycle, service operations and service delivery, such that security controls support business requirements.
Tuesday, 5th December 2023 (in-person/hybrid)
Video recordings: YouTube playlist & full live stream
TALKS
- OWASP Introduction, Welcome and News - Sam Stepanyan
- Talk 1: “E2E Detection Testing” - George Gilligan
- Talk 2: “5 Open Source Security Tools All Developers Should Know About” - Raz Probstein
- Talk 3: “I Will IDOR Myself In” - Vangelis Stykas
Talk 1: “E2E Detection Testing” - George Gilligan
How do you make sure your detections work in a cloud native organisation? Software engineers have integration tests, reliability engineers have chaos engineering frameworks. Detection engineers lack an equivalent standardised approach to E2E testing. A natural approach is a binary that generates a suspicious event, validates that a suitable alert is generated in your SIEM, closes it, and reports the result. An open source Datadog tool named Threatest does just this. We are working on extending this to work with Elasticsearch, with the hope of automating a huge portion of the work of the red team, and providing constant validation for our detections.
Talk 2: “5 Open Source Security Tools All Developers Should Know About” - Raz Probstein
The minimum viable security (MVS) approach enables us to easily bake security into our config files, apps, and CI/CD processes with a few simple controls - and the great part? It’s easily achievable through open-source tooling. In this talk we will focus on five critical security controls that will be integrated as part of the CI/CD pipeline by leveraging some excellent open source tools, in addition to custom controls to ensure proper enforcement of MFA via GitHub Security. These controls will provide a foundational framework for securing your applications from the first line of code, which will make it possible to continuously iterate and evolve your security maturity all the way through the advanced layers of security that come with time, as well as increased experience with your deployments, stacks, and security posture. Code examples and demos will be showcased as part of this session.
Talk 3: “I Will IDOR Myself In” - Vangelis Stykas
How could attackers gain control of hundreds of millions of devices? In this talk Vangelis explains how attackers can exploit a series of simple yet critical API flaws, typical “rush to market” flaws, which allow an attacker to control devices and even use them as an initial foothold in millions of networks. Devices vary from routers to alarms and car chargers. It seems that the era of “central platform” handling, which solves a variety of problems (like port forwarding), backfired by re-introducing a number of vulnerabilities that were thought to be long gone.
SPEAKERS
George Gilligan (@ggilligan12)
George Gilligan is a security engineer at Thought Machine, where his work includes securing Kubernetes clusters, container security, intrusion detection, security testing, and implementing security policies. George participates in various CTF competitions and his CTF achievements include the Deloitte CTF Qualifier, Scottish Universities Cybersecurity Challenge and Hack Harvard 2018. George holds an Offensive Security Certified Professional (OSCP) certification and a BSc (Honours) degree in Computer Science and Mathematics from the University of Edinburgh.
Raz Probstein (@RazProbstein)
Raz comes with years of experience in both leadership and technology, having served as Young Ambassador to the state of Israel and having been headhunted and selected as Young Researcher at the prestigious Weizmann Institute for multi-disciplinary scientific research. Today she serves as a Solution Engineer at Jit, coming to the role with years of experience as a FullStack Engineer and years of experience in a diversity of programming languages, from Python to JavaScript and C/C#, gained in the elite IDF unit 81.
Vangelis Stykas (@evstykas)
Vangelis is a Chief Technology Officer at Atropos, and during his free time, Vangelis is helping start-ups secure themselves on the internet.
Thursday, 16th November 2023 (in-person/hybrid)
Video recordings: YouTube playlist & full live stream
Talks
- Intro: Welcome and a brief update on OWASP Projects & Conferences - Sam Stepanyan
- Talk 1: “Introduction to OWASP depscan - the SCA tool that is built to forget” - Prabhu Subramanian [PDF] [Video]
- Talk 2: “ChatGPT Tutorial for Developers - 10X your AWS Security Skills” - Ashish Rajan [PDF] [Video]
Talk 1: “Introduction to OWASP depscan - the SCA tool that is built to forget” - Prabhu Subramanian
Software composition analysis tools, both commercial and open source, have some problems. They are too noisy, constantly distracting developers and AppSec with needless pull requests and non-actionable alerts. In this talk, we introduce OWASP depscan, the SCA tool that is purpose-built to cut the noise, make security actionable, and help dev teams forget the tool even exists in their CI pipeline.
Talk 2: “ChatGPT Tutorial for Developers - 10X your AWS Security Skills” - Ashish Rajan
This talk will go through the foundational cloud security components of deploying AWS with security at scale the traditional way. Then we will attempt the same with ChatGPT for those who are perhaps new to AWS but would like the new way of learning cloud security.
Speakers
Prabhu Subramanian (@_prbh)
Prabhu Subramanian is the author and OWASP leader behind projects such as CycloneDX Generator (cdxgen) and depscan. He specializes in Supply Chain Security and offers consultancy to global clients via his company, AppThreat Ltd.
Ashish Rajan (@hashishrajan)
Ashish Rajan is the host of the wildly popular Cloud Security Podcast, a CISO, CyberSecurity Influencer, a SANS Trainer for Cloud Security and an outspoken opinion leader on all things Cloud Security & DevSecOps.
He is a frequent contributor on topics related to public cloud transformation, DevSecOps, Future Tech and the associated security challenges for practitioners and CISOs.
Tuesday, 24th October 2023 6:00pm (in-person)
- OWASP London Chapter Secure Coding Tournament at Monzo [IN-PERSON]. Details and registration:
https://www.meetup.com/OWASP-London/events/296523070
Thursday, 3rd August 2023 6:00pm (in-person)
Video recordings: YouTube playlist
Live-Stream: live-stream
- OWASP London Chapter Meetup [IN-PERSON] at Licel Corporation London offices in HereEast/Queen Elizabeth Olympic Park in Stratford. Details and registration: https://www.eventbrite.co.uk/e/owasp-london-chapter-meetup-in-person-tickets-679671735457
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan
- “DevSecOps Maturity Model (DSOMM): From Theory to Enforcement” - Raz Probstein [PDF]
- “Doing More with Less: Practical Applications for Generative AI in Cybersecurity” - Matt Adams [PDF]
Tuesday, 30th May 2023 6:00pm (in-person)
Video recordings: YouTube playlist
- OWASP London Chapter Meetup at Amazon London [IN-PERSON]. Details and registration: https://www.eventbrite.co.uk/e/owasp-london-chapter-meetup-in-person-tickets-634995969037
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan
- Talk 1: “Security Chaos Engineering: When and How You Should Break Your System” - Anais Urlichs [PDF]
- Talk 2: “It’s Not a Bug It’s Emergent Behaviour - Generative AI, Its Cybersecurity Risks and Benefits” - Sherif Mansour [link to Jupyter Notebook presentation]
Tuesday, 29 March 2023 5:30pm (in-person)
- OWASP London CTF - OWASP London Chapter is pleased to announce the next OWASP London Capture The Flag Tournament. Discover vulnerabilities, capture flags, win real prizes! Register here: https://www.eventbrite.co.uk/e/owasp-london-ctf-tournament-in-person-tickets-574787925157?aff=ws
Tuesday, 28 February 2023 (in-person/hybrid)
Video recordings: YouTube playlist & full live stream
- Intro: Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders
- Lightning Talk: The Need for Data Security and Why It’s Such a Neglected Part, Mike Andrews
- Talk 1: What I Found When Modelling Threats In The Open (Source), Dan Conn
- Talk 2: Synthetic Identities - An AppSec Point of View, Timur Yunusov
TALKS
Lightning Talk: The Need for Data Security and Why It’s Such a Neglected Part, Mike Andrews
We’re doing security wrong. We’re living in a construct where we chase vulnerabilities, patch-levels, configurations, etc. We chase around the unimportant because it’s what we’ve always done. It wasn’t wrong then, but times have changed. What if I told you there was another way, a way out of the chaos, a way to clear (most of) the alert-fatigue and focus on what is important? Today we need to be data-centric as that’s what attackers are after, and losing control of it gets CISOs fired – be it data-leaks, ransom-ware, or breaches of compliance/privacy. But we’re losing this battle because data is everywhere, so how does one decide what is or isn’t important?
Talk 1: What I Found When Modelling Threats In The Open (Source), Dan Conn
Secure development is hard. Throughout the entire development of an open source project, security needs to be top of mind due to a potential myriad of threats. Some open source orgs are starting to ask for security matrices, and expect some threat modelling to have taken place, so that the threats to a system can be evaluated. This, however, can be difficult. Considering the different use cases of a project that may be running in different architectures can be quite a struggle, combined with sometimes working with developers who may not be familiar with threat modelling in general. This talk will explore how to make threat modelling easier for open source developers by using open source tools such as OWASP Threat Dragon and Threagile, and where each is better suited than the other.
Talk 2: Synthetic Identities - An AppSec Point of View, Timur Yunusov
In the era of neobanks with no branches and broadly adopted eKYC standards, the entry barriers for cybercriminals are extremely low. How could FinTech win in this ongoing cat-and-mouse game? How do criminals utilise gaps in the workflows of the modern payment ecosystem? After looking at the mobile applications and API workflows of dozens of FinTech companies across Europe, the USA and Asia, I will provide real-world examples from both sides of the battle.
SPEAKERS
Mike Andrews (@ma)
Mike Andrews is head of engineering and product at Open Raven – a VC-funded startup in the data security space (and promises that this talk, in no way, is a product pitch!). He’s previously held leadership roles at Oracle and Microsoft, joining security, engineering, and DevOps/SRE, but started out in academia researching programmer psychology and productivity, and “fell into” security via a strange convergence of bug reporting, government contracts, and the early days of OWASP. He’s the author of “How to break web software” – one of the first WebAppSec books, way back in the early 2000s – and is still surprised that he’s receiving royalties off it.
Dan Conn (@danjconn)
Dan Conn likes to sit at the point between cyber security and development and over the past 10 years has worked as a developer in small startups, large corporates and many in between, catering for clients in both the public and private sector, from SME size to enterprise. He has also had a strong interest in cybersecurity for just as long, culminating in a postgraduate certificate in Advanced Security and Digital Forensics. Dan is now a Developer Advocate for Sonatype. When not coding, hacking, or talking about these things… you can find Dan running, skateboarding, DJ-ing or making music.
Timur Yunusov (@a66ot)
Timur Yunusov is a payment security researcher, an application security expert with a focus on FinTech, and one of the Payment Village organisers. Some of Timur’s research in the field of application security includes “Bruteforce of PHPSESSID” and “XML Out-Of-Band”, shown at BlackHat EU back in 2013. Timur has previously spoken at conferences such as BlackHat EU, BlackHat USA, HackInTheBox, Nullcon, NoSuchCon, CanSecWest, Hack In Paris, ZeroNights, Positive Hack Days and at OWASP meetups.
Thursday, 15th December 2022 (in-person/hybrid)
Video recordings: YouTube playlist & full live stream
- Intro: Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders
- Talk 1: “Preventing Subdomain Takeover with OWASP Domain Protect” - Paul Schwarzenberger
- Talk 2: “The Security Tools Crash and the Next Generation of Cloud Native Platform” - Mark Curphey
- OWASP 2023 - Listening Tour
TALKS
OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour and Andra Lezza
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
Talk 1: “Preventing Subdomain Takeover with OWASP Domain Protect” - Paul Schwarzenberger [PDF]
Paul Schwarzenberger, project leader of OWASP Domain Protect, describes how the OVO Energy Bug Bounty program led to the launch of a new OWASP project to prevent subdomain takeovers, and gives a live demonstration of detection of vulnerable domain records, followed by automated takeover.
Talk 2: “The Security Tools Crash and the Next Generation of Cloud Native Platform” - Mark Curphey [PDF]
Mark Curphey, founder of OWASP, recently wrote an article called The Security Tools Crash is Coming that received a lot of praise from security practitioners and, unsurprisingly, met with some disdain from some security startup founders and venture capitalists. In this talk Mark will run through the key points of the article and then talk about what he believes is the next generation of tools, merging AppSec and CloudSec into interoperable cloud native platforms.
Talk 3: OWASP 2023 - Listening Tour
Mark Curphey was recently elected to the 2023 OWASP Board on a manifesto to modernize OWASP. He is on a tour of European chapters listening to feedback from members and chapter attendees about what they would like to see OWASP do. This session will be at the end of the night, so we can run over and continue the conversation in the pub.
SPEAKERS
Paul Schwarzenberger (@paulschwarzen)
Paul Schwarzenberger is a cloud security architect and DevSecOps specialist, using an agile DevSecOps approach to lead the implementation and migration of critical systems to public cloud. Paul has extensive experience leading a wide range of cyber security engagements for customers across sectors including UK Government and financial services. Paul is a speaker on Cloud Security and DevSecOps at conferences such as (ISC)2 Congress, fwd:cloudsec, Security BSides, DevSecCon, 44CON, Enterprise Cloud Computing, CRESTcon, DevSecOps London and now OWASP.
Mark Curphey (@crashappsec), OWASP Founder
Mark is the founder of OWASP. He is also founder and CEO of SourceClear (acquired by Veracode in 2018) and the co-founder of Open Raven (https://www.openraven.com), a data security company. Mark moved to the U.S. in 2000 to join Internet Security Systems (now a part of IBM); he has also held roles including director of application security at Charles Schwab and VP of Professional Services at Foundstone and McAfee, and led the security tools team at Microsoft. Mark holds a Master’s in Information Security from Royal Holloway University. After having lived for many years in Seattle and San Francisco, Mark has returned to Great Britain, where he continues to work on his next big project. Mark is also an avid cyclist.
Thursday, 17th November 2022 (in-person/hybrid)
Video recordings: YouTube playlist
- Intro: Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders
- Talk 1: “Securing DevOps: Where to Start and What to Measure?” - Stefania Chaplin [PDF]
- Talk 2: “Will FIDO Passkey help us to move on from Passwords?” - Dario Salice [PDF]
Talk 1: “Securing DevOps: Where to Start and What to Measure?” - Stefania Chaplin
How do we secure our DevOps processes? Why is shifting left important? How do we get developers to care about security and empower them to make a difference? Where do we start and what do we measure? Often in software development we operate in silos. Different tribes have different priorities and lexicons. How do we break down these pre-existing silos and continue innovating and optimising our software development process? Shifting left can help to break down silos and empower developers to take a security-first approach. Measuring DevOps can be hard; DORA metrics can help you to become an Elite performer. Join this session to find out more about these and, importantly, when it comes to securing DevOps, where to start and what to measure.
Talk 2: “Will FIDO Passkey help us to move on from Passwords?” - Dario Salice
Passwords are bad at protecting our digital assets and they make it harder for us to access them. Security: An estimated 22% of US consumers self-identify as having been hacked at least once. A hacked account sells for as little as $1. Access: Forgetting your password seems like merely an annoyance. However, it contributes to churn on consumer platforms and can make up 50% of corporate IT Support calls. All is not lost; Passkey is here to save the day. In this session, I’ll walk you through what passkey is, how it works, and how it can impact your churn and security goals.
SPEAKERS:
Stefania Chaplin, Solutions Architect at GitLab
Stefania’s experience as a Solutions Architect within Cybersecurity, DevSecOps and OSS governance means she’s helped countless organisations understand and implement security throughout their SDLC. She is an active member of OWASP DevSlop, hosting their technical shows. When not at a computer, Stefania enjoys surfing, yoga and looking after all her tropical plants.
Dario Salice
Dario Salice is a seasoned professional in the space of Telecommunications, Security, and Online-Identities. While most recently working at Google and then Meta, he provided the right security tools to billions of users to protect their online accounts. Dario also launched programs to protect highly targeted individuals from attack. Serving as Meta’s representative on the Board of the FIDO Alliance, an industry standards organization working on strong authentication methods, Dario gained a broader perspective on the global authentication market. His current focus is ramping up an independent boutique consulting service to engage with companies of any size who want to benefit from his insights and experience in the Security & Identity space.
Thursday, 8th September 2022 (in-person/hybrid)
Video recordings: YouTube playlist
Lightning Talk: “Using Trivy and Falco to Detect Malware in a Kubernetes Environment” - Marco Mancini
Talk 1: “The Iceberg: Your Attack Surface Just Got Bigger (How to mitigate risks in your OSS projects)” - Sonya Moisset
Software supply chain attacks are not a new security concern, but recent high-profile attacks such as SolarWinds, CodeCov, and Kaseya have brought the topic to the forefront of cybersecurity awareness across the globe. Supply chain attacks have not only increased in volume and frequency, but have also become more sophisticated. This trend, together with the potentially wide impact of a singular successful supply chain attack, requires maintainers to take dedicated steps to ensure the security and integrity of their projects. You will learn how to secure your CI/CD pipeline by setting up guardrails at each stage and harden your OSS projects.
Talk 2: “Pwning the CI Workflow and How to Prevent It” - Steve Giguere
Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is as visible to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk, we’ll look at some known potential exploits of GitHub Actions workflows to show how simple misconfigurations or straight-up bad practices can leave our supply chain wide open to attackers.
SPEAKERS:
Sonya Moisset (@SonyaMoisset)
Sonya is a Senior Security Advocate at Snyk and a lifelong traveler who lived in the Middle-East, North Africa and Asia. Always looking for new challenges – she made a career change from International Business Consultant in Tunisia, Saudi Arabia and Singapore to Full Stack Software Engineer in South Korea to Cybersecurity in the United Kingdom. She is passionate about Open-Source, DevSecOps and Cloud Computing. She has been listed on the 2022 OpenUK Honours list. She is a mentor and a strong advocate for women in tech. She founded the initiatives Epic Women in Cyber and Epic Women in Tech to highlight amazing women in the industry and share their experiences and journey. The initiative won the Ally of the Year 2021 - People’s Choice award. She was also part of the Diversity & Inclusion Power List 2022 from Girlcode. Sonya is an ambassador at OpenUK, and Girlcode, a GitHub Star, a Lead mentor at CAPSLOCK and CyberGirls and a cybersecurity writer for FreeCodeCamp. She is a DevSecOps/Cloud Security advocate, a public speaker on the world tech scene, and an active member of the tech community in the UK. Her motto is #GetSecure, #BeSecure & #StaySecure.
Steve Giguere (@SteveGiguere)
Steve Giguere is a Developer Advocate with Bridgecrew by Prisma Cloud, specialising in cloud and infrastructure security automation. Prior to this Steve was a Solution Architect for StackRox and Aqua Security, specialising in container and Kubernetes security, and also previously spent several years at Synopsys establishing DevSecOps best practices for enterprise CI/CD pipelines. Steve runs the DevSecOps London Gathering community and several security podcasts, including CoSeCast - The Continuous Security Podcast, the Twitch/YouTube show C9K, as well as a personal blog and podcast called Codifyre.
Marco Mancini (@ManciniJ)
Marco Mancini is a Security Engineer in the Threat Operations team at Thought Machine. The team works in the detection engineering space and performs Incident Response for all the cloud native technologies Thought Machine employs.
Tuesday, 10th May 2022 (in-person/hybrid)
Video recordings: YouTube playlist
- Lightning Talk: “Software signing and verification with Sigstore” - Sherif Clinch
- Talk 1: “Introducing OpenCRE” - Spyros Gasteratos
- Talk 2: “Gamification of Threat Modelling” - Grant Ongers
Thursday, 10th March 2022 (online)
Video recordings: YouTube playlist
- Talk 1: “Not All SBOMs Are Created Equal” - Jeff Williams
- Talk 2: “OWASP Dependency Track and CycloneDX SBOM Standard” - Steve Springett
Talk 1: “Not All SBOMs Are Created Equal” - Jeff Williams
OWASP was the first to champion the importance of insecure components in 2013. Since then, organizations have been slowly improving their software supply chain tools and processes. But as the Log4Shell debacle reminded us, we still have a very long way to go. The recent Executive Order on Cybersecurity has mandated the use of “Software Bill of Materials” or SBOM and the idea seems to be catching on rapidly. In this talk, we’ll discuss using SBOMs – both upstream and downstream in your software supply chains. Unfortunately, what shows up in an SBOM depends on how it was created. From a source code repo? A binary? A running application? How far down the stack does it go? Just the app? Application server? Platform? Container? OS? And when was the SBOM created? Latest version? Branch? We’ll also talk about some of the practical problems with using SBOM as a way to understand your supply chain at scale. Come find out how to leverage SBOMs the right way.
Talk 2: “OWASP Dependency Track and CycloneDX SBOM Standard” - Steve Springett
Software Bills of Materials (SBOMs) have gained widespread support, from the software industry to critical infrastructure to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational, and license risk. Both of these flagship OWASP projects work together to allow organizations to make better risk-based decisions.
SPEAKERS:
Jeff Williams (@planetlevel)
Jeff Williams is the co-founder of and a major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard (ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
Steve Springett (@stevespringett)
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques. Steve’s passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and is the Chair of the OWASP CycloneDX Core Working Group, a Software Bill of Materials (SBOM) Standard.
Thursday, 18th November 2021 (online)
Video recordings: https://www.youtube.com/watch?v=wS9SF2AT_co and https://www.youtube.com/watch?v=NZOeOmPIkCA
OWASP London Chapter is proud to present our Capture the Flag (CTF) event for 2021 in collaboration with the OWASP Diversity and Inclusion Committee and many OWASP UK Chapters (including Bristol, Cambridge, Dorset, Newcastle, Reading, Suffolk).
The event will be hosted by Security Innovation using their platform and will be instructor-led. It combines Security Innovation’s CMD+Ctrl CTF with a Bootcamp self-paced training course to which all CTF players will have 4 weeks’ FREE access.
Although the event is online, as this is a live participatory event it will not be recorded.
Want to test your skills in identifying web app vulnerabilities? Join several OWASP UK Chapters and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defence is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills.
ATTENTION: Additional registration required in order to gain access to the CTF platform and play:
CTF Event registration link is now live! Form fields are optional, so feel free to put N/A anywhere you do not wish to provide information, although you will need a working email address, and the name fields will be used to identify you for the CTF.
Thursday, 7th October 2021 (online)
Video Recordings of talks from this event can be found here
Talk 1 : “What the Log?! So Many Events, So Little Time!” - Miriam Wiesner (@MiriamXyra)
Talk 2 : “OWASP Top Ten 2021” - Andrew van der Stock (@OWASPED)
TALK ABSTRACTS:
“What the Log?! So Many Events, So Little Time!” - Miriam Wiesner
Detecting adversaries is not always easy - especially when it comes to correlating Windows Event Logs to real-world attack patterns and techniques. This talk is about EventList - a free and open-source tool which helps to match Windows Event Log IDs with the MITRE ATT&CK framework (and vice-versa) and offers methods to simplify the detection in corporate environments worldwide.
“Introducing OWASP Top Ten 2021” - Andrew van der Stock
Welcome to the latest instalment of the OWASP Top 10. In this talk you will learn about the brand new OWASP Top Ten 2021, the methodology behind it, the categories, the data collection and analysis process and of course how to start an AppSec Program with the OWASP Top 10.
SPEAKERS:
MIRIAM WIESNER (@miriamxyra)
Miriam Wiesner is a Senior Security Program Manager for Microsoft Defender ATP. Besides MDATP, she has a focus on Secure Infrastructure, Windows Event Logs, Active Directory Security, Just Enough Administration, PowerShell, and many more. In her spare time, she enjoys writing articles for her private blog (miriamxyra.com), developing open-source tools to help the community, and speaking at international conferences and events. She’s a life-long learner, always excited about new technologies, and empowering others.
ANDREW VAN DER STOCK (@OWASPED / @VANDERAJ)
Andrew van der Stock is an acknowledged leader of the application security field, with nearly 20 years’ application security experience in Australia and the USA, and over 25 years’ experience in the IT and System Administration fields. Andrew joined OWASP in 2002 (!) and served as OWASP Sydney Chapter Leader and OWASP Melbourne Chapter co-leader. Over the years Andrew was involved in leading and working on many OWASP Projects such as OWASP Developer Guide 2.0, OWASP Top 10, ESAPI for PHP and OWASP Application Security Verification Standard (ASVS), as well as starting the OWASP Proactive Controls project. Andrew’s corporate world experience includes a directorship role at KPMG Australia and a Senior Principal Consultant role at Synopsys Inc. Currently Andrew is the Executive Director at OWASP, taking the Foundation through organisational change and taking our mission to the next level.
Thursday, 16th September 2021 (online)
Video Recordings of talks from this event can be found here
“Cryptographic protection of ML models in Mobile Apps” - Anastasiia Voitova [video] [Slides PDF]
Imagine a system that operates with ML models. These models are unique and work with user-generated content better than anyone else. For various business reasons, instead of running one large sophisticated model on the server, developers have to run models on mobile devices (viva TensorFlow!). Our challenge is to protect these models from leakage and massive accumulation, which leads to reverse engineering of their unique approach. This talk explains building DRM-like protection with application-level encryption using an HPKE-like approach on ephemeral keys. Anastasiia will discuss risks, threats, dataflow, the cryptographic layer, key management and integration with traditional application security controls for a defense-in-depth approach for mobile apps.
“Be Better At InfoSec - 10 Lessons Learned From Moving From The Dark Side To The Light” - Mark Stamford [video] [Slides PDF]
InfoSec has become a giant, marketing-driven, bandwagon affair. However, all is not lost: this talk will focus on 10 lessons that can be applied to your job (no matter what it is, as long as it’s InfoSec related) that will help you do it better, stronger, faster etc., providing information on topics such as: why does no one ever give me the funding I want and how do I get it? How can I do a useful penetration test? How do I build an effective security program that makes my job security > 2 years? And how do bad guys really think, and how do I do that? Drawing on personal experience and other sources, this talk will provide concrete things you can actually do to keep the organisations we work for secure, not lose our minds, and hopefully navigate the crazy.
SPEAKERS:
ANASTASIIA VOITOVA (@vixentael)
Anastasiia Voitova (@vixentael) is a head of customer solutions at Cossack Labs and a software security engineer with 10+ years of experience, specialising in security engineering, data security, and applied cryptography. Anastasiia is a prominent leader in the Ukrainian cybersecurity community and a co-leader of Women Who Code Kyiv. She also maintains the open-source cryptographic library Themis, conducts secure software development training and speaks at many international conferences.
MARK STAMFORD
Mark Stamford is the founder and CEO of OccamSec, where he works with a fantastic team of security professionals helping protect some of the largest, and smallest, organisations on the planet. His interest in security began after watching WarGames and deciding that “breaking into computers looks fun”; he then proceeded to hack things from the age of 11, before getting a proper job, which exposed him to some of the earliest days of corporate espionage. He then worked for a Big 4 consulting firm as a senior pen tester, then moved on to a large bank where he built and ran the threat and vulnerability management program, and finally he started his own company.
Thursday, 4th March 2021 (online)
Video Recordings of talks from this event can be found here: https://youtube.com/playlist?list=PLmfxTKOjvC_dYOLF3qfaJ6l1fsAkGUvUT
AGENDA:
- Introduction, OWASP News & Updates - Sam Stepanyan
- Talk 1 : “Teaching the OWASP Top 10 to Beginning Developers” - Olivia Liddell Slides PDF
- Talk 1 Q & A
- Talk 2 : “Finding Your Next Bug: GraphQL Hacking” - Katie Paxton-Fear Slides PDF
- Talk 2 Q & A
TALK ABSTRACTS
“Teaching the OWASP Top 10 to Beginning Developers” - Olivia Liddell
For beginning developers who are starting to learn the basics of coding, learning about application security can often feel daunting and overwhelming. To make this process easier, Olivia has created a workbook that beginning developers can use to supplement their study of the OWASP Top 10. Olivia will discuss best practices for teaching security concepts to beginners. She will also cover the approaches that she took in developing her workbook as well as the results of the workbook’s pilot test and some ideas for future development.
“Finding Your Next Bug: GraphQL Hacking” - Katie Paxton-Fear
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bug bounties! In this talk you will learn everything GraphQL, from how it works to what kind of bugs are common.
SPEAKERS:
OLIVIA LIDDELL (@oliravi)
Olivia Liddell is a Technical Curriculum Developer at Amazon Web Services (AWS), where she creates training courses for AWS Cloud fundamentals. Previously, Olivia worked as a middle school teacher in Chicago Public Schools and as an educational technology consultant to support various colleges and universities. She frequently speaks at conferences on topics such as mentoring, team building, and social engineering.
KATIE PAXTON-FEAR (@InsiderPhD)
Katie is a Lecturer in Cyber Security at Manchester Metropolitan University; however, in her free time, she’s a bug bounty hunter and an educational YouTuber. She started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others, creating educational cyber security videos on YouTube. In her videos, she attempts to bridge the gap between “I know what bug bounties are” and “bug bounty hunter”, giving advice specifically tailored to bug hunting. She’s now produced over 50 videos on bug bounty hunting for an audience of over 25,000 YouTube subscribers. Aimed at a beginner audience, these go from finding your first bug, to how to use specific tools, to how to find specific bug classes. Katie has discovered and responsibly reported security vulnerabilities to several large organisations such as Verizon Media and the US Department of Defense.
Thursday, 10th December 2020 (online)
Video Recordings of talks from this event can be found here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_esmFlDmu7pmAMaL-nLxa6z
Event Agenda:
18:30 Introduction, OWASP News & Updates - Sam Stepanyan, Sherif Mansour & Andra Lezza
18:45 Talk 1 : “OpenSource Intelligence (OSINT) - Getting Started” - Siobhan Kelleher
19:30 Q & A
19:45 Talk 2 : “Detect complex code patterns using semantic grep” - Grayson Hardaway
20:30 Q & A
20:45 Closing remarks
Talk abstracts:
“OpenSource Intelligence (OSINT) - Getting Started”: As security professionals we use OpenSource Intelligence (OSINT) in one way or another almost every day of our lives. This talk will focus on using OSINT to find information about people. This can be a useful skill when trying to track a malicious user from email address to home address. It is also a very important topic to discuss in user awareness training to help prevent social engineering attacks like spear phishing. Additionally, there are opportunities where you can use your analytical skills to give back by leveraging OSINT.
“Detect complex code patterns using semantic grep” : Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
SPEAKERS:
Siobhan Kelleher
Siobhan Kelleher is a Senior Security Analyst in the education sector. She has been in IT for over 8 years and worked in both government and corporate environments before joining higher ed. Prior to her career in Information Security she worked in Business to Business sales, where OSINT and Social Engineering skills were vital to creating sales leads and closing deals. She carried this knowledge with her into Information Security and it helps her better educate end users on their vulnerability to social engineering attacks. It also comes in handy when building out her holiday card list.
Grayson Hardaway
Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.
https://www.meetup.com/OWASP-London/events/274901611/
Tuesday, October 27, 2020
OWASP London / OWASP UK Secure Coding Tournament (CTF)
ARE YOU THE SECUREST OF THEM ALL?
Improve your secure coding skills and compete against the other OWASP chapters by joining the UK Wide OWASP Secure Coding Tournament!
The OWASP team will be kicking off with an opening ceremony at 6pm on Tuesday 27th October 2020. At the end of the tournament, there will be a closing ceremony at 6pm on Tuesday 3rd November.
The tournament allows you to compete against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. All challenges are based on the OWASP Top 10, and players can choose to compete in a range of software languages including Java EE, Java Spring, C# MVC, C# WebForms, Go, Ruby on Rails, Python Django & Flask, Scala Play, Node.JS, React, and both iOS and Android development languages.
Throughout the tournament, players earn points and watch as they climb to the top of the leaderboard. Individual winners (top three) will win awesome Secure Code Warrior hoodies, and 4th-10th place will all win a t-shirt!
The tournament is run virtually throughout the whole week so you can join through your laptop from the most convenient location and time. We normally recommend an hour or two to complete all of the challenges.
How to Join the Tournament
- Simply complete the form and we will send information with the next steps and your training token to join:
https://discover.securecodewarrior.com/OWASPUKtnmRegistrationLON.html
Please register using the above URL NOW - once you have registered and created a login, you will have access to the platform and will be able to PRACTICE.
- Please note that we will also send a separate Zoom Meeting invite later, so you can ask any questions and get expert help if you get stuck or experience a technical issue with the SCW platform.
- You can find the tournament step-by-step guide here: SCW Tournament Guide : https://www.youtube.com/watch?v=0bPFS1tyNbM
- Winners will be announced once the tournament has finished, during a live-streamed closing ceremony at 6pm on Tuesday 3rd November. The winners will also be announced by email.
- This is a UK OWASP tournament only. Prizes are only available to those who are part of OWASP UK chapters. The OWASP Code of Conduct applies - please treat everyone with respect and dignity.
LIVE STREAMS:
Opening ceremony : Tuesday 27th Oct 6pm (UK time) - streamed via OWASP WIA YouTube at: https://youtu.be/Jfzm3Gt1GLU
Closing ceremony: Tuesday 3rd Nov 6pm ( UK time) - streamed via OWASP WIA YouTube at: https://youtu.be/2-9zIoen0r8
https://www.meetup.com/OWASP-London/events/273941192/
Wednesday, 7th October 2020 (online)
Video recording of this event is available on YouTube:
https://www.youtube.com/watch?v=Mp8RVCDYY38
TALK
“The Cloud Migration Playbook - Part 1: A Simple Primer To Complexity” - Jason Sewell (PDF)
In this talk, we will go over an introductory overview on the common areas of AWS an organization should start to focus on as they prepare to migrate to the cloud, including both offensive techniques and defensive mitigation.
Speaker Bio - Jason Sewell
Jason has over 15 years of experience as a web application and systems developer, in addition to over ten years in DevOps and systems architecture related roles. Jason began his journey into information security through necessity, building skills and knowledge through his roles leading internal initiatives for securing application and cloud infrastructure. After years of blue team and developer/DevOps roles, his interests centre around offensive security and helping organizations actively find problems rather than just following best practices and hoping for the best.
Pentester Panel - moderated by Andra Lezza. Panelists:
- Cayce Mahon has over nine years of experience in Information Security. Originally graduating with an AFA in fine art, she took a unique path of education in her transition into information security. Through persistence and self-study, she was able to obtain Security+ and OSCP certifications on her own. While at OccamSec, she has led and been a part of a variety of offensive engagements in the realms of cyber and physical security (security/penetration testing of applications, network/physical infrastructure and systems) as well as risk assessment (architecture/policy review, vulnerability assessment, and employee interviews), finding crucial fault points in an organization’s infrastructure while also adapting to the ever-changing demands of the clients she works with.
- Ivano Bianco: Italian, with a fake Russian accent. Started using computers at the tender age of 11; by the age of 14 he had switched from the BASIC language to Assembly and started to circumvent copy protections for fun. Spent the next 20 years working in IT Operations, keeping systems secure and automating deployments before job titles like “IT Security Engineer” and “DevOps Engineer” were a thing. Had the opportunity to cover technical hands-on roles for a multitude of SME and multinational companies such as Société Générale, H3G, Ericsson, Global Payments and Puppet. Nowadays he prefers to focus on penetration testing, web application testing (because breaking things is always fun), threat hunting and security awareness training. He still likes to figure out why a server is down, but will not fix your computer.
- Nicholas Donarski has been a pioneer in the Information Security field for over 20 years. During this time, he’s worked with a diverse client list which includes multinational and global organizations, Federal, State and Local government, and enterprises of all sizes. He is recognized in the international community as a senior authority on PenTesting strategy, operations, tools and training. Over the years, he’s continued to expand his experience in security to include network security, mobile, web, and application security, compliance, high threat physical security and RedTeam Operations. Recently, he’s focused on the development of security architecture and development around machine learning and Artificial Narrow Intelligence (ANI).
Thursday, 24th October 2019 (Central London)
Video recordings of talks from this event: https://www.youtube.com/playlist?list=PLmfxTKOjvC_cgoCVYWIuaHI0JJQ8vmvWo
Location: Aon, The Leadenhall Building, 122 Leadenhall Street, London, EC3V 4AN
Nearest Tubes: Bank (6-minute walk), Liverpool Street (9-minute walk), Aldgate (7-minute walk)
Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).
TALKS
OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Andra Lezza
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
“!Responsible Disclosure” - Dylan Wheeler and Sarah White
This talk discusses the hostile environments involved in reporting vulnerabilities and the lack of standardisation and laws protecting security researchers reporting vulnerabilities to vendors and organisations. Dylan and Sarah will present some real-world examples and outcomes and discuss common problems, such as what to do when there is no bug bounty program in place. The world of vulnerability disclosure can be treacherous, but if handled correctly it can be beneficial to all parties involved.
“Making Fact-Based Security & Risk Decisions (using OWASP Security bot & Data Science)” - Dinis Cruz
The way to create a modern and empowering security organisation, one that both protects and empowers/enables the business, is to view the entire company and security ecosystem as a graph (where nodes are the multiple players and edges are the hyperlinked connections between them). This presentation will show real-world examples of how to use tools such as Jira, Slack, Jupyter notebooks, Lambda functions, Wardley Maps and OSBot to map and automate vulnerability and incident management workflows and ultimately empower the decision-makers by providing fact-based risk matrices and dashboards. This is the full version of the lightning talk presented at the 19th September OWASP London meetup.
Please note that the following talk will not be delivered due to illness - we wish Chrissy Morgan a speedy recovery.
SPEAKERS
Dylan Wheeler (@degenerateDaE)
Dylan Wheeler is an independent security researcher; recently he and his team at Day After Exploit discovered many critical vulnerabilities in a major casino vendor, Atrient, leading to complete compromise of systems. This discovery also led to Wheeler being assaulted by Atrient’s CFO at the International Casino Expo (ICE) at London’s Excel Expo Centre. His work has been featured in numerous magazines and popular news websites. Back in 2011 he was a member of the Xbox Underground international hacking group. Since then he has pursued a career as a white-hat security researcher.
Sarah White (@PolarToffee)
Sarah White is a Cyber Security student at the Royal Holloway University of London and a malware analyst working at Emsisoft, a fully remote antivirus company.
- cancelled due to illness
Dinis Cruz (@DinisCruz)
Dinis Cruz is a CISO at Revolut and a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions).
TICKETS
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that spaces are limited - you must register and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list: Get tickets on EventBrite: https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x7878484abcd
Thursday, 19th September 2019 (Central London)
Video recordings of talks presented at this event now available on YouTube: https://www.youtube.com/playlist?list=PLmfxTKOjvC_dbbuGb_s0ogfAld5spBiXn
Location: Goodman Masson, 120 Aldersgate Street, London, EC1A 4JQ
Nearest Tube: Barbican (1-minute walk)
Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).
TALKS
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Andra Lezza
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- OWASP Board Election Update - Sherif Mansour
OWASP Board of Directors Election 2019 Update
- “Hack the World & Galaxy with OSINT” - Chris Kubecka
The more we strive to connect every part of the world with IT, IoT & ICS SCADA assets running on legacy and existing infrastructure with IPv6 and upcoming 5G & 6E, the more the risk rises of finding connected, insecure assets containing juicy info which can be leveraged by naughty groups. How easy is it to find vulnerable databases, solar panels, smart homes, washing machines, space IoT, maritime assets and critical infrastructure? Using OSINT (open source intelligence gathering) is an important part of the reconnaissance phase of an application security penetration test. Learning what sources of information are available to start a penetration test is a crucial step in completing a thorough but effective exploration. Risks associated with leveraging, misusing or selling discovered material are all too real. Get your hoodie out and join us on a journey of discovery and exploitation of high profile industrial control systems spanning land, sea, air and space using legal tools & techniques. Key takeaways include closing the gaps and securing these systems.
- Lightning Talk - “Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions” - Dinis Cruz
- “Common API Security Pitfalls” - Philippe De Ryck
The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account? These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
SPEAKERS:
Chris Kubecka
Christina Kubecka is a Security Researcher and CEO of HypaSec. She formerly set up several security groups for Saudi Aramco’s affiliates after the Shamoon 1 attacks, implementing and leading the Security Operations Centre, Network Operation Centre, Joint International Intelligence Group and EU/UK Privacy Group for Aramco Overseas Company. With >20 years of professional experience in the field, her career includes the US Air Force, Space Command, and the private and public sector. She has GIAC GPEN certification training and teaches penetration testing on IT, IoT & ICS. Chris has been featured in the media with Viceland News’ Cyber Warfare series, Hacking the Infrastructure, CNN, Fox News, and other news outlets. Chris is currently the Executive Secretary on the board of Geeks Without Bounds, and advises and lectures as an expert for several markets and governments.
Philippe De Ryck
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.
TICKETS:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
Register to attend this event at Eventbrite:
https://www.eventbrite.co.uk/e/71739886933
Code of Conduct:
We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies
Thursday, 18th July 2019 (Canary Wharf)
Location: Revolut , The Columbus Building, 7 Westferry Circus, Canary Wharf, London, E14 4HD
Nearest Tubes: Canary Wharf (7-minute walk - take Canada Square exit), Canary Wharf DLR (7-minute walk)
Time: Doors Open at 6:00pm for registration, food, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Andra Lezza
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- Lightning Talk - “Scaling Security - Move fast and make things” - Paul Heffernan (PDF)
Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt to scaling security that quickly when security fundamentally represents customer trust.
- “Hack In, Cash Out: Hacking and Securing Payment Technologies” - Tim Yunusov (PDF)
Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on Point of Sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today. Next we’ll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud detection mechanisms, and how they ultimately cash out.
- “Advanced Bots and Security Evasion Techniques” - David Warburton (PDF)
Bots are generally seen as a bit of a nuisance and widely regarded as the weapon of choice for DDoS attacks. However, modern bots are capable of much more and are claimed to be behind three quarters of all attacks that hit web sites and APIs. Techniques such as rate limiting, IP blacklisting and even CAPTCHAs often do little to prevent the attacks as they evolve, evading controls which try to differentiate between bots and humans. In this session we’re going to look at what bots are and how they’re created, what they’re now capable of, which industries are most affected by them and how they are evolving to avoid our current defences.
SPEAKERS:
Paul Heffernan
Paul is the CISO at Revolut, a UK based financial technology company that offers banking services to over 3 million customers worldwide. With over 10 years of experience in the cyber security world, including consulting to some of the world’s biggest brands, he believes the role of the security professional is to enable trust. Entering the industry from an ‘ethical hacker’ background, he deeply understands technical security challenges but is equally passionate about driving effective change through unambiguous leadership. Paul is a regular international speaker at various industry conferences such as the e-Crime Congress, CSO Amsterdam and CISO360 Barcelona. He also sits as an advisory board member of ClubCISO, a private members forum for European information security leaders, working in public and private sector organisations.
Tim Yunusov
Tim Yunusov is a Senior Expert in banking systems security and author of multiple research works in the field of application security, including “Bruteforce of PHPSESSID”, rated in the Top Ten Web Hacking Techniques of 2012 by WhiteHat Security, and “XML Out-Of-Band”, shown at Black Hat EU 2013. Timur is a professional application security researcher who has previously spoken at Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, CanSecWest, Hack In Paris, ZeroNights and Positive Hack Days.
David Warburton
David Warburton is an information security threat researcher and evangelist for F5 Labs and frequently speaks at conferences and with customers all over the world. His focus areas of research are SSL/TLS and other cryptographic protocols and certificates, digital identity, web application security, information risk management and compliance & regulation. A recent alumnus of Royal Holloway University, where he wrote his MSc dissertation on IoT Security, he now works on identifying emerging cyber threats, producing actionable intelligence reports and consulting on cyber security strategy within public sector, retail and financial organisations.
TICKETS & ID REQUIREMENT:
IMPORTANT - PHOTO ID REQUIRED: The Columbus Building security requires all visitors to show a form of Photo ID matching the name on the ticket.
Please note that space at this event is limited, so please only book tickets if you are able to attend.
Registration at EventBrite:
Women In AppSec (OWASPWIA) Meetup - Wednesday, 17th April 2019 (Central London)
Details and Registration:
https://www.meetup.com/womeninappsec/events/259867481/
Thursday, 4th April 2019 (Central London)
Video Recording of this event can be viewed on YouTube: https://www.youtube.com/playlist?list=PLmfxTKOjvC_eaghkijhbDD4cygolu8bRf
Location: Facebook, Facebook London, 1 Rathbone Square, London, W1T 1FB
Nearest Tubes: Tottenham Court Road (3-minute walk), Oxford Circus (8-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Andra Lezza
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “Move Fast and Secure Things (with Static Analysis)” - Ibrahim Mohamed El-Sayed (PDF)
This talk focuses on how to use static analysis to improve the security posture of a company. Inside the talk, we dive into examples of bugs that can be detected with static analysis and the different modes of static analysis used inside Facebook as an example of how to move fast and secure the codebase. We then move on to the challenges and limitations of static analysis, and we end with some numbers to demonstrate how helpful static analysis is in the detection of security bugs.
- Lightning Talk - “Remediate the Flag: Practical AppSec Training Platform” - Andrea Scaduto (PDF)
This lightning talk is about RTF, an open source platform that hosts appsec exercises for developers. Candidates manually remediate the code of a vulnerable application running in a disposable development environment accessed using a web browser. The platform provides automated results, a point system with trophies, and the ability to create time-boxed tournaments. The talk will include a live demo and introduce what’s coming next.
- Due to illness this talk was not delivered on this date
- “Creating a graph based security organisation” - Dinis Cruz (Slides: https://www.slideshare.net/DinisCruz/creating-a-graph-based-security-organisation-apr-2019-owasp-london-chapter-meeting)
The way to create a modern and empowering security organisation, one that both protects and empowers/enables the business, is to view the entire company and security ecosystem as a graph (where nodes are the multiple players and edges are the hyperlinked connections between them). The key strategy is to view everything as projects, with all resources connected digitally and a model that rewards the maximum visibility of risks and tasks.
SPEAKERS:
Ibrahim Mohamed El-Sayed
Ibrahim Mohamed El-Sayed is a Security Engineer based at Facebook’s London HQ. Ibrahim focuses on using static analysis for security bug detection. He spends most of his time improving static analysis tools and writing new rules to detect new types of security bugs. In addition to static analysis, Ibrahim also participates in CTFs on a regular basis. As a security researcher, Ibrahim has been acknowledged by many companies for security findings in their products, including PayPal, Etsy, Google, Adobe, Microsoft, Yahoo, AT&T, Dell, Deutsche Telekom and others.
Andrea Scaduto
Andrea is a Senior Penetration Tester and Software Engineer with an MSc in Computer Engineering and several IT Security certifications. He enjoys breaking, building and securing web and mobile applications, has extensive knowledge of secure coding techniques and focuses on reducing the cost of fixing vulnerabilities at scale.
Leigh-Anne Galloway
Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies where she advises organisations on how best to secure their applications and infrastructure against modern threats. Leigh-Anne started her career leading investigations into payment card data breaches, where she discovered her passion for security advisory. She has spoken at many conferences including DevSecCon, BSides, InfoSec Europe, Hacktivity, 8dot8, Blackhat EU and Troopers.
Timur Yunusov
Tim Yunusov is the Senior Expert of Banking Systems Security and the author of multiple pieces of research in the field of application security, including “Bruteforce of PHPSESSID”, rated in the Top Ten Web Hacking Techniques of 2012 by WhiteHat Security, and “XML Out-Of-Band”, shown at Black Hat EU 2013. Timur is a professional application security researcher who has previously spoken at Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, CanSecWest, Hack In Paris, ZeroNights and Positive Hack Days.
TICKETS and ID REQUIREMENT:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
IMPORTANT: Facebook security rules require that all event attendees bring a form of Photo ID such as a driving licence or passport. The name on the ID document must match the name on the ticket.
Register to attend this event at Eventbrite:
Code of Conduct:
We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies
Monday, 25th February 2019 (Central London)
Location: Photobox, Herbal House, 8-10 Back Hill, London, EC1R 5EN
Nearest Tubes: Farringdon (7-minute walk), Chancery Lane (9-minute walk)
Time: Doors Open at 7:00pm for registration, pizza, drinks and networking. The talks start at 7:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan & Sherif Mansour
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “Introducing the OWASP Application Security Verification Standard (ASVS) v4.0” - Andrew van der Stock (@vanderaj) (PDF)
Come learn about the completely new OWASP Application Security Verification Standard 4.0: what’s changed, what’s the same, and how you can use it for security architecture, agile security, secure coding and secure code reviews, unit and integration test cases, and now with 100% L1 support for penetration tests. The ASVS is the most comprehensive developer-focused application security standard, developed entirely in the open with contributions from all over the world. Over the last 10 years, adoption of the ASVS has become mainstream and it should replace the OWASP Top 10 in almost all situations. Learn how you can use the ASVS in your day to day life no matter if you’re a coder, a security professional, or a tool vendor. ASVS version 4.0 will be released at the nullcon conference on Friday 1st March 2019, so Andrew will really appreciate constructive heckling, calling him out on vague points or any help to make the final release presentation better.
- “Open Security Summit 2019” - Dinis Cruz (@diniscruz)
Open Security Summit 2019 is focused on the collaboration between, Developers and Application Security. Using the same model as the previous OWASP Summits, this 5-day summer event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Dinis will introduce this year’s event and the collaboration topics.
SPEAKERS:
Andrew van der Stock (@vanderaj)
Andrew van der Stock is a long time contributor to OWASP dating back to 2002. He has worked in the IT industry for over 20 years and is a seasoned web application security specialist and enterprise security architect. Andrew was the project lead and lead author of the OWASP Developer Guide 2.0, the Project Leader of OWASP Top 10 and is currently the Project Leader of the OWASP Application Security Verification Standard (ASVS). He has been on the OWASP Global Board since 2015. Andrew is also the senior principal consultant at Synopsys.
Dinis Cruz (@diniscruz)
Dinis Cruz is the CISO of Photobox and a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is on aligning the business’s risk appetite with the reality created by internally developed applications.
TICKETS:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
Register to attend this event at Eventbrite:
Wednesday, 13th February 2019 (Central London)
Location: Amazon, 1 Principal Place, 115 Worship Street, EC2A 2FA, London
Nearest Tubes: Liverpool Street (6-minute walk), Old Street (11-minute walk), Shoreditch High Street Overground (8-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan & Sherif Mansour
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “Introducing the OWASP ZAP Heads Up Display (HUD)” - Simon Bennetts (@psiinon)
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. It has a powerful desktop UI, a highly functional API and is used by everyone from people new to security, including developers and QA, right up to professional pentesters. It’s also more complex for newcomers than we would like. We are therefore introducing a new Heads Up Display (HUD) interface which overlays data and controls for ZAP over the web based application being tested.
- “Incident Response in Your Pyjamas” - Paco Hope (@pacohope) (Slides PDF)
When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. Getting on airplanes and going to data centres means you have to get dressed, and that’s a drag. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He’ll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas.
- “Developers - The Lucrative Target for Social Engineers” - Stuart Peck (@cybersecstu)
Developers are a lucrative target for attackers, especially those with public profiles, active on social media, and working on either high profile applications or open source projects. The recent attack against an NPM package, in which malicious code targeting a popular Bitcoin wallet was inserted after the attacker used social engineering to trick the maintainer into handing over ownership, is one of many examples showing that this is an ever increasing vector. This talk explores how exposed some developers are and the impact this can have, either through the supply chain and/or directly on organisations. During this talk we will demonstrate and discuss: Open Source Intelligence recon techniques; profiling targets, repos, developer backgrounds, coding style and digital footprint; pretext creation, building trust and establishing legitimacy; example vishing calls, phishing emails, and case studies; and what developers can do to challenge and reduce the impact of social engineering.
SPEAKERS:
Simon Bennetts (@psiinon)
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and works for Mozilla as part of the Cloud Services Security Team. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Paco Hope (@pacohope)
Paco Hope is a Principal Consultant in Security, Risk, and Compliance for Amazon Web Services. He helps enterprise customers achieve compliance and secure their workloads on AWS. Based in London, he works with major enterprises across Europe and the UK migrating workloads and building new applications on AWS. Prior to his work with AWS he worked in application security, carrying out threat modelling, source code reviews, and architectural risk analysis for enterprises.
Stuart Peck (@cybersecstu)
From a background of threat intelligence, social engineering and incident response, Stuart Peck heads up Cyber Security Strategy for ZeroDayLab and is co-founder and podcast host of The Many Hats Club, a large information security community. Stuart is passionate about educating organisations on the latest threat actor techniques and how to combat them. In addition, he has won awards for his education and training programs delivered throughout Europe and the USA. As a practicing social engineer he has managed large scale engagements in banking, gambling/gaming, retail, software, insurance and other sectors. Stuart’s key areas of expertise include: the dark and deep web, social engineering, incident response management, threat hunting, OSINT, OPSEC, and cyber-crime. He has also led investigations into many major security incidents, including global ransomware outbreaks. Stuart is a regular contributor on social engineering to many leading blogs including Security Affairs, Bleeping Computer and The State of Security, is published in many leading journals including the ISSA Journal, and is quoted in mainstream media.
TICKETS and PHOTO ID REQUIREMENT:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
IMPORTANT: Amazon security rules require that all event attendees bring a form of Photo ID such as a driving licence or passport. The name on the ID document must match the name on the ticket.
Register to attend this event at Eventbrite:
Code of Conduct:
We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies
Wednesday, 9th January 2019 (Central London) OWASP London CTF For Developers
OWASP London Chapter is pleased to announce the 2019 OWASP London CTF Tournament for Application Developers.
CTF (Capture The Flag) is a type of computer security competition. Contestants are presented with a set of challenges and puzzles which test their creativity, technical coding (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories and when solved, each yields a “flag” which is submitted to a real-time scoring service. The difficulty levels are from beginner to advanced. CTF tournaments are a great and fun way for software developers to learn a wide array of cyber security / application security skills in a safe and legal environment. Top scorers will win prizes kindly donated by the cyber security technology vendors. Most programming languages supported. IMPORTANT: Please bring your own LAPTOP and a charger for it to this event
This event is kindly sponsored and hosted by Just Eat.
Location: JUST EAT, Fleet Place House, 2 Fleet Place, London EC4M 7RF (entrance opposite Starbucks front doors)
Nearest Tube: St. Paul’s (7 minute walk)
Doors Open at 6pm, the CTF starts at 6:30pm (we start on time).
CTF Ticket Booking
This event is free to attend for both members and non-members of OWASP and is open to any application developers interested in web application security. Please note that you MUST book your place to be admitted to the event by the building security.
Tickets at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-ctf-for-developers-tickets-54130947120?aff=ws
Thursday, 22nd November 2018 (Central London)
Location: Microsoft Reactor, 70 Wilson Street, London, EC2A 2DB
Nearest Tubes: Old Street (7-minute walk), Moorgate (7-minute walk), Liverpool Street (7-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
Video recordings of talks from this event can be viewed here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_fW-BuQI76GJEjQG5ymYkxq
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Greg Fragkos
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “We Are All Equifax: Data Behind DevSecOps” - Stefania Chaplin (PDF)
In March 2017 hackers took three days to identify and exploit a new vulnerability in Equifax’s web applications. In the post-Equifax world, moving new business requirements (e.g., a non-vulnerable version of Struts2) into production in under three days might just be your new normal. Find out what the analysis of 17,000 applications reveals about the quality and security of software built with open source components. Join this session to better understand how DevSecOps teams are applying lessons from W. Edwards Deming (circa 1982), Malcolm Goldrath (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks.
- “I know what you did last summer: New persistent tracking mechanisms used in the wild” - Dr. Alexios Mylonas (Slides PDF) (Research Article PDF)
Web Storage, Indexed Database API and Web SQL Database allow web browsers to store information in the client in a much more advanced way compared to other techniques, such as HTTP Cookies. They were originally introduced with the goal of enhancing the capabilities of websites, however, they are often exploited as a way of tracking users across multiple sessions and websites. The presentation will be divided into two parts. First, it will quantify the usage of these three primitives in the context of user tracking. This is done by performing a large-scale analysis on the usage of these techniques in the wild. The second part reviews the effectiveness of the removal of client-side storage data in modern browsers.
SPEAKERS:
Stefania Chaplin
Stefania Chaplin (@DevStefOps) is a Solutions Engineer at Sonatype, where she is responsible for helping customers understand and implement DevSecOps across the EMEA region. Stefania holds a BSc degree in Computer Science from the University of Manchester and has a background as a Python/Java developer. She enjoys the challenge of improving the quality of software across different languages and ecosystems. Stefania is passionate about women in technology and is Founder and President of ‘Women at Sonatype’. She has spoken about DevSecOps at many conferences and meetups across Europe, including JavaZone in Norway, JFokus in Sweden, and Cloud Expo, Women of Silicon Roundabout and Women in DevOps in London.
Dr. Alexios Mylonas
Dr. Alexios Mylonas is the program leader of the BSc Forensic Computing and Security at Bournemouth University and a member of the BU Cybersecurity Research Group. His teaching and research focus on Cyber Security and Digital Forensics. Before starting his academic career he was a security consultant working within VeriSign’s PKI Trust Network. He holds a PhD in Information and Communication Security and a BSc (Hons) in Computer Science from the Athens University of Economics and Business, as well as an MSc in Information Security from Royal Holloway. Dr Mylonas has more than 20 well-referenced, esteemed journal and conference publications.
TICKETS:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
Register to attend this event at Eventbrite:
Code of Conduct:
We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies
Wednesday, 24th October 2018 (Canary Wharf)
Location: J.P. Morgan, 25 Bank Street, Canary Wharf, London, E14 5JP
Nearest Tubes: Canary Wharf (5-minute walk - take Canada Square exit), Heron Quays DLR (2-minute walk)
Time: Doors Open at 6:00pm for registration, food, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Greg Fragkos
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “If You Liked It, You Should Have Put Security On It” - Zoë Rose (PDF)
We no longer live in a world where ignorance of security is even remotely okay; you can’t breach a data protection act with the defence that ‘oops, we didn’t realise’. Not only will you owe major fines, but your reputational damage will be extravagant. Why is it then that, in the media seemingly every day, an insane breach is reported? The reality is that we live in a world of fail by design more than security or privacy by design. The challenge is:
- Security is confusing, and it is this confusion that leads to negativity and enables a shift to it being a taboo topic.
- We need things to ‘just work’ across all situations and environments, and work consistently, with a quick time to market and a competitive price.
How did we get here? Well, let’s face it, we created a no-win market that organisations can’t possibly compete in. There is hope: as the world changes its approach, which we are doing slowly, we can become a safer and more secure world. In this talk, we will be looking at how to make that first step in our personal and professional lives, including the steps we can take to change the market to value us and our personal data.
- “Lessons From The Legion (The OWASP London Remix)” - Nick Drage (PDF)
Look at your job, your colleagues, your industry. Smart people, working hard… and yet it feels like we’re losing. Why? Cyber security has always been a technology driven, engineer led industry: vague default strategies have emerged from the tactics and point solutions chosen by self-taught practitioners based on what fits in with their preferred ways of working and studying. We need better strategies, and we can learn them from other contexts and conflicts to improve our own methods and practices. Would you like to start winning?
- “A Holistic View On Cyber Security In Evolutionary Terms (food-for-thought)” - Dr. Grigorios Fragkos (PDF)
The Red Queen hypothesis, also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that organisms must constantly adapt, evolve, and proliferate not merely to gain a reproductive advantage, but also simply to survive while pitted against ever-evolving rival organisms in a continuously changing environment. Let’s explore under a Cyber lens this evolutionary hypothesis in contrast to the evolving (cyber)threats and our adaptation (as professionals) to equally evolve our Cyber Resiliency capabilities (as an industry). This presentation is an opportunity to explore as professionals our security mindset and draw some personal conclusions on our Cyber Security culture in order to better ourselves. From user awareness all the way to Cyber Resilience, from developing by writing secure code to the effort it takes in breaking it, from gaps in hiring talents to hiring for the right reasons, this brief session is intended to spark a personal “eureka” moment in the mindmap of each security professional inside and outside the room.
SPEAKERS:
Zoë Rose (@5683Monkey)
Zoë Rose is a highly regarded hands-on cyber security specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber resilience across their organisation. Whilst retaining deep technical expertise, Zoë has developed extensive experience in designing and executing cyber security awareness programmes focused on helping people become more aware of cyber threats. Zoë also supports ethical hacking and incident response engagements and advises on best practice software development and secure systems architecture. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at conferences and is quoted in the media, and most recently featured in Vogue Magazine.
Nick Drage (@SonOfSunTzu)
Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was “SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.
Dr. Grigorios Fragkos (@drgfragkos)
Dr. Grigorios Fragkos (aka Greg) is based in London and is currently part of the EY Cyber team in OTS/TAS, delivering excellence in a globally market-leading proposition that helps decision makers in multi-million investments to identify and quantify the risk exposure in existing and emerging Cyber threats. With 20 years of experience, Greg has engaged with companies around the world, sharing his expertise and ensuring that business entities within different sectors (such as banking, payments, maritime, defense & space) have security-in-depth practices in place against emerging Cyber threats. His background includes thought-leading security research, experience in defending mission-critical systems and leading technical security assessments, exposure to the CyberDefense department of the military, and identifying security gaps in the payments industry (fintech) while protecting high-value assets. He has a BSc in Software Engineering and an MSc in Computer Systems Security, and designed the intelligent engine of a next-generation SIEM with “notional understanding” of network events (a type of Machine Learning) for real-time Threat Assessment. His background, experience and studies, which include acceptance to the Applied Cyber Security programme at MIT, are considered invaluable when it comes to identifying hidden risks and safeguarding complex digital ecosystems. Greg has been invited to present at a number of security conferences, workshops and summits over the years. Among other responsibilities, he assists ENISA as part of the NIS Experts in reviewing and designing incidents for Cyber Europe, he is the organizer of Security BSides Athens and Security BSides Amsterdam, and, last but not least, he is one of the OWASP London Chapter leaders. Thinking ahead and outside the box when dealing with information security challenges is one of the key characteristics of his talks.
TICKETS:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and cyber security. Please note that you MUST REGISTER to book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
Register to attend this event at Eventbrite:
Thursday, 6th September 2018 (Central London)
Video recordings of talks are available to watch on YouTube here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_fNR1aZYJS8BxQZ802sNz53
Location: Facebook, Facebook London, 1 Rathbone Square, London, W1T 1FB
Nearest Tubes: Tottenham Court Road (3-minute walk), Oxford Circus (8-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Greg Fragkos
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “Bug Hunting Beyond facebook.com” - Jack Whitton
Facebook’s Whitehat bug bounty program receives thousands of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook’s Whitehat program team handled over the past year, and some pro tips for looking for bugs outside of “facebook.com”.
- Lightning Talk - “Open Source for Young Coders” - Hackerfemo (PDF)
Inspirational 12 year old Hackerfemo will tell us all about how open source helps him run coding and robot workshops for 10-16 year olds throughout the world.
- “Reviewing and Securing React Applications” - Amanvir Sangha ( interactive slides: https://github.com/amanvir/owasp-fb-react )
As developers start using front-end frameworks such as React, they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them.
- Lightning Talk - “Introducing OWASP Amass Project” - Jeff Foley (remote) (PDF)
Jeff will introduce the OWASP Amass project - a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks.
SPEAKERS:
Jack Whitton
Jack Whitton is a Security Engineer, based at Facebook’s London HQ. Jack focuses primarily on the Whitehat program, which involves interacting with the security community who find vulnerabilities in Facebook-family products, in addition to working with internal teams to ensure code is shipped securely. Prior to joining Facebook in 2016, he was one of the top researchers in the Whitehat program.
Amanvir Sangha
Amanvir Sangha is a Software Security Consultant at Synopsys, primarily focused on source code review, developer training and modern web application security. In the past he has worked as a software and security engineer helping developers write secure code.
Hackerfemo (Femi Owolade-Coombs)
Femi Owolade-Coombs—also known as Hackerfemo—is one of the youngest hackers and public speakers you’ll ever meet. Femi has been coding since he was 9 years old. After learning to hack Minecraft using Python on a Raspberry Pi, Femi set up ‘South London Raspberry Jam’ meetups to share his passion for coding with other young people. Owolade-Coombs has since run hundreds of coding and robot workshops throughout the world. In 2017, he won a Diana Award where he was invited to St James’ Palace and presented with his award by the Duke of Cambridge and Prince Harry.
Jeff Foley
Jeff serves as CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. In his spare time, Jeff enjoys experimenting with new blends of coffee, supporting local universities’ information security programs, and participating in information security competitions, such as DEFCON Capture The Flag.
TICKETS and ID REQUIREMENT:
This event is free to attend for both members and non-members of OWASP. Please note that you MUST REGISTER to book your place and to be admitted into the building.
IMPORTANT: Please note that Facebook building security rules require that each attendee must bring and show to the Facebook security guard a form of ID such as a driving licence, passport or credit/debit card. The name on the ID must match the name on the ticket.
Register to attend this event at Eventbrite:
Thursday, 30th August 2018 (Central London)
Location: Microsoft Reactor, 70 Wilson Street, London, EC2A 2DB
Nearest Tubes: Old Street (7-minute walk), Moorgate (7-minute walk), Liverpool Street (7-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
Video recordings of talks from this event can be viewed here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_fB5smKaGO5w8w6iXSQ5YMp
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Greg Fragkos
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders.
- “From zero to hero: building security from scratch” - Anthi Gilligan (PDF)
Breaches mean financial, regulatory, legal, and above all reputational repercussions. Organisations are quick to react, however with security professionals in high demand and low supply, there has been an increase in individuals jumping on the “cybersecurity” bandwagon. In this talk, we discuss the pitfalls of the inadequately qualified “cybersecurity expert”, and examine the building blocks of a solid information security management system.
- “Smart Contract Security” - Evangelos Deirmentzoglou (PDF)
Dapps and many Initial Coin Offerings (ICOs) run on smart contracts and tend to process a substantial amount of funds. This makes them a target, and therefore they often undergo attacks. Combined with blockchain immutability, vulnerabilities undiscovered during development will exist forever in the blockchain. This talk will dive into the most common smart contract security vulnerabilities and provide in-depth knowledge on how these issues occur and their mitigation. Real world examples will be discussed and vulnerabilities like re-entrancy, overflows, gas limit attacks etc. will be demonstrated.
- Lightning Talk: “Driving OWASP ZAP using Selenium” - Mark Torrens (PDF)
OWASP ZAP is a great tool but it’s not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.
SPEAKERS:
Anthi Gilligan
Anthi (@AnGreagach) is an application security engineer at Logitech and has sole responsibility for the company’s vulnerability management, penetration testing and security engineering functions. She has previously held the position of principal security architect for a large Irish banking institution, and acted as a lead pen tester for a consultancy company. Anthi is on the organising committee of Security Bsides Athens and is currently leading the efforts to bring Security Bsides conference to Dublin. She holds a number of academic and professional security qualifications, and loves dogs.
Evangelos Deirmentzoglou
Evangelos Deirmentzoglou (@edeirme) joined the open source community in the winter of 2015 by contributing to Ncrack. In the summer of 2017 he took part in Google Summer of Code 2017 under the guidance of Fotis Chantzis in order to work on Nmap and Ncrack. He currently works as a Security Engineer at Positive Technologies, conducting code auditing, mobile & web penetration testing and smart contract security assessments. He is researching a cybersecurity PhD and focuses on source code analysis, which he has applied for a number of major U.S technology vendors, Fortune 500 companies, banks and medical institutions.
Mark Torrens
Mark Torrens works for Kainos as a Security Architect and this year is completing an MSc in Cyber Security at the University of York.
TICKETS:
This event is free to attend for both members and non-members of OWASP. Please note that you MUST REGISTER to book your place and to be admitted into the building.
Register to attend this event at Eventbrite:
Thursday, 26th April 2018 (Central London)
This event was kindly hosted and sponsored by EY (Ernst & Young LLP)
Video recordings of talks presented at this event can be found here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_fEW9rtZVbufQngXmRdfgnz
Location: EY, 1 More London Riverside, London, SE1 2AF (please note: there are two EY offices on the same street - No 1 and No 6, the event will take place at Number 1 More Place)
Nearest Tube: London Bridge (5-minute walk)
Time: Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
TALKS:
- OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour & Greg Fragkos
Welcome and a brief update on OWASP Projects & Events from the OWASP London Chapter Leaders. Welcome from Ian McCaw, Associate Partner, Operational Transaction Services, EY.
- “Is There Room for SecArch in DevSecOps?” - Dimitrios Petropoulos (PDF)
If security is (still?) an afterthought, is shifting security to the left with automation enough for DevSecOps to deliver on its promises in the era of software at the speed of thought?
- Lightning Talk: “Introducing Remediate the Flag: a Hands-On AppSec Training Platform” - Andrea Scaduto (PDF)
Developers aren’t born knowing how to code securely and AppSec training often fails to provide practical examples. This talk introduces RTF, an open source AppSec training platform that offers hands-on exploitation, remediation, and secure coding exercises.
- “SCADA and Other Dangerous Things” - Professor Andrew Blyth (PDF)
This talk will discuss a forensic readiness approach to SCADA and IPCS. Through a series of case studies we will discuss forensic requirements as they relate to SCADA and IPCS. We will also define a forensic readiness model in response to these requirements.
- Lightning Talk: “Security Testing Automation via Jenkins and Threadfix” - Lucian Corlan & Nikos Savvidis (PDF)
This lightning talk will show you: how we have architected and configured our Security Jenkins pipeline to perform security tests, how Threadfix helps to achieve automation (use cases), and how Security Champions can help to achieve the above.
SPEAKERS:
Andrew Blyth
Professor Andrew Blyth received his PhD in Computer Science in 1995 at Newcastle University, UK. He is currently director of the Cyber Defence Centre at the University of South Wales. Over the past twenty years he has spent much of his time working and publishing in the area of computer forensics and Computer Network Defence. Andrew and his Information Security Research Group have delivered ground-breaking work in the area of computer network defence over the years. He has published numerous conference/journal papers in the areas of computer network defence and computer forensics, with key highlights including: a) the first forensic analysis of games consoles such as the X-Box and Play-Station, b) the first forensic analysis of automobile engine management systems and c) the development and deployment of forensic capability in automobile engine management systems and SCADA/IPCS. In addition, Professor Blyth is also lead examiner for the GCHQ accredited Tiger Scheme. He is the author of the “Information Assurance: Surviving in the Information Environment” book that has become the cornerstone of knowledge for every Information Security professional in the past 15 years. Many well-known security professionals and cybersecurity experts across different industries worldwide have been taught and trained under his watch over the past 20 years. (@ajcblyth)
Dimitrios Petropoulos
Over the last thirty years, Dimitrios Petropoulos has been developing security middleware, designing enterprise security architectures, performing security R&D, conducting technical security assessments and advising on security strategy across EMEA. He is currently a Principal for DXC’s Security Advisory practice.
Andrea Scaduto
Andrea is a Penetration Tester and Software Engineer. He is specialised in Web/Mobile applications security and development and he has an in-depth experience in defensive techniques for secure coding, aiming at the optimisation of costs in addressing security issues.
Lucian Corlan
Lucian is a Director of Application Security at SagePay. Lucian holds a number of security certifications – MSc ITSec, MA Security Studies, CISSP, CSSLP (a), CISM, CISA, CEH, OSCP, SABSA Foundation and has previously worked for Betfair in the InfoSec/AppSec Manager and Acting Head of AppSec roles. Lucian has also led one of the Romanian OWASP Chapters and is still involved in OWASP. Before that he worked for several multi-national organisations in the banking (chip card security & app security) and telecom (infra & app security) sectors. If there’s any free time left…, he spends it meddling with astronomy (planetary & galactic), reading philosophy/crypto detective books and dissecting bits of geo-economy politics.
Nikos Savvidis
Software engineer with a strong interest in application security and embedding security in the SDLC, having previous experience in companies ranging from a start-up with 15 employees, to a big enterprise with >10k employees.
TICKETS:
This event is free to attend for both members and non-members of OWASP. Please note that you MUST REGISTER to book your place and to be admitted into the building.
Register to attend this event at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-26th-april-2018-630pm-tickets-45216218928?aff=ws
Thursday, 19th April 2018 (Central London)
OWASP Bristol / OWASP London Chapter Joint Event - Live Stream Viewing Meetup in London
This event is kindly sponsored and hosted by: Just Eat
PLEASE NOTE: The talks will take place in Bristol and will be streamed to Just Eat London office where the audience will have a chance to watch the talks streamed live on a big video screen and participate in live Q&A with the Speakers.
Location: Just Eat PLC, Fleet Place House, 2 Fleet Place, London, EC4M 7RF (entrance is opposite Starbucks front doors)
Nearest Tube: St Paul’s (7-8 minute walk). Farringdon and Chancery Lane tubes are within a 10-minute walk.
Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).
TALKS
- OWASP Update
Welcome and a brief update on OWASP Projects & Conferences from the OWASP Bristol and London Chapter Leader
- “Application Hacking Through The Eyes of an Attacker” - Rob Hillier
This talk will look at a capture the flag challenge which I enjoyed doing and found captured nicely an attacker’s mindset when they look at an application and chain vulnerabilities; it also gives a practical walkthrough of how to leverage them. It is a technical talk that will cover:
- Basic Application Reconnaissance
- Using Local File Inclusion (LFI)
- Attacking Flask (A python lightweight web server)
- Exploiting Server Side Template Injection
- Breaking out of a python sandbox
- “Exploiting Unknown Browsers and Objects” - Gareth Heyes
Browsers are embedded everywhere, from popular applications like Steam and Spotify to headless crawlers, IoT devices and games consoles. They execute JavaScript but you don’t have a dev console and some don’t even allow you to interact with them. Many add custom JavaScript objects and functions but how can you discover all this hidden treasure without any dev tools? My talk introduces a new tool for your arsenal that allows you to inspect and exploit these unknown entities. The Hackability inspector is the missing offensive dev toolkit for security researchers.
SPEAKERS
Rob Hillier
Rob is a passionate senior security consultant working for XQ Cyber delivering web application and infrastructure consultancy to government and FTSE 500 organisations. He is a Check Team Leader in Infrastructure and also holds the OSCP qualification but mostly just loves the challenge of the technical aspects of security (Not only the breaking things but how to fix them too!). When not working you will often find Rob playing CTFs, building labs (to break them) or sat on the beach waiting for enough wind to kitesurf.
Gareth Heyes
Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS, a free JavaScript sandbox that provides a safe DOM environment for sandboxed code.
TICKETS
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and cyber security. Please note that spaces are limited and you MUST book your place and get a ticket to be admitted to the event by the building security.
Register to attend this event at EventBrite: https://www.eventbrite.co.uk/e/owasp-bristolowasp-london-joint-event-live-stream-viewing-meetup-tickets-44964274355?aff=ws
Thursday, 22nd February 2018 (Central London)
OWASP London Chapter Meeting
This event is kindly sponsored and hosted by: Capital One
Location: Capital One, White Collar Factory, 1 Old Street Yard, London, EC1Y 8AF
Nearest Tube: Old Street (1-minute walk)
Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).
TALKS
- OWASP Introduction, Welcome and News - Sam Stepanyan
Welcome and a brief update on OWASP Projects & Conferences from the OWASP London Chapter Leader
- “Application Security Strategy and AST Lifecycle” - Ilia Kolochenko (PDF)
In the era of DevSecOps, CI/CD and Agile development many companies still become victims of disastrous data breaches caused by insecure applications. The presentation explains an application security strategy to reduce costs and assure holistic Application Security Testing (AST) of corporate web and mobile applications. The talk will also encompass application inventory and discovery, vulnerability correlation, virtual patching and practical usage of Machine Learning in application security.
- “Universal Second Factor authentication, or why 2FA today is wubalubadubdub?” - Yuriy Ackermann (PDF)
Today the main 2FA solutions are OTP (TOTP, HOTP), RSA keys and SMS. All these solutions lack UX, security and privacy, are easy to phish, and are mostly not standardised. In this talk we will introduce the FIDO U2F protocol, talk about its key strengths, overview the protocol, discover how it works, how it mitigates attacks, what solutions there are on the market and who uses it, and for dessert do some demos.
SPEAKERS
Ilia Kolochenko
Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, he founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for web applications that was globally launched in 2014 under ImmuniWeb® brand. Afterwards, Ilia designed and managed implementation of numerous machine learning technologies for ImmuniWeb. Ilia is a contributing writer for CSO magazine, SC Magazine UK, Dark Reading and Forbes, mainly writing about cybercrime and application security. He is also a member of the Forbes Technology Council. In 2016 he received “Forum des 100” award - 12th annual award for one hundred entrepreneurs, politicians and personalities who build the French speaking part of Switzerland. In 2017 Ilia was named a “Thought Leader” by SC Media Reboot Awards.
Yuriy Ackermann
Yuriy is a Senior Security Certification Engineer from New Zealand, working at FIDO Alliance. He loves maths, crypto, poetry, tea and port, portwine and generally enjoys ports.
TICKETS
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and cyber security. Please note that spaces are limited and you MUST book your place and get a ticket to be admitted to the event by the building security.
Register to attend this event at EventBrite:
Thursday, 25th January 2018 (Central London)
OWASP London Chapter Meeting
This event was kindly sponsored and hosted by: Goodman Masson
Video Recordings of talks presented at this event are available to watch on the OWASP London YouTube Channel:
https://www.youtube.com/watch?v=mZ0KKOPK9oU&list=PLmfxTKOjvC_c4n9vrU3fG3K2XD03IaxvK
Location: Goodman Masson, 120 Aldersgate Street, London, EC1A 4JQ
Nearest Tube: Barbican (1-minute walk)
Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).
TALKS
- OWASP Introduction, Welcome and News - Sam Stepanyan
Welcome and a brief update on OWASP Projects & Conferences from the OWASP London Chapter Leader
- “How To Buy And Hack an ATM” - Leigh-Anne Galloway and Timur Yunusov (PDF)
In 1967 Barclays introduced the first cash dispenser to London. Some 50 years later contactless payments and online transactions are our go-to methods to pay for goods and services. As we head ever closer to a cashless society, how relevant are threats to ATMs today? What are the risks and the rewards? If a security professional or bad guy wanted to buy an ATM for research purposes, would it even be possible? We’ll show you how you can buy your own ATM for a lot less money than you may have thought. In this talk we’ll discuss the challenges of acquiring, moving and storing an ATM and just how easy it is to hack an ATM once you have it.
- Lightning Talk: “Improving the Quality of Your Cyber Security Hires via Pre-Interview Challenges” - Dinis Cruz (PDF)
Recruiting Cyber Security/Application Security candidates these days is not an easy task. How do you ensure that the potential candidates are going to make a difference to your organisation, become a part of the productive team and most importantly - have the security knowledge, skills and experience you need? CVs aren’t always a good reflection of a person’s capabilities. They can be exaggerated, they don’t always show a person’s true potential. In this talk Dinis will share his experience of using the open-source Capture-The-Flag style pre-interview challenges to drastically improve the hiring process of cyber security candidates.
- “Securing the Web with TLS v1.3” - Andy Brodie (PDF)
Transport Layer Security (TLS), a.k.a. Secure Sockets Layer (SSL), is probably the most important security protocol used on the Internet today. This talk will cover the basics of TLS 1.3: the goals of the protocol and how it achieves them, what features have been added, removed and changed, as well as talking through some of the (successful) attacks on previous versions that resulted in the new proposed standard. All online banking and payment sites as well as most popular websites and web services use TLS today, and the uptake is increasing as consumers demand more protection against both hackers and state agencies trying to monitor or interfere with communications. The TLS v1.3 specification, managed by the Internet Engineering Task Force (IETF), marks the biggest change in the protocol since 1996.
SPEAKERS
Leigh-Anne Galloway
Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies where she advises organisations on how best to secure their applications and infrastructure against modern threats. Leigh-Anne started her career leading investigations into payment card data breaches, where she discovered her passion for security advisory.
Timur Yunusov
Timur Yunusov is a Senior Expert in banking systems security and the author of multiple pieces of research in the field of application security, including “Bruteforce of PHPSESSID”, rated in the Top Ten Web Hacking Techniques of 2012 by WhiteHat Security, and “XML Out-Of-Band”, shown at Black Hat EU 2013. Timur is a professional application security researcher who has previously spoken at Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, CanSecWest, Hack In Paris, ZeroNights and Positive Hack Days.
Dinis Cruz
Dinis Cruz is the CISO of Photobox and a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications.
Andy Brodie
Andy Brodie is a Principal Design Engineer for Worldpay, working on online e-Commerce payment gateways since 2015. Andy has been a software and solution architect for over 10 years working across both the Java Enterprise and .NET platforms, and before that as a developer and tester. Andy has worked at a mixture of start-ups, medium-sized companies as well as behemoths such as IBM.
TICKETS
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and cyber security. Please note that spaces are limited and you MUST book your place and get a ticket to be admitted to the event by the building security.
Register to attend this event at EventBrite:
Thursday, 30th November 2017 (Central London) OWASP London Chapter Meeting feat. Jeff Williams
This extraordinary OWASP London Chapter meeting took place on Thursday, 30th November 2017 at 18:30
OWASP London Chapter is pleased to announce that Jeff Williams - the co-founder of OWASP Foundation, creator of OWASP Top 10 and many other OWASP projects has kindly agreed to present a talk during his visit to London.
Video recording of talks on YouTube: https://www.youtube.com/watch?v=RcbQVejcVEM&list=PLmfxTKOjvC_e0mfJIOqjy4W4cHmE4Lpgx
This event is kindly sponsored and hosted by Just Eat.
Location: Just Eat, Fleet Place House, 2 Fleet Place, London, EC4M 7RF - entrance opposite Starbucks front doors
Nearest Tubes: St. Paul’s (7-minute walk), Farringdon (10-minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan
Welcome and a brief update on OWASP Projects & Conferences from the OWASP London Chapter Leader
- Can DevSecOps Prevent the Impending Software Apocalypse? - Jeff Williams (PDF)
When Marc Andreessen said, “software is eating the world,” he saw business literally reinvented as software. But as software is built faster, becomes more complex and interconnected, and handles more critical functions and data, it’s clear modern software has outstripped our ability to secure it. DevOps has produced stunning results for software speed and quality, but do they translate for security? In this talk, Jeff will present the “Three Ways of Security” – an interpretation of the DevOps classic, “The Phoenix Project” for security. You’ll learn how to get your security work flowing, how to create continuous security feedback, and how to create a culture of security experimentation and learning. Bring your hard questions – Jeff likes a “town hall” style meeting!
- Cookie Security - Myths and Misconceptions - David Johansson (PDF)
Cookies are an integral part of any web application and secure management of cookies is essential to web security. However, during my years as a security consultant I’ve often encountered various myths and misconceptions regarding cookie security from both developers as well as other security professionals. This talk will dive into the details of cookie security and highlight some of the lesser known facts about well-known cookie attributes. This talk will give you a solid understanding of the pitfalls affecting cookie security, the risks associated with these, and how you can leverage modern security specifications to enhance the protection of cookies in your web application.
Speakers:
Jeff Williams
Jeff Williams is the co-founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard(ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
David Johansson
David Johansson has worked as a security consultant for several leading IT-security companies and has over 10 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as AppSec USA, InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Synopsys.
Tickets
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and cyber security. Please note that you MUST book your place to be admitted to the event by the building security.
Register to attend this event at EventBrite:
Thursday, 23rd November 2017 (Central London) OWASP London Chapter Meeting
This OWASP London Chapter meeting took place on Thursday, 23rd November 2017 at 18:30 (we start on time!)
This event is kindly sponsored and hosted by The Telegraph Media Group.
YouTube Video Recordings: https://www.youtube.com/playlist?list=PLmfxTKOjvC_c_1DSJXRFfrECfDqhY0cF9
Location: The Telegraph, 111 Buckingham Palace Road, London, SW1 0DT
Nearest Tube: Victoria (3 minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.
- “How To Hack The UK Online Tax System, I guess” - Thomas Shadwell (@zemnmez) (PDF)
HMRC has recently patched two serious security vulnerabilities in its online tax system that allowed hackers to access and steal sensitive financial information belonging to UK tax payers. This talk will cover details of the vulnerability chain as well as the challenging 57-day journey of trying to get them fixed.
- “SHA-3 vs the World” - David Wong (PDF)
Since Keccak was selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve we’ll cover what hash functions are out there, what is being used, and what you should use. Extending hash functions, we’ll also discover STROBE, a symmetric protocol framework derived from SHA-3.
Speakers:
Thomas Shadwell
Thomas Shadwell (aka @zemnmez) is a security researcher and application security engineer at Twitch. Aside from his most recent findings of serious vulnerabilities in the UK online tax system he is also known for reporting over 120 vulnerabilities in Steam, breaking Steam’s login encryption and discovering Cross-Site-Scripting (XSS) and remote code execution (RCE) vulnerabilities in the website of hit hacking drama, Mr Robot. At Twitch, Zemnmez also gives talks on attack, defence, and prevention of security issues; he has developed systems and processes to help avoid security incidents, including the security model for the recently released Twitch Extensions platform.
David Wong
David Wong is a Security Consultant at the Cryptography Services practice of NCC Group. He has been part of several publicly funded open source audits such as OpenSSL and Let’s Encrypt. He has conducted research in many domains in cryptography, publishing whitepapers and sharing results at various conferences including DEF CON and ToorCon as well as giving a recurrent cryptography course at Black Hat. He has contributed to standards like TLS 1.3 and the Noise Protocol Framework. He has found vulnerabilities in many systems including CVE-2016-3959 in the Go programming language and a bug in SHA-3’s derived KangarooTwelve reference implementation. Prior to NCC Group, David graduated from the University of Bordeaux with a Masters in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor in Mathematics.
Tickets
This event is free to attend for both members and non-members of OWASP. Please note that you MUST REGISTER to book your place and to be admitted into the building.
Register to attend this event at Eventbrite:
Thursday, 9th November 2017 (Central London) OWASP London CTF For Developers
OWASP London Chapter is pleased to announce the 2017 OWASP London CTF Tournament for Application Developers.
CTF (Capture The Flag) is a type of computer security competition. Contestants are presented with a set of challenges and puzzles which test their creativity, technical coding (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories and when solved, each yields a “flag” which is submitted to a real-time scoring service. The difficulty levels are from beginner to advanced. CTF tournaments are a great and fun way for software developers to learn a wide array of cyber security / application security skills in a safe and legal environment. Top scorers will win prizes kindly donated by the cyber security technology vendors. Most programming languages supported. IMPORTANT: Please bring your own LAPTOP and a charger for it to this event
This event is kindly sponsored and hosted by Just Eat
Location: JUST EAT, Fleet Place House, 2 Fleet Place, London EC4M 7RF (entrance opposite Starbucks front doors)
Nearest Tube: St. Paul’s (7 minute walk)
Doors Open at 6pm, the CTF starts at 6:30pm (we start on time).
CTF Ticket Booking
This event is free to attend for both members and non-members of OWASP and is open to any application developers interested in web application security. Please note that you MUST book your place to be admitted to the event by the building security.
Tickets at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-ctf-tickets-39405502920?aff=ws
Thursday, 28th September 2017 (Central London) OWASP London Chapter Meeting
Live Stream Recording of this event can be viewed on Facebook here:
https://www.facebook.com/OWASPLondon/videos/1009373345872622/?fref=mentions
The next OWASP London Chapter meeting will take place on Thursday 28th September 2017 at 18:30 (we start on time!)
This event is kindly sponsored and hosted by John Lewis Partnership.
Location: John Lewis Head Office, 171 Victoria Street, London, SW1E 5NN
Nearest Tube: Victoria (3 minute walk)
Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders
- Application Level Vulnerabilities in Containerized Applications - Benjy Portnoy (PDF)
Docker containers are transforming the way applications are developed and deployed. Closely tied to DevOps and Continuous Delivery, containers introduce both risks and opportunities to security management in web applications. This talk will introduce the basic concepts of containers and microservices, how companies use them today, and how to support this technology while elevating the security posture of your application stacks. Various OWASP tools that leverage containers will also be presented.
- Hunting Security Bugs In Web Apps - Suleman Malik (PDF)
There are so many web applications that work in the background but it can be difficult to know about them. In this talk I’m going to show you some bug hunting techniques and how I exploited vulnerabilities in some major websites. I will cover some topics, including bypassing Content Security Policy (CSP), API endpoint vulnerabilities, postMessage vulnerabilities, CSRF, XSS, session/authentication flaws and exploiting some other OWASP Top 10 vulnerabilities.
Speakers:
Benjy Portnoy
Benjy is a seasoned cyber security professional with over 15 years experience in consulting, designing, and implementing strategic information security projects for organizations across EMEA. He is currently the director of DevSecOps at Aqua Security, helping enterprises streamline security into their DevOps processes to secure their containerized applications. Prior to joining Aqua Security, Benjy held senior security architect roles at CA, BlueCoat, and Symantec where he worked closely with CSO’s and security operations teams focusing on vulnerability management, datacenter security, and incident response. Benjy holds both CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional) certifications and is currently completing his master’s degree in Information Security and Digital Forensics
Suleman Malik
Suleman Malik is an independent security researcher and author specialising in web application security, iOS and Android application security. He has reported many security issues under the industry practice of coordinated disclosure. Suleman is listed in more than 50 Halls of Fame including Google, Microsoft, Intel, Sony, LinkedIn, Blackberry, Apple, Oracle, Huawei, US Department of Defense and so on. He has been featured in top cyber security magazines including hakin9 & Pentest magazine and has also been declared one of the top ten highest paid security researchers in the world. HackerOne’s CEO has acknowledged his work and invited him to visit the United States of America. Donald Freese, the director of the FBI’s cyber crime unit (NCIJTF), has also endorsed his skills. Suleman is currently a full time student working toward his degree in computer forensics and security.
RSVP
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.
RSVP at Eventbrite: https://www.eventbrite.com/e/owasp-london-chapter-meeting-thursday-28th-september-2017-630pm-tickets-33237487219?aff=ws
Thursday, 31st August 2017 (Central London) OWASP London CTF Challenge Development Working Session
Following the announcement at the 27th-July-2017 OWASP London Chapter Meeting we are pleased to announce the first OWASP London workshop/working session event.
The OWASP London Chapter will be running a working session to develop new challenges for the upcoming OWASP London Capture The Flag (CTF) tournaments.
Capture The Flag (CTF) tournaments have long been used to test hacking skills, but they can also serve as an effective and fun security training for developers.
This working session is kindly sponsored and hosted by Just Eat.
Location: Just Eat, Fleet Place House, 2 Fleet Place, London, EC4M 7RF
Nearest Tube: St. Paul’s (6-minute walk), Farringdon (10-minute walk)
Time: Doors Open at 6pm, the workshop starts at 6:30pm.
Please note: there will be NO TALKS at this event !
We are looking for participants who are a sound mix of:
- security researchers
- penetration testers
- application security experts
- secure application development experts (in various programming languages)
- volunteers who want to write and maintain a set of CTF challenges for future events
This working session will be in the format of brain-storming, writing and peer-reviewing of the CTF challenges.
IMPORTANT: Please bring your own LAPTOP and a charger for it
Please note that if you are going to participate in this working session you will NOT be allowed to participate in the actual CTF tournament!
Free drinks/beer and pizza provided by the event sponsors - JUST EAT.
Participation is FREE, but the number of seats is strictly limited and reservation is required to attend.
Please book your place using EventBrite here:
Thursday, 27th July 2017 (Central London)
Live Stream Recording of this event can be viewed on Facebook here: https://www.facebook.com/OWASPLondon/videos/975849525891671/
This OWASP London Chapter meeting took place on Thursday, 27th July 2017 at 18:30
This event was kindly sponsored and hosted by Just Eat.
Location: Just Eat, Fleet Place House, 2 Fleet Place, London, EC4M 7RF
Nearest Tubes: St. Paul’s (6-minute walk), Farringdon (10-minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders (PDF)
- So you thought you were safe using AngularJS? Think again! - Lewis Ardern (PDF)
AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. But while Angular adds much-needed features to the language, it also creates a handful of new security problems for developers to discover and work around. Lewis will walk you through an application that illustrates security issues discovered in real-world applications and will explain the problem with usable solutions.
- Lightning Talk: OWASP Summit 2017 Outcomes - Dinis Cruz / Sherif Mansour (https://www.slideshare.net/owaspsummit/owasp-summit-debrief-v10-jun-2017)
Dinis / Sherif will introduce the numerous outcomes delivered during the OWASP Summit 2017 workshops and brain-storming sessions and will discuss the next steps
The OWASP CRS is a set of generic attack detection rules for use with the ModSecurity (or compatible) Web Application Firewall (WAF) that saw a new major release in November 2016. CRS is the first line of defense against web application attacks like those summarized in the OWASP Top Ten, with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode.
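The anomaly scoring model described in the CRS talk above, as an added toy model written for this page (it is not CRS code and the rule patterns are deliberately simplified stand-ins, not the real CRS regexes). What it keeps faithful to CRS: the severity-to-score mapping (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), the default inbound anomaly threshold of 5, and the idea that each rule has a paranoia level below which it is inactive. Rule names, the request shape and the sampling simulation are assumptions of this example.

```javascript
// Toy model of CRS anomaly scoring (constructed for this page; not CRS code
// and not the real CRS regexes). The severity scores and the default inbound
// threshold of 5 are the real CRS defaults; the rule list is illustrative.
const SEVERITY_SCORE = { CRITICAL: 5, ERROR: 4, WARNING: 3, NOTICE: 2 };

// Each rule carries the paranoia level (PL 1..4) at which it becomes active.
// Higher PLs switch on stricter rules (and stricter siblings of lower-PL rules)
// at the cost of more false positives.
const RULES = [
  { id: 'sqli-basic',       pl: 1, severity: 'CRITICAL',
    test: v => /(\bunion\b[\s\S]+\bselect\b|'\s*or\s+1\s*=\s*1)/i.test(v) },
  { id: 'xss-basic',        pl: 1, severity: 'CRITICAL',
    test: v => /<script|javascript:/i.test(v) },
  { id: 'lfi-traversal',    pl: 1, severity: 'CRITICAL',
    test: v => /\.\.[\/\\]/.test(v) },
  { id: 'sqli-paren-count', pl: 3, severity: 'WARNING',     // PL3-style stricter sibling
    test: v => (v.match(/[()]/g) || []).length > 2 },
  { id: 'non-printable',    pl: 4, severity: 'CRITICAL',    // PL4: very strict
    test: v => /[^\x20-\x7e]/.test(v) },
];

// Score every argument of the request against every rule active at the
// configured paranoia level; block when the accumulated score reaches the
// inbound threshold. Sampling mode is simulated deterministically by request
// id so results are reproducible (real CRS draws a random number).
function evaluate(request, { paranoiaLevel = 1, inboundThreshold = 5, samplingPercentage = 100 } = {}) {
  const sampled = samplingPercentage >= 100 || ((request.id || 0) % 100) < samplingPercentage;
  if (!sampled) return { sampled: false, score: 0, matched: [], blocked: false };

  const matched = [];
  let score = 0;
  for (const [name, value] of Object.entries(request.args)) {
    for (const rule of RULES) {
      if (rule.pl > paranoiaLevel) continue;          // rule inactive at this PL
      if (rule.test(String(value))) {
        matched.push(`${rule.id}@${name}`);
        score += SEVERITY_SCORE[rule.severity];       // scores accumulate across rules and args
      }
    }
  }
  return { sampled: true, score, matched, blocked: score >= inboundThreshold };
}

// Constructed sample requests.
const SQLI_REQUEST = { id: 1, args: { q: "' or 1=1 --" } };
const PARENS_REQUEST = { id: 2, args: { a: 'f(a(b(c)))', b: 'g(x(y(z)))' } };

console.log(evaluate(SQLI_REQUEST));
console.log(evaluate(PARENS_REQUEST));
console.log(evaluate(PARENS_REQUEST, { paranoiaLevel: 3 }));
```

The point the model makes: a single CRITICAL match blocks at the default threshold, a single PL3 WARNING does not, but two WARNINGs on two parameters accumulate to 6 and do, which is why raising the paranoia level without tuning the threshold or adding exclusions produces the false positives the talk warns about.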
Speakers:
Lewis Ardern
Lewis Ardern is a security consultant at Synopsys/Cigital, where he specializes in application security, red teaming, and network assessments. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen, which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security.
Christian Folini
Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian turned to defending web servers which he thinks equally challenging. With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling. Christian is a frequent committer to the OWASP ModSecurity Core Rules project (he is also the author of the Second Edition of the ModSecurity Handbook), vice president of Swiss Cyber Experts (a public private partnership), program chair of the Swiss Cyberstorm conference and many other things.
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.
Sherif Mansour
Sherif Mansour has been working in the field of Information Security for the last 13 years, and is currently leading the Software Security Program at JP Morgan Chase and prior to that he was leading the Application Security Program at at Expedia, Inc. Sherif has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.
RSVP
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.
RSVP at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-27th-july-2017-630pm-tickets-33237474180
Thursday, 18th May 2017 (Central London)
The video recordings of talks from this event are now live on YouTube: OWASP London Chapter May 2017 Meeting Playlist
This OWASP London Chapter meeting took place on Thursday, 18th May 2017 at 18:30
This event is kindly sponsored and hosted by Worldpay
Location: Worldpay, The Walbrook Building, 25 Walbrook , London EC4N 8AF
Nearest Tubes: Bank (take exit 8 towards Walbrook) and Cannon Street (2-minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders. Additionally Dinis Cruz will talk about OWASP Summit 2017 (PDF) (owaspsummit.org) (video)
Payment systems are part of our everyday lives, with most transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation, however, attempts to go a step further and assess payment systems from a hypothetical attacker’s point of view, by undertaking a threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that attackers could use while their activity remains unnoticed. One of the most important lessons of this threat modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly,
- Lightning Talk 1: OWASP Top 10 2017 Changes - Dinis Cruz (https://www.slideshare.net/DinisCruz/owasp-top-10-2017-rc-comments-observations-and-ideas)
Dinis will update us on the latest OWASP Top 10 2017 Release Candidate, the proposed changes and the controversy surrounding the new A7.
- Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM - Apostolos Giannakidis (PDF) (video)
A great number of Java applications use native Object Serialization to transfer or persist objects. It has recently become widely known that the deserialization process in Java is flawed and, if not used properly, can be easily abused by attackers. This talk provides an introduction and detailed overview of the problem of Java deserialization. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks using a completely different approach than any other existing solution.
- Lightning Talk 2: Security solutions for developers who have no time for security - Edwin Aldridge (video)
Within a large organisation different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult, and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide a concise source of sound advice but they can still leave the development team with a lot to do. They can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach compared with the OWASP Cheat Sheets.
Speakers:
Dr. Grigorios Fragkos
Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce. He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission critical infrastructures. As part of his PhD research he wrote a next-generation SIEM with a “notional understanding” of network events for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present at a number of security conferences, workshops and summits over the years, and he is also the main organiser of Security BSides Athens. Thinking ahead and outside the box when dealing with information security challenges is one of the key characteristics of his talks.
Apostolos Giannakidis
Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked at Oracle for 2 years focusing on destructive testing across the whole Oracle technology stack and on security testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.
Edwin Aldridge
Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming
RSVP
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.
RSVP at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-18th-may-2017-630pm-tickets-33237461141
Thursday, 30th March 2017 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 30th March 2017 at 18:30 (we start on time!)
This event is kindly sponsored and hosted by The Telegraph Media Group.
Location: The Telegraph, 111 Buckingham Palace Road, London, SW1W 0DT
Nearest Tube: Victoria (3 minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).
Talks:
- OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.
- Heroes vs Villains: Building an Application Security Program that Scales - Kevin Delaney (PDF) (video: https://www.youtube.com/watch?v=OS-6i1_eBNA)
Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although security teams try to follow the right application security practices, many applications are shipped with fragmented security. The most common denominator is the reliance on dynamic and static testing tools during the final stages of the lifecycle. In this session, learn about the benefits of building security during the requirements phase or the first stage of the software development lifecycle (SDLC).
- Lightning Talk: Bypassing CSRF Protections: A Double Defeat of the Double-Submit Cookie - David Johansson (PDF) (video: https://www.youtube.com/watch?v=2uvrGQEy8i4)
The double-submit cookie pattern for protection against cross-site request forgery (CSRF) is a popular option in stateless applications as it doesn’t require the server to store a token value between requests. Instead, the server verifies a token value stored in a cookie against a request parameter. Unfortunately, many popular implementations of this defense pattern can be defeated by attackers, and this talk will discuss the misconceptions and pitfalls that may render this protection insufficient. We will look at how the CSRF protection in an AngularJS application using the popular Express.js middleware csurf on the server side can be defeated. We will also show the options for configuring it securely.
- PostMessage Security in Chrome Extensions - Arseny Reutov (PDF) (video: https://www.youtube.com/watch?v=vWwobVQH6os)
The postMessage API is a known source of DOM XSS vulnerabilities on web sites. Browser extensions can use messaging too, and if an extension fails to handle incoming messages securely it may lead to a universal XSS. This talk will present an analysis of Chrome extensions aimed at discovering vulnerabilities caused by insecure postMessage listeners in content scripts that are inserted by browser extensions into web pages. The research will demonstrate examples of vulnerable Chrome extensions and explain the threats which they present to end users and how they can be mitigated.
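The weakness behind the double-submit cookie talk above, as an added example written for this page (not the speaker’s material and not csurf’s code). It models the plain form of the pattern, where the cookie value is the token, rather than csurf’s exact scheme; the cookie and header names, the request shape and the use of an HMAC bound to the session id are assumptions of this example. The naive check accepts any value as long as cookie and parameter agree, so anything able to write a cookie for the host (a sibling subdomain, a cookie-tossing injection) passes it; the signed variant only accepts cookies the server itself minted for this session, and only reads the token from a header a cross-site form cannot set.

```javascript
const crypto = require('crypto');

// Server-side key; never leaves the server. Generated per process for the demo
// (assumption: a real deployment would load it from configuration).
const SERVER_KEY = crypto.randomBytes(32);

// Naive double-submit: "the token in the header or body must equal the cookie".
// An attacker who can plant a cookie for this host satisfies this with a value
// of their own choosing, and the body fallback lets a cross-site form carry it.
function naiveCheck(req) {
  const cookie = req.cookies['XSRF-TOKEN'];
  const token = req.headers['x-xsrf-token'] || (req.body && req.body._csrf);
  return Boolean(cookie) && cookie === token;
}

// Signed double-submit: cookie = nonce.HMAC(SERVER_KEY, sessionId || nonce).
// A planted cookie cannot carry a valid MAC, and a token minted for one
// session does not verify for another.
function issueSignedToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const mac = crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}.${nonce}`).digest('hex');
  return `${nonce}.${mac}`;
}

function signedCheck(req) {
  const cookie = req.cookies['XSRF-TOKEN'];
  const header = req.headers['x-xsrf-token']; // header only: no body fallback
  if (!cookie || !header || cookie !== header) return false;
  const [nonce, mac] = cookie.split('.');
  if (!nonce || !mac) return false;
  const expected = crypto.createHmac('sha256', SERVER_KEY)
    .update(`${req.sessionId}.${nonce}`).digest();
  const given = Buffer.from(mac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed requests for the scenarios.
function legitimateRequest(sessionId) {
  const token = issueSignedToken(sessionId);
  return { sessionId, cookies: { 'XSRF-TOKEN': token },
           headers: { 'x-xsrf-token': token }, body: {} };
}

function forgedRequest() {
  // The attacker planted this cookie from a sibling origin and controls the
  // form body; as a worst case we also let them supply the header.
  const planted = 'a'.repeat(32) + '.' + '0'.repeat(64);
  return { sessionId: 'sess-victim', cookies: { 'XSRF-TOKEN': planted },
           headers: { 'x-xsrf-token': planted }, body: { _csrf: planted } };
}

function replayedAcrossSessions() {
  // Token minted for session A, presented in session B's request.
  return { ...legitimateRequest('sess-A'), sessionId: 'sess-B' };
}

console.log('naive, forged  :', naiveCheck(forgedRequest()));        // true  (defeated)
console.log('signed, forged :', signedCheck(forgedRequest()));       // false
console.log('signed, legit  :', signedCheck(legitimateRequest('sess-A'))); // true
```

Binding the MAC to the session id is what stops a cookie planted by a sibling origin, and dropping the body fallback is what stops a plain cross-site form: both fixes are needed, and the second one is exactly the configuration choice the talk is about.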
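The listener pattern behind the postMessage talk above, as an added example written for this page (not the speaker’s research code). The DOM is replaced by a plain sink object so the handler logic runs under Node; what a real content script would do with sink.html and sink.url is an innerHTML assignment and a navigation. The trusted origin, message shapes and sample messages are constructed assumptions.

```javascript
// Model of an extension content script's window.addEventListener('message', ...)
// handler. Constructed for this page; the sink stands in for the DOM.

const TRUSTED_ORIGIN = 'https://app.example'; // assumed origin of the extension's own page

// Vulnerable: no origin check; message fields trusted as markup and as a URL.
// Because a content script runs in every page it is injected into, any page
// can post such a message, which is what turns this into a universal XSS.
function vulnerableListener(sink) {
  return function onMessage(event) {
    const msg = event.data;
    if (!msg) return;
    if (msg.type === 'render') sink.html = msg.html;   // innerHTML: DOM XSS
    if (msg.type === 'navigate') sink.url = msg.url;   // javascript: URL navigation
  };
}

// Hardened: origin allowlist, shape check, text instead of markup, and the
// URL parsed then restricted to https on the trusted origin.
function hardenedListener(sink) {
  return function onMessage(event) {
    if (event.origin !== TRUSTED_ORIGIN) return;
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null) return;
    if (msg.type === 'render') {
      if (typeof msg.text === 'string') sink.text = msg.text;   // textContent, not innerHTML
    } else if (msg.type === 'navigate') {
      let u;
      try { u = new URL(String(msg.url), TRUSTED_ORIGIN); } catch (e) { return; }
      if (u.protocol !== 'https:' || u.origin !== TRUSTED_ORIGIN) return;
      sink.url = u.href;
    }
  };
}

// Deliver constructed message events to a listener and return what reached the sink.
function deliver(listenerFactory, events) {
  const sink = {};
  const onMessage = listenerFactory(sink);
  for (const ev of events) onMessage(ev);
  return sink;
}

// Constructed traffic: two messages from a hostile page the script was injected
// into, two from the extension's own trusted page.
const HOSTILE = [
  { origin: 'https://evil.example', data: { type: 'navigate', url: 'javascript:alert(document.domain)' } },
  { origin: 'https://evil.example', data: { type: 'render', html: '<img src=x onerror=alert(1)>' } },
];
const BENIGN = [
  { origin: TRUSTED_ORIGIN, data: { type: 'navigate', url: '/account' } },
  { origin: TRUSTED_ORIGIN, data: { type: 'render', text: 'Hello' } },
];

console.log('vulnerable:', deliver(vulnerableListener, HOSTILE));
console.log('hardened  :', deliver(hardenedListener, HOSTILE), deliver(hardenedListener, BENIGN));
```

Checking event.origin is necessary but not sufficient: the hardened handler also refuses to treat message content as markup and normalises the URL through the URL parser so that scheme tricks like javascript: or protocol-relative forms cannot slip through a string comparison.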
Speakers:
Kevin Delaney
Kevin Delaney is an application security professional from Toronto, Canada. With diverse experience in software development, security, and enterprise IT, he takes personal pride in solving challenging security problems and helping businesses stay one step ahead of attackers.
David Johansson
David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).
Arseny Reutov
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Research Team and Application Security Tools Development Unit at Positive Technologies Ltd where he specializes in information security issues, penetration testing and the analysis of web applications and source code. He is also the author of various security research papers and the security blog raz0r.name. Arseny has participated in various bug bounty programs and acknowledged by well-known software vendors. He was a speaker at ZeroNights, CONFidence, PHDays and other conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passion are modern web technologies and finding vulnerabilities in them.
Thursday, 26th January 2017 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 26th January 2017 at 18:30 (we start on time!)
This event was kindly sponsored and hosted by J.P. Morgan
Location: 6th Floor, JP Morgan, 60 Victoria Embankment, London, EC4Y 0JP
Nearest Tube: Blackfriars (2 minute walk) NOTE: JPMorgan Visitor Entrance is not at the above address, but around the corner at John Carpenter Street - please go there upon arrival.
Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)
Talks
- OWASP Introduction and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders
- Identities Exposed: How Design Flaws in Authentication Solutions May Compromise Your Privacy - David Johansson (PPTX) (video: https://www.youtube.com/watch?v=KmchjwkYAOw)
Substantial effort has been put into the design of secure solutions for authenticating users. However, the privacy of end users has rarely been given as much attention in these solutions. This often leads to design flaws that let the identities of end users be exposed to parties they not necessarily intended to disclose it to. This talk will present a set of privacy requirements for protecting end users during authentication and show some examples of solutions where the end user’s privacy can be compromised because one or more of these requirements are not met. For example, we will see how design flaws in TLS client certificate authentication can be abused by attackers to identify users in both passive and active network attacks, and look at how the upcoming TLS 1.3 standard addresses this.
- Lightning Talk - Introducing OWASP Summit 2017 - Francois Raynaud, Dinis Cruz (PDF)
The organisers of this big event will introduce the tracks and the workshops being planned
- OWASP-SAMM Maturity Models - Dinis Cruz (video: https://youtu.be/n6R_pJh3l0w?t=1748)
Dinis will talk us through the open source tool he has been building for some time - the tool to perform and visualise the assessments using the OWASP Software Assurance Maturity Model (SAMM) and Building Security in Maturity Model (BSIMM) .
Speakers
David Johansson
David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform.
Francois Raynaud
Francois is the founder of DevSecCon a conference dedicated to DevSecOps, the fusion of Devops and Secops. He is actively involved in security automation projects supporting continuous delivery and currently working as the enterprise security architect for a global retailer preceded by 17 years at ASOS, Betfair, Verizon Business, HSBC and RSA where his consulting engagement spanned across implementing CERT teams, incident response strategy, security architecture design, IT security management and penetration testing.
RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:
RSVP at Eventbrite:
Thursday, 24th November 2016 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 24th November 2016 at 18:30 (we start on time!)
The videos of talks from this event are available to watch on OWASP London YouTube channel: https://www.youtube.com/OWASPLondon
This event is kindly sponsored and hosted by Empiric.
Location: Empiric offices, 1 Old Jewry, London EC2R 8DN
Nearest Tube: Bank (2 minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)
Talks
- OWASP Introduction and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders
- PCI - The View from the Bridge - Jeremy King (PPTX) (video: https://www.youtube.com/watch?v=hapZzIKCP0I)
The International Director of the PCI Security Standards Council will take us on a journey around some wonderful sights of Europe using the images to reflect on and relate to the challenges and successes that we all face in protecting data. In his talk Jeremy will talk about the potential impact of Brexit on security and will discuss the latest changes in PCI DSS related to TLS, Multi-Factor Authentication and Secure Software Development Requirements.
- Lightning Talk 1 - OWASP ZAP Official Jenkins Plugin walkthrough & Demo - Goran Sarenkapa (PDF)
Goran will walk us through the steps to configure and use the new Official ZAP Plugin for Jenkins and will demo a test run with generated HTML reports.
- Lightning Talk 2 - myBBC Security Council - What It Means To You - Shane Kelly (PPTX)
Shane will talk about the myBBC Security Council and how it demonstrates an organisational approach towards security that ensures the right decisions are made by the right people, and that developers can raise concerns knowing that they will be seen and escalated. It also frames InfoSec as an enabling force rather than a loophole.
- JSON Hijacking - Gareth Heyes (PDF) (video: https://www.youtube.com/watch?v=NlLzI7U5L6s)
JSON hijacking is supposedly dead after the Array constructor and “Object.prototype” setter bugs have been patched or is it? This talk will show how it’s still possible to steal JSON data cross domain using various browser bugs. Gareth will take us on an epic journey of bug discovery and if we have time he may even bypass CSP for fun.
Speakers
Jeremy King
Jeremy is the International Director of the PCI Security Standards Council. He leads the PCI Council’s efforts in increasing adoption and awareness of the PCI Security Standards internationally. In this role, Mr. King works closely with the Council’s General Manager and representatives of its policy-setting executive committee from American Express, Discover, JCB International, MasterCard, and Visa, Inc. His chief responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC managed standards through all international markets, and driving education efforts and Council membership recruitment through active involvement in local and regional events, industry conferences, and meetings with key stakeholders. He also serves as a resource for Approved Scanning Vendors, Qualified Security Assessors, Internal Security Assessors, PCI Forensic Investigators, and related staff in supporting regional training, certification, and testing programs.
Gareth Heyes
Gareth works as a researcher at Portswigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS a free JavaScript sandbox that provides a safe DOM environment for sandboxed code. Gareth has been a speaker at many security conferences including the Microsoft BlueHat, Confidence Poland, and OWASP Application Security Conferences. Gareth also co-authored the “Web Application Obfuscation” book, which was named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews
Shane Kelly
Shane is a Senior Software Developer at The BBC, with a keen interest in security. Prior to the BBC he worked for the travel aggregator Travelfusion, and the anti-money laundering firm Fortent (formerly Searchspace).
Goran Sarenkapa
Goran is a core member of OWASP ZAP development team and a lead developer on OWASP ZAP Jenkins plugin project
RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:
RSVP at Eventbrite:
Monday, 28th November 2016 (Central London) OWASP London Hackathon Workshop and CTF
We are excited to announce the OWASP London Hackathon and CTF event which will be taking place on the evenings of 28th and 29th November 2016 in Central London.
CTF (Capture The Flag) is a type of computer security competition. Contestants are presented with a set of challenges and puzzles which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories and when solved, each yields a “flag” which is submitted to a real-time scoring service. The difficulty levels are from beginner to advanced.
CTF tournaments are a great and fun way for software developers to learn a wide array of applications security skills in a safe and legal environment.
This event is kindly hosted and sponsored by: ThoughtWorks London
Location: ThoughtWorks, 76 Wardour Street, London, W1F 0UR
Nearest Tubes: Piccadilly Circus (6 minute walk), Leicester Square (6 minute walk), Tottenham Court Road (9 minute walk), Oxford Circus (9 minute walk)
Schedule
Evening 1: Monday 28th November 2016, 6pm doors open for 6:30pm kick-off 9:30pm finish
OWASP London Hackathon/Training Workshop (game-based)
Learn how to hack web applications (and how to code to protect them from common security threats) in a fun, interactive and safe environment. Most programming languages supported.
Evening 2: Tuesday 29th November 2016, 6pm doors for 6:30pm kick-off 10:00pm finish and prize-giving
OWASP London Capture The Flag (CTF) competition
Practice your hacking skills and compete against other participants and teams - solve challenges and puzzles, capture flags, score points and win prizes!
IMPORTANT: Please bring your own LAPTOP and a charger for it to both evenings.
Snacks and drinks will be provided throughout both evenings.
Top 3 scorers will win exciting prizes generously provided by security technology vendors.
Participation is FREE, but the number of seats is strictly limited and reservation is required to attend.
Please note that tickets to each evening should be booked separately.
You can choose to come to the Workshop only, CTF competition only or both events.
Spread the word within your organisations and get your developers to join.
Remember to bring your own laptop!
Booking link
Please note that there are two separate dates for this event and you should book tickets to both dates if you are planning to attend both the Hackathon workshop and the CTF competition:
https://www.eventbrite.co.uk/e/owasp-london-hackathon-and-ctf-tickets-29190020136
Thursday, 29th September 2016 (Central London)
This event was kindly sponsored and hosted by Skype (Microsoft)
The videos from this event are available to watch on OWASP London YouTube channel: https://www.youtube.com/channel/UC-CfoAEpdpkB_jYrydYrqSA
Location: Skype (Microsoft) offices: 2 Waterhouse Square, 140 Holborn, London EC1N 2ST
Nearest Tube: Chancery Lane
Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)
Talks
- OWASP Introduction and News - Sam Stepanyan and Sherif Mansour (PDF)
Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders
- Lightning Talk 1 - Can Your Organisation Survive a Poli-Cyber Breach ? - Khaled Fattal (PDF)
With the rise of the new breed of cyber-terrorism perpetrated by extremist groups such as ISIS/Daesh, an alarming new dimension has been added to the threat landscape.
- The Thermostat, The Hacker, and The Malware - Ken Munro and Andrew Tierney (PDF)
Following the PoC of thermostat ransomware Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move on to general malware, which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we’ll show you how you can achieve a compromise. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.
- Lightning Talk 2 - Telling The Time - Chris Anley (PDF)
Fairly regularly on consultancy jobs, you encounter a “random” number that is actually just the time, or a PRNG seeded with the time, or a hash of the time, etc. If you had to guess the time on a remote server to a tolerance of a microsecond, how many requests would it take?
- Node.js Security - Still Unsafe At Most Speeds (PDF). Surrogate Dependencies in Node.JS (PDF) - Dinis Cruz
Abstract TBC
Speakers
Ken Munro
Ken Munro is a successful entrepreneur and is founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers all of whom have a stake in the business. He takes a key role in conducting investigations as well as encouraging team members to pursue their own research, the results of which are published on the company blog and in the wider media. Ken has a wealth of experience in penetration testing but it’s the systems and objects we come into contact with on an everyday basis that really pique his interest. This has seen him hack everything from hotel keycards, to cars and a range of Internet of Things (IoT) devices, from wearable tech to children’s toys (Cayla) and smart home control systems. Ken has been in the infosecurity business for 15 years.
Andrew Tierney
Andrew Tierney is a security consultant at Pen Test Partners. Prior to this he gained notoriety for his blog where he documented his findings regarding embedded systems such as routers, intruder alarms, thermostats, IP cameras, and DVRs. He expanded his skills into the realms of IoT web applications and mobile applications before joining the team. With a background in electronic engineering, Andrew employs some novel techniques for attacking embedded systems, such as simple and differential power analysis, firmware recovery, and glitching attacks. He has experience in both writing and disassembling code for multiple architectures, including ARM, MIPS, x86, AVR, and PIC, and is capable of reverse engineering a wide spectrum of devices from the smallest 8-bit microcontroller up to the latest Android phones.
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform.
Khaled Fattal
Khaled Fattal is the Group Chairman of The Multilingual Internet Group. He is also the President Advisory Committee Member on Internationalised Domain Names (IDN) at ICANN (Internet Corporation for Assigned Names and Numbers). Khaled has been a strong advocate of Internet multilingualism and is an active promoter of research, development, education & deployment projects which help to make the Internet more usable and inclusive. Recently Khaled has been actively researching the topics of cyber-terrorism from threat actors such as ISIS/Daesh and the rogue states.
Chris Anley
Chris Anley is Chief Scientist at NCC Group. He is the author of several innovative papers on application security, including “Advanced SQL Injection”, “Hackproofing MySQL” and the paper introducing “Venetian” shellcode. He is the lead author of “The Shellcoder’s Handbook”, arguably the definitive book on discovering and exploiting arbitrary-code security vulnerabilities, and co-author of “The Database Hacker’s Handbook” and “SQL Server Security”. He has discovered security flaws in a wide variety of platforms including Microsoft Windows, Apple OSX, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.
RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:
RSVP at Eventbrite:
Thursday, 28th July 2016 (Central London)
This event is kindly sponsored and hosted by Expedia. Video recordings of talks from this event are now available here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_dxWb4Gy07cm5_seNCzZG3q
Location: Expedia.com Ltd, Block 1, Angel Square, London, EC1V 1NS. Nearest Tube: Angel (Northern Line)
Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)
Talks
- OWASP London Welcome and Intro - Sherif Mansour and Sam Stepanyan
Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders (PDF)
- CSP STS PKP ETC OMG WTF BBQ… - Scott Helme (PDF)
There are a huge number of technologies available to help us better secure our websites, but it can be difficult to know about all of them. In this talk I’m going to show you some of the headline acts in the HTTP Response Header category and just how easy it can be to quickly and effectively boost security and offer better protection to your visitors.
- Achieving Secure Continuous Delivery - Lucian Corlan and Chris Rutter (PDF)
There’s a lot of discussion around achieving application security automation within the development pipeline. In this talk you will experience an approach to using Threadfix and its “Policies” feature to determine the security exposure of a release and using a tool called Donatello to output the result back into the continuous integration and delivery flows. Additionally, the speakers will be presenting some of their ideas for a second version of Donatello which will be taking a lot more static & dynamic attributes into account in the form of an Application Security Passport.
- “Lightning Talk” - Jacks Tool Demo - Lewis Ardern (PDF)
Become a Source Code Hero With New Code Analysis Tool for Developers, Jacks.
Jacks is changing the way development teams approach the security dilemma, by giving developers the skills they need to own the security of their applications and to build safer apps from the start.
Speakers
Scott Helme
Scott Helme is an internationally renowned speaker, security researcher, pen tester, consultant and blogger. Scott is also the founder of report-uri.io and securityheaders.io - free online tools which help thousands of organisations around the globe to deploy better security.
Lucian Corlan
Lucian is a Senior Application Security Solutions Manager at SagePay. Lucian holds a number of security certifications – MSc ITSec, MA Security Studies, CISSP, CSSLP (a), CISM, CISA, CEH, OSCP, SABSA Foundation and has previously worked for Betfair in the InfoSec/AppSec Manager and Acting Head of AppSec roles. Lucian has also led one of the Romanian OWASP Chapters and is still involved in OWASP. Before that he worked for several multi-national organisations in the banking (chip card security & app security) and telecom (infra & app security) sectors. If there’s any free time left…, he spends it meddling with astronomy (planetary & galactic), reading philosophy/crypto detective books and dissecting bits of geo-economy politics.
Chris Rutter
Chris is a software developer who has bought into the crazy idea that software security is a measure of quality, right up there with business functionality and performance. He enjoys perfecting ways to defend his applications from any and all kinds of malicious nasties and educating other developers on said nasties. He has spent the last few years easing PCI-level security practices into an agile, 1 week sprint, continuous delivery environment using a mixture of education, automation and teamwork.
Lewis Ardern
Lewis Ardern is a Consultant at Cigital, Inc. Lewis is a Ph.D. candidate at Leeds Beckett researching Web Security, with a focus on client-side security. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen (https://github.com/SecGen/SecGen) which generates vulnerable virtual machines on the fly for security training purposes.
RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:
RSVP at Eventbrite:
Thursday, 28th April 2016 (Central London)
This event is kindly sponsored and hosted by Skype (Microsoft) who have been hosting OWASP London Chapter Meetings since January 2014.
Location: Skype(Microsoft), 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST. Nearest Tube: Chancery Lane
Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)
Talks
- OWASP London Welcome Intro - Sherif Mansour and Sam Stepanyan
Welcome and Chapter Update from the OWASP London Chapter Leaders (PDF)
- Threat Intelligence (“Lightning” Talk) - Sherif Mansour
Introduction to Threat Intelligence (PDF)
- Drones and their Flaws - Aatif Khan (PDF)
Drones, or Unmanned Aerial Vehicles (UAVs), have undoubtedly attained a prominent position in contemporary and future defense technologies. They have been increasingly used for surveillance and reconnaissance, and have been planned to stop crude oil theft, to deliver online shopping products and even pizza. It remains important to understand their security and its implications. This talk will explore different kinds of drones and their associated vulnerabilities, giving the audience a chance to understand their flaws and work on anti-hacking solutions.
- How (NOT) to Code Your Ransomware - Liviu Itoafa (PDF)
The presentation will start with a history of ransomware from simple lockers to recent trends. Although currently ransomware follows good secure development practices, this is not always the case. We’ll see in what circumstances we can get our files back and how. This will make you think twice before paying the ransom and, for some samples, think twice before clicking that tempting link for ‘summer photos’.
Speakers
- Aatif Khan
Aatif Khan is a cyber security researcher who comes with over a decade of experience in information security. Apart from consulting on application security, he has also delivered infosec training to corporate and defense personnel and cyber crime police officials. He has previously presented talks at OWASP Singapore, Malaysia, India and Dubai. He has also authored papers on Advanced Persistent Threats, Hacking the Drones, Web Security 2.0 and Android Application Penetration Testing.
- Liviu Itoafa
Liviu Itoafa is a security researcher with a strong interest in malware analysis and investigating security incidents. He has been working in the field of Information Security for more than 7 years on developing (secure) software, application pentesting and reverse engineering. He became a coding enthusiast a long time ago, when he found out how to do game cheats and many other interesting things with the C programming language and a little Assembly. Now, as a security researcher at Kaspersky Labs, he is having fun investigating malware samples. He also runs malware analysis and reverse engineering workshops.
- Sherif Mansour
Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.
RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building by the Microsoft(Skype) security reception.
RSVP is now open at Eventbrite:
Thursday, 25th February 2016 (Central London)
Video recordings of the talks from this event are now available on OWASPLondon YouTube channel
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Time: 18:30 to 20:30 (BST) (We start on time)
Talks
- OWASP London Chapter announcement - Justin Clarke - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
- The Challenges of Web Application Security in a Continuous Delivery World - Sherif Mansour - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
Imagine a world where a developer can have her/his code pushed into production a few minutes after it’s checked in. How do you ingrain web application security in such a development pipeline? How do you keep track of the security issues? In this talk we’ll discuss some of the security challenges for this paradigm shift and how OWASP can help development teams navigate some of these challenges.
- New Era of Software with modern Application Security - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but also allow them to be developed in a much more efficient, cheaper and productive way.
Speakers
- Justin Clarke
Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of “SQL Injection Attacks and Defenses” - published May 2009 by Syngress, co-author of “Network Security Tools” - published April 2005 by O’Reilly, contributor to “Network Security Assessment, 2nd Edition”, as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Justin is the outgoing Chapter leader of the OWASP London chapter.
- Sherif Mansour
Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.
- Dinis Cruz
Dinis is creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to ‘Automate Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform.
RSVP
RSVP is now open at Eventbrite - https://www.eventbrite.co.uk/e/owasp-london-event-february-chapter-meeting-thursday-25th-february-2016-630pm-830pm-tickets-21498714233
Thursday, June 11th 2015 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Time: 18:30 to 20:30 (BST) (We start on time)
Talks
- OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella
How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information.
- Topic To be confirmed - Justin Clarke
Exciting OWASP topic to be confirmed!
Speakers
- Christian Martorella
Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before that he was the Practice Lead of Threat and Vulnerability for Verizon Business, where he led a team of consultants delivering security testing services in EMEA for a wide range of industries including financial services, telecommunications, utilities and government. He is co-founder and an active member of the Edge-Security team, where security tools and research are released. He has presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed to open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes everything related to Information Gathering, OSINT and offensive security.
- Justin Clarke
Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of “SQL Injection Attacks and Defenses” - published May 2009 by Syngress, co-author of “Network Security Tools” - published April 2005 by O’Reilly, contributor to “Network Security Assessment, 2nd Edition”, as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.
RSVP
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/
Thursday, December 4th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Speakers: Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci
- Offensive OSINT - Christian Martorella and Zigor Zumalde
Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks
- Round-up - Colin Watson
OWASP news and Christmas gift (presentation)
- OWASP Testing Guide v4 - Matteo Meucci
The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.
Thursday, September 18th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Speakers: John Smith, Joe Pelletier, Colin Watson
- Global Application Security Survey & Benchmarking - John Smith
This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.
- Anatomy of a Data Breach - Joe Pelletier
The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.
- OWASP Roundup - Colin Watson
Information on some recent project releases, conference recordings and AppSec EU 2015. (PPT)
Thursday, May 15th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Speakers: Hacker Fantastic, Colin Watson
- Heartbleed Teardown - Hacker Fantastic
An analysis of CVE-2014-0160 (“heartbleed”) covering a detailed assessment of the vulnerability since its introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attacker’s perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.
- AppSensor 2.0 - Colin Watson (PDF)
The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project’s contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.
Thursday, March 20th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Speakers: Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou
- Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos
Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.
- OWASP WebSpa - Yiannis Pavlosoglou (PPTX)
The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking. If port knocking is defined as “a form of host-to-host communication in which information flows across closed ports”, then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: a tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa, will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previously closed TCP port 22 and other services.
Thursday, January 16th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST
Speakers: Justin Clarke, Marco Morana and Tobias Gondrom
- Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke
Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier…but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal with these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).
- 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom
Recognising the important role that the CISO has in managing application security processes within organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and foremost to capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs. One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.
Thursday, December 12th 2013 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA
Speakers: Ofer Maor and Colin Watson
- IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor
Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by a discussion of advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…
- OWASP Cornucopia - Colin Watson
Microsoft’s Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. “OWASP Cornucopia - Ecommerce Web Application Edition” will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.
Thursday, October 24th 2013 (Central London)
Location: Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX
Speakers: Dinis Cruz and Justin Clarke
- Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz
This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor’s capabilities.
- OWASP Mobile Top 10 - Justin Clarke
The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.
Monday, June 3rd 2013 (London EUTour2013 One Day Conference)
Location: Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY
For full details, including slides and videos of sessions, go to the main EUTour2013 Page and click through to the London event.
Thursday, November 8th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA
Speakers: Petko Petkov and Marco Morana
- A Short History of The JavaScript Security Arsenal - Petko D. Petkov
In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.
This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.
-
The continuously evolving threat landscape calls CISOs to consider new application security measures: how can OWASP help? - Marco Morana (PPTX)
The aim of this 20-minute talk is to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide. OWASP has developed this guidance specifically to address the needs of CISOs, helping them prioritise the mitigation of web application vulnerabilities that might severely and negatively impact the organisation and jeopardise the business.
Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members)
Location: Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB
Time: 10:00am - 4:30pm
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK’s traditional information security membership base, and OWASP’s web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP’s top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day’s talks are over, please join us for a free tour of the famous WWII codebreaking facility!
Thursday, March 29th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA
Speakers: Jim Manico and Manish Saindane
-
Top 10 Web Defences - Jim Manico (PPTX)
We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.
-
IronWASP - Manish Saindane (PPTX)
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
Speakers: Viet Pham and Tobias Gondrom
- Implementing cryptography: good theory vs. bad practice - Viet Pham (PDF)
Abstract: Cryptography is widely implemented in software to provide security features. The main reason is that many cryptographic mechanisms are mathematically proven secure, or trusted to be secure given some mathematical reasoning. However, to take full advantage of these mechanisms, they must be implemented strictly according to the theoretical models: e.g., several cryptographic mechanisms must be used together, in a specific manner, to achieve a desired security goal. Without a strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where they spread, and how bad they may turn out.
- Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs - Tobias Gondrom (PDF)
“In recent months, major trusted CAs providing certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the DigiNotar breach) and, under the current trust models (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently being discussed to mitigate this risk. The most advanced, and closest to final adoption, are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates, linked to a domain name, has been defined. This approach has been partly tested in Chrome, and already helped identify and protect, to some extent, Google’s web applications in the recent DigiNotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.”
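The two mechanisms the abstract above describes, modelled in Python as an added example (this is not code from the talk, the speaker or the OWASP page; standard library only). HSTS header syntax follows RFC 6797; the pin format, base64 of a SHA-256 over the DER-encoded SubjectPublicKeyInfo, is the one later standardised for header-delivered pinning (HPKP, RFC 7469). The SPKI byte strings are constructed placeholders, not real Google or DigiNotar certificate data. Two caveats a practitioner should carry away: HSTS is trust-on-first-use, so a host the browser has never reached over a working TLS connection (and is not on a preload list) gets no protection on its first plain-HTTP request; and header-delivered pinning was later withdrawn from the major browsers because a mis-set pin locks users out of a site, with Certificate Transparency taking over that role, while pins built into the browser, as the abstract describes for Chrome, remain in use.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set, Tuple

# --- Certificate pinning -----------------------------------------------------
# A pin is base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the public key
# rather than the whole certificate lets the site renew its certificate (new
# serial, new validity dates) without changing the pin. The byte strings below
# are CONSTRUCTED placeholders standing in for DER-encoded SPKIs; they are not
# real Google or DigiNotar keys.
LEGIT_LEAF_SPKI = b"\x30\x59\x30\x13constructed-legit-leaf-key"
BACKUP_SPKI = b"\x30\x59\x30\x13constructed-offline-backup-key"
BOGUS_SPKI = b"\x30\x59\x30\x13constructed-key-from-rogue-ca-cert"


def spki_pin(spki_der: bytes) -> str:
    """Compute the pin value for one DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# What the client holds for the site: the live key plus one backup pin whose
# private key is kept offline, so losing or rotating the live key does not
# lock every pinned client out of the site.
PINS: Set[str] = {spki_pin(LEGIT_LEAF_SPKI), spki_pin(BACKUP_SPKI)}


def chain_matches_pins(chain_spkis: List[bytes], pins: Set[str]) -> bool:
    """Accept the chain if ANY certificate in it (leaf or intermediate) carries
    a pinned key. A chain that validates to a trusted CA but carries no pinned
    key, which is what a certificate from a compromised CA looks like, fails."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def has_backup_pin(chain_spkis: List[bytes], pins: Set[str]) -> bool:
    """Deployment check: at least one pin must NOT appear in the served chain,
    otherwise there is no recovery path if the live key is lost or compromised."""
    served = {spki_pin(spki) for spki in chain_spkis}
    return bool(pins - served)


# --- HSTS ---------------------------------------------------------------------
def parse_hsts(header_value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains'. max-age is mandatory."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"malformed max-age: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("HSTS header without max-age is invalid")
    return policy


class HstsStore:
    """Minimal model of a browser's HSTS cache. The policy is only learned from
    a response received over a working TLS connection (trust-on-first-use)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[int, bool]] = {}  # host -> (expiry, includeSubDomains)

    def record(self, host: str, header_value: str, now: int) -> None:
        policy = parse_hsts(header_value)
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
            return
        self._hosts[host] = (now + int(policy["max_age"]), bool(policy["include_subdomains"]))

    def should_upgrade(self, host: str, now: int) -> bool:
        """True if a plain-HTTP request to host must be rewritten to HTTPS:
        an unexpired entry for the host itself, or for a parent domain that
        set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now < expiry and (i == 0 or include_subdomains):
                return True
        return False


if __name__ == "__main__":
    print("rogue chain accepted:", chain_matches_pins([BOGUS_SPKI], PINS))  # False
    print("legit chain accepted:", chain_matches_pins([LEGIT_LEAF_SPKI], PINS))  # True
    print("pin set has backup:", has_backup_pin([LEGIT_LEAF_SPKI], PINS))  # True
    store = HstsStore()
    print("first visit upgraded:", store.should_upgrade("example.com", 0))  # False
    store.record("example.com", "max-age=31536000; includeSubDomains", now=0)
    print("after learning policy:", store.should_upgrade("login.example.com", 1))  # True
```

The rogue chain is rejected even though, in the real attack, the DigiNotar-issued certificate carried a perfectly valid signature from a CA the browser trusted: the pin check asks which key the site is expected to use, not merely which CAs may vouch for it. The `first visit upgraded` line being `False` is the HSTS gap that preload lists exist to close.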
Thursday, February 2nd 2012, 18:30-21:00
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
Speakers: Sarah Baso, Dinis Cruz, Dennis Groves
-
Security as Pollution (lessons learned) - Dinis Cruz
Based on David Rice’s “Upon the Threshold of Opportunity” presentation at the OWASP AppSec USA 2010
-
Making Security Invisible by Becoming the Developer’s Best Friends - Dinis Cruz
Based on Dinis’ presentation at OWASP AppSec Brazil 2011
-
How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
This is for students and developers who want to get into the application security space and need to have/show real-world experience.
-
What’s Happening on OWASP Today - Sarah Baso
This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP’s employees currently focused on logistics, community and empowerment
Thursday, September 8th 2011
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
Speaker: Daniel Cuthbert (deck)
Title: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.
Friday, June 3rd 2011
Location: Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX
-
WordPress Security - Steve Lord (PDF)
WordPress is one of the most popular blogging systems in the world, but it is routinely used to shoehorn complex sites into a blog-shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian’s Steve Lord discusses common WordPress security snafus and how to avoid them.
Thursday, April 14th 2011
Location: Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH
-
WordPress Security - Steve Lord (PDF)
WordPress is one of the most popular blogging systems in the world, but it is routinely used to shoehorn complex sites into a blog-shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian’s Steve Lord discusses common WordPress security snafus and how to avoid them.
-
Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit
Discussion of what came out of the recent OWASP Summit, “OWASP 4.0” and what is changing in the OWASP world now and in the near future
Thursday, February 17th 2011
Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA
A special meeting, held in conjunction with London Geek Nights, on SSL usage and its dangers. An opportunity to bring the developer and security communities together to talk more pragmatically about this key topic.
Archived Events
For events before 2011, see Archived OWASP London Events
Other Activities
- February 2010 - Personal Information Online COP
The Leeds UK, London and Scotland Chapters joint response to the UK Information Commissioner’s Office draft Personal Information Online Code of Practice.
- March 2009 - Entry for Nominet Best Practice Challenge 2009
The Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award (PDF) in the Nominet Best Practice Challenge 2009.
- 16th October 2008 - COI Browser Standards for Public Websites
The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13) (PDF).