Scotland

Local News
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).

You can also now follow us on Twitter (@OWASPScotland).

Upcoming Events
Signup to the chapter mailing list to be informed of upcoming events.

Wednesday, 14 March 2018
Time: 18:00 - 20:00

Location: PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX

We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.

We are still confirming speakers so please save the date and await further information in the near future.

If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.

For attending this event you will be able to claim 2 CPE points.

Website Discovery & Managing the Shadow Estate

Speaker: James Penny

There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.

A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.

This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.

Analyst, Engineer or Consultant?

Speaker:Harry McLaren

A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.

Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk

Wednesday, 4 October 2017
Time: 18:00

Location: Secureworks,

1 Tanfield,

Edinburgh,

EH3 5DA

To attend, please register here for the event https://owasp-scotland-oct-2017.eventbrite.co.uk. Places are limited, so please only register if you will definitely be attending.

* Please note that if your name is not on the list, you will be unlikely to enter the venue.

Revocation is broken, here's how we're fixing it

Speaker: Scott Helme

The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.

Thursday, 31 August 2017
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space.

We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.

Time: 18:30

Location:  MF2 on the 4th floor,

Informatics Forum,

10 CrichtonStreet,

Edinburgh,

EH8 9AB

Deconstructing WannaCry
Speaker: James Slaughter

- Who, What, Where, Why and How.

-  Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.

Driving Remediation in Large Organisations
Speaker: Andrew Scott

Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.

Thursday, 18 May 2017
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.

Time: 18:30

Location: Ground floor main lecture room,

Informatics Forum,

10 CrichtonStreet,

Edinburgh,

EH8 9AB

Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was.
Speaker: Boglarka Ronto

The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).

The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.

This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).

TLS Demystified
Speaker: Sean Wright

TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.

Friday, 3 March 2017
Virtual event kicking off the year for the Scotland chapter.

Time: 12:00

The following talks will be given:

Penetration testing: a beginners paradise.
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.

CSRF - Imitation is The Best Form of Flattery
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.

Sponsors
The OWASP Scotland chapter now has a sponsor which is Sopra Group