Turkey

Local News
Ceviri projesine yardim etmek isteyen arkadaslar lutfen [mailto:bunyamindemir@gmail.com iletisime] geciniz.

Sponsors
http://www.owasp.org/images/a/a9/Turkey_Chapter_Sponsor1_Pro-G.gif

Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)
Presentations:


 * Turkish Subtitle for Jeff's OWASP Day Intro movie (delete .ppt extension)
 * OWASP2007_KamudaPrivacy.ppt‎
 * Guvenli_Web_Uygulamalarinin_Gelistirilmesi2.ppt

Discussion Answers:

Q1. What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1. During the meeting an effort was made to clarify the meaning of privacy; - what are the key items that builds up to "privacy"? - are we talking about the privacy of real people or should we also include the privacy of legal entities? - is there really a solid line (or even a vague line) between confidentiality and privacy? We defined privacy as confidentiality of the data; be it of a real person or a legal entity. But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions; The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2. Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2. Most of the participants agreed that a law is a necessity. But, maybe, more important thing is to raise the awareness of the customers. Here we also had a discussion on the current status of the law on privacy? There are mainly three documents on privacy in Turkish law; * a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer) * a draft law on privacy from Department of Justice, which is still in the process of approval * a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the   European Parliament and of the Council" on the data retention. This law, however, still needs a few directives, which are about to be published.

Q3. Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3. As a first step there should be an "agreement" presented to the user by the application side. This wouldn't be enough so there should be regular inspections (a third eye) on these services. About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is a domain serving, founded by the victims of online banking crimes in Turkey.

Q4. What should OWASP be focusing on?

A4. As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5. What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5. Some suggestions; . Printed booklets of Guide and Testing Guide. . OWASP CD with shiny labels . I'm afraid to say but... t-shirts

Q6. Should OWASP organize such 'OWASP Weeks' every quarter?

A6. OWASP should organize these events every 6 months or so :)

Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)
As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event (Web Security Days) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:


 * 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR


 * 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ Chief Researcher CC Lab-UEKAE TUBITAK


 * 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER Chief Researcher PRO-G


 * 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

Last Event - 1st Web Security Days - July 14 (Turkey 2007)
First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

For details...

Last Meetings
Sunday 6 May 2007 Time: 11:15-12:30

Address to the meeting are:

Middle East Technical University Ankara-Turkey

Presentation

Web Application Security with ModSecurity and OWASP