Turkey

Chapter Brochure
Here you can view a brochure explaining in Turkish the action highlights of OWASP/Türkiye during the last one and a half year.

Local News
We have a meeting on Sunday, 08 March in Istanbul.

Projects/Tools
Here are some of the projects produced by OWASP/Türkiye;


 * Jarvinen by Gökhan Alkan & Yusuf Çeri & Bedirhan Urgun

A simple yet effective web based audit log monitoring service for Modsecurity v2. It consists of two basic parts; a (bash) shell script that parses serial logs into the mysql database and a php web application.


 * CAMMP by Gökhan Alkan

Aims to provide (bash) shell scripts in order to automatize the source code installations of apache (php and modsecurity) and mysql under chroot (for RedHat based systems for now).


 * SecureImage by Mesut Timur & Bedirhan Urgun & Kerem Küsmezer

A Java,PHP and .NET based image validator that can be used for validating image files on upload systems (such as photo galleries,forums,etc ..) against the threats for XSS issues with IE and LFI attacks. Individual project pages; PSecureImage for PHP, JSecureImage for Java and NSecureImage for .NET


 * SecureTomcat by Bedirhan Urgun & Deniz Çevik & Gökhan Alkan

A collection of three components; an audit documentation in Turkish, a basic remote vulnerability scanner and an audit shell script fully aligned with the audit documentation. All for auditing and testing Apache Tomcat partial J2EE container.


 * WeBekci by Bünyamin Demir

WeBekci is a graphical user end for ModSecurity 2.x web application firewall.


 * Web Security Turkish Translation Project by great volunteers & Bedirhan Urgun

Turkish translations of OWASP guides and other web application security related documents over 500 pages and counting
 * WIVET by Bedirhan Urgun

A benchmarking project that aims to statistically analyze web link extractors. It provides a good sum of input vectors to any extractor and presents the results. Check out the live app here.


 * SqliBench by Mesut Timur & Bedirhan Urgun

SQLiBENCH is a benchmarking project of automatic sql injectors related to dumping databases. Check out the live app here. The project is sponsored by OWASP SoC 08.


 * MSALParser by Bedirhan Urgun

MSALParser (pronounced \mi-säl\) implements necessary parsers and model objects to represent a ModSecurity Single Audit Log, hence the name MSAL. MSALParser is a PHP RPC end that will get mlogc's calls and parses them into objects and eventually write to a persistent data store.


 * ApacheLive by Bedirhan Urgun

ApacheLive (aka Haydar) project consists of a python script which was aimed to stress Apache web servers (httpd) using Keep-Alive parameters.


 * AntiCsurf by Mesut Timur

For most of the languages and frameworks, developers have to implement their own functions to defend against CSRF. AntiCsrf is a basic and light library for defending against CSRF for PHP applications.

Translations
Çeviri projesine yardım etmek isteyen arkadaşlar, lütfen [mailto:bunyamindemir@gmail.com bunyamin] veya [mailto:urgunb@hotmail.com bedirhan] (proje lideri) ile iletişime geçiniz. Şu ana kadar yayınlanan çevirilere buradan ulaşabilirsiniz. You can find Turkish translations of OWASP and other web security related documents here.

Fifth OWASP-Turkey Meeting in March 08, 2009
A regular meeting on web/software security related issues&techniques&news. The meeting will take place in Istanbul, Maltepe, beween 13:00-15:00, on 08th of March, Sunday. Here's the map for the meeting place If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

Artifacts - Web Security Days Kocaeli December 2008
With over 50 attendees we had our 4th Web Security Days in Kocaeli University at Umuttepe Campus.

Presentations & SlideShows & Photos:
 * Giris - Bedirhan Urgun
 * WGT/OWASPTR - Bünyamin Demir
 * WWW Introduction - Uğur Yıldız
 * CSRF - Yusuf Çeri
 * Graphic Attacks - Mesut Timur
 * Secure Web Production Environments - Gökhan Alkan
 * Pictures - Bedirhan & Bünyamin
 * OWASP Top 10 Slide Show - Bedirhan Urgun

Next Event - 4th Web Security Days Kocaeli - December 23 (Turkey 2008)
This event will be the fourth of "Web Security Days" and will take place on 23rd of December 2008 in Kocaeli. The agenda of the event is here.

Artifacts - Fourth OWASP-Turkey Meeting in October 18, 2008
Here's the agenda of the meeting. We also had two small discussion and presentation of a simple demo overview of recent clickjacking vulnerability and sqlibench SoC 2008 OWASP project. Thanks everyone for participating.

Moreover, all of the OWASP sent books (~30)/pens(~15) were distributed freely!

For the photos take a look at here.

Fourth OWASP-Turkey Meeting in October 18, 2008
A catch up meeting on web/software security related issues&techniques&news. Moreover, OWASP sent goodies (to the most active chapters) will be distributed (This includes 27 OWASP books and 19 pens). It will take place in Istanbul, İstiklal Cad.Emir Nevruz Sok. No: 1/11 Galatasaray Beyoğlu beween 14:00-16:00, on 18th of October. If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

Artifacts - June 21 2008 OWASP-TR Talk in "Free Software Conference"
Here is the presentation given by Mesut Timur and keynote submitted at "Free Software Conference" in TOBB University of Economics and Technology; OWASP-TR Presentation and Web Security and Free Software Keynote (in Turkish) respectively.

Talk in Free Software Conference in Ankara
We'll be giving a talk in "Free Software Conference" about OWASP and OWASP/Turkey in TOBB University of Economics and Technology on 21st (Saturday) of June 2008. The talk will include an introduction to OWASP, OWASP/Turkey, as well as web/application security projects achieved in Turkey.

The Day will start at 09:30 and our talk, which will be presented by Mesut Timur, will be between 15.00-15.30. You can skim the programme here.

Artifacts - April 19 2008 OWASP-TR Talk in Yildiz Technical University
Here are the presentations given by Bünyamin Demir and Yusuf Çeri at "Open Source Code Day" in Yildiz Technical University, OWASP-TR Presentation and SqlDemo Presentation respectively. We'd like to thank YTÜ Bilişim Kulubü for inviting us.

And never the least, here are the pictures taken during the day.

Talk in Open Source Code Day in Yildiz Technical University
We'll be giving a talk in "Open Source Code Day" about OWASP and OWASP/Turkey in Yildiz Technical University on 19th of April 2008. The talk will include an introduction to OWASP, OWASP/Turkey, web/application security community in Turkey, the 1st OWASP Day video by Jeff and a live application insecurity demo.

The Day will start at 09:30 and our talk will be the last one before the noon.

Artifacts - March 09 2008 Meeting
It was a nice Sunday in Istanbul and we had 16 people talking about SPoC 08, April OWASP Week and web application security in general. Here are the pictures taken during the meeting.

March 09 Meeting
A casual meeting for anyone interested in web/software security. It will take place in Istanbul, Kadikoy at 14:30, on 09 March. To chat and enjoy the Bosphorus!

Artifacts - Web Security Days Ankara & İzmir November 2007
Through a foggy, and therefore a hard flight, we've managed to realize Web Security Days 2 & 3 in Ankara and Izmir, respectively. Having a total of ~130 attendees (most of them in Izmir), we hope WSD to be traditional and become more qualitysome.

Presentations & Code & Photos:
 * Giris - Bedirhan Urgun
 * WGT Giris - Bünyamin Demir
 * ULAK-CSIRT Giris - Enis Karaarslan
 * Yazılım Geliştirme Sürecinde Güvenlik Testleri - Burak Dayıoğlu
 * Kurumsal Web Güvenliği Yapısı - Enis Karaarslan
 * Uygulamalarda Katmanlı Güvenlik Anlayışı - Tahsin Türköz
 * PHP ve Güvenli Kodlama - Oğuzhan Yalçın
 * Perl'de Guvenlik Modulu - Bünyamin Demir
 * Perl'de Guvenlik Modulu - Kod - Bünyamin Demir
 * Web 2.0 Savunma Dili: Javascript - Bedirhan Urgun
 * Photos - Bedirhan & Bünyamin

Next Event - 3rd Web Security Days İzmir - November 26 (Turkey 2007)
This event will be the third of "Web Security Days" and will take place on 26th of November 2007 in İzmir. The agenda of the event is here.

Next Event - 2nd Web Security Days Ankara - November 24 (Turkey 2007)
This event will be the second of "Web Security Days" and will take place on 24th of November 2007 in Ankara. The agenda of the event is here.

Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)
Presentations:


 * Turkish Subtitle for Jeff's OWASP Day Intro movie (delete .ppt extension)
 * OWASP2007_KamudaPrivacy.ppt‎
 * Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt

Discussion Answers:

Q1. What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1. During the meeting an effort was made to clarify the meaning of privacy; - what are the key items that builds up to "privacy"? - are we talking about the privacy of real people or should we also include the privacy of legal entities? - is there really a solid line (or even a vague line) between confidentiality and privacy? We defined privacy as confidentiality of the data; be it of a real person or a legal entity. But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions; The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2. Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2. Most of the participants agreed that a law is a necessity. But, maybe, more important thing is to raise the awareness of the customers. Here we also had a discussion on the current status of the law on privacy? There are mainly three documents on privacy in Turkish law; * a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer) * a draft law on privacy from Department of Justice, which is still in the process of approval * a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the   European Parliament and of the Council" on the data retention. This law, however, still needs a few directives, which are about to be published.

Q3. Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3. As a first step there should be an "agreement" presented to the user by the application side. This wouldn't be enough so there should be regular inspections (a third eye) on these services. About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is a domain serving, founded by the victims of online banking crimes in Turkey.

Q4. What should OWASP be focusing on?

A4. As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5. What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5. Some suggestions; . Printed booklets of Guide and Testing Guide. . OWASP CD with shiny labels . I'm afraid to say but... t-shirts

Q6. Should OWASP organize such 'OWASP Weeks' every quarter?

A6. OWASP should organize these events every 6 months or so :)

Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)
As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event (Web Security Days) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:


 * 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR


 * 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ Chief Researcher CC Lab-UEKAE TUBITAK


 * 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER Chief Researcher PRO-G


 * 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

Last Event - 1st Web Security Days - July 14 (Turkey 2007)
First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

For details...

Last Meetings
Sunday 6 May 2007 Time: 11:15-12:30

Address to the meeting are:

Middle East Technical University Ankara-Turkey

Presentation

Web Application Security with ModSecurity and OWASP