London

Chapter Sponsors
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:

Meeting Sponsors
The following is the list of organisations who have generously provided us with space for London chapter meetings:

Thursday, May 15th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Talks

 * Application Security with Hardware Roots of Trust - Rick Doten
 * Hardware-based security is an unfortunately seldom-leveraged solution to protect our enterprises by bringing a root of trust for system, user identity, and encryption of data. By insuring that only authorised users authenticate using cryptological certificates stored in secure hardware chips of PCs, tablets, and phones, we can also provide more granular application control of data to increase privacy.
 * The core of trusted computing already exists in most PC systems today. Many PC’s include a dormant Trusted Platform Module (TPM) that uses a standard from the Trusted Computing Group (TCG). The TPM can be activated to encrypt hard drives on the hardware level, provide controlled network access, and deliver measurements on boot process for unauthorised changes.  With an abstraction layer called the Trusted Software Stack (TSS) specification, we can leverage this strong authentication into applications.  We can also use this credential for data encryption that can’t be man-in-the-middle attacked like SSL, while giving the opportunity to digitally sign data and documents.  Further, we can utilize hardware measurements to provide a level of system trust, which we could use to dynamically alter application access and functionality based on that trust level.
 * This presentation will provide an overview of these current and future application security capabilities, and how developers will soon be able to leverage hardware roots of trust to make more secure applications.


 * AppSensor 2.0 - Colin Watson
 * Abstract to come.

Speakers

 * Rick Doten
 * Rick Doten is CISO for Digital Management Inc (DMI). He has over 23 years of experience in the IT industry, the last 16 focused on cyber security   Before DMI, Rick was a Risk Management Consultant at Gartner.  He was Chief Scientist at the Lockheed Martin Center for Cyber Security Innovation (CCSI). Rick was Managing Principal for Verizon Business’s East Coast Professional Security Services practice. Earlier his career, he was an “Ethical Hacker” at Global Integrity.  Rick has been quoted in dozens of security articles such as Dark Reading, SC Magazine, Infosecurity Professional magazine, and Mashable, and has appeared on CNN, TechTV, and the National Insider as a cyber security expert.   Rick also holds a Patent for Wireless Intrusion Detection technology.


 * Colin Watson
 * Bio to come.

RSVP
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/

Future Events
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:

Thursday, July 17th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Thursday, September 18th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Thursday, November 20th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Thursday, March 20th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou


 * Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos
 * Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.


 * OWASP WebSpa - Yiannis Pavlosoglou ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])
 * The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.

Thursday, January 16th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Justin Clarke, Marco Morana and Tobias Gondrom


 * Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke
 * Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path.  When we initially decided to implement CSP, the BETA version of our website was already live.  Like many sites, our platform grew from something we initially started as a pet project.  Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.   We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime.  Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed.  We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime.  Needless to say we were surprised by what was reported, and we’ll share the results.   Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).


 * 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom
 * Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Thursday, December 12th 2013 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Ofer Maor and Colin Watson


 * IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor
 * Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...


 * OWASP Cornucopia - Colin Watson
 * Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

Thursday, October 24th 2013 (Central London)
Location: Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX

Speakers: Dinis Cruz and Justin Clarke


 * Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz
 * This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.


 * OWASP Mobile Top 10 - Justin Clarke
 * The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.

Monday, June 3rd 2013 (London EUTour2013 One Day Conference)
Location: Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY

For full details, including slides and videos of sessions, go to the main EUTour2013 Page and click through to the London event.

Thursday, November 8th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Petko Petkov and Marco Morana


 * A Short History of The JavaScript Security Arsenal - Petko D. Petkov
 * In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.
 * This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.


 * The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])
 * The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.

Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members)
Location: Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB

Time: 10:00am - 4:30pm

ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!

Thursday, March 29th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Jim Manico and Manish Saindane


 * Top 10 Web Defences - Jim Manico ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])
 * We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.
 * IronWASP - Manish Saindane ([[Media:IronWASP.pptx|PPTX]])
 * IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Viet Pham and Tobias Gondrom


 * ''Implementing cryptography: good theory vs. bad practice - Viet Pham ([PDF])
 * Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.


 * ''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([PDF])
 * "In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."

Thursday, February 2nd 2012 ,18:30-21:00
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Sarah Baso, Dinis Cruz, Dennis Groves


 * Security as Pollution (lessons learned) - Dinis Cruz
 * Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010


 * Making Security Invisible by Becoming the Developer's Best Friends - Dinis Cruz
 * Based on Dinis' presentation at OWASP AppSec Brazil 2011


 * How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
 * This is for students and developers who want to get into the application security space and need to have/show real-world experience.


 * What's Happening on OWASP Today - Sarah Baso
 * This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment

Thursday, September 8th 2011
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speaker: Daniel Cuthbert (deck)

Title: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.

Friday, June 3rd 2011
Location: Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Thursday, April 14th 2011
Location: Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.


 * Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit
 * Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future

Thursday, February 17th 2011
Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA

A special meeting event, in conjunction with London Geek Nights on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.

Archived Events
For events before 2011, see Archived OWASP London Events

Other Activities
The Leeds UK, London and Scotland Chapters joint response to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.
 * February 2010 - Personal Information Online COP

Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.
 * March 2009 - Entry for Nominet Best Practice Challenge 2009


 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).