Singapore

= Welcome to OWASP Singapore Chapter =

Welcome to the Singapore chapter homepage. The chapter leader is [mailto:ocwong@owasp.org Wong Onn Chee].

Click here to join the local chapter mailing list.

Participation
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership
Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?

= Upcoming Meetup =

May 2018 Meetup: Introduction to CVSS

Date: 21 May 2018, 7:30 pm to 9:00 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The Common Vulnerability Scoring System (CVSS v3) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as Low, Medium, High and Critical) to help organisations assess and prioritise vulnerabilities in their vulnerability management processes.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

2018
Apr 2018 Meetup: DevSecOps In Practice

Date: 18 April 2018, 7:30 pm to 9:00 pm (changed from 17 April)

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Software development is pressed for faster and faster release cycles at acceptable quality, budget and security. As movements like CI, CD and DevOps aim to cut down release cycles, it is security's job to help control the risk. The risk landscape is complex, as modern development practices consume more and more third-party code. Traditional methods do not cut it anymore; it is time for DevSecOps. This session gives an overview of how companies have implemented DevSecOps practices in their own delivery pipelines and how this can help increase developer awareness of the risks affecting them. We will walk through an example CI/CD pipeline and explore how security has been embedded in it, how the movement is shaping up and how standards are starting to follow suit.

Speaker: Cameron Townsend

Cameron Townshend BSc, MSysDev, MCP CP Snr, MCSD has extensive experience building large mission-critical applications. He was the initial project lead on the NSW Biosecurity Information System and developed the WeatherChannel.com.au website, which won the 2010 Kentico Site of the Year for Integration and the 2011 Astra award for Most Outstanding Use of Technology. He is both a hands-on developer and a skilled communicator and leader of project teams.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jan 2018 Meetup - 2 topics

Date: 25 January 2018, 7:30 pm to 9:00 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)

Application attacks continue to be the #1 source of data breaches. Why, after decades of effort and billions of dollars of security investment, are they still the #1 source of data breaches?

What are the discrepancies and inadequacies in the current security postures and AppSec technologies?

Limited context and visibility of the application under test or under protection produces inaccurate and erroneous results, which dramatically diminishes the effectiveness of current AppSec solutions and the productivity of development teams. This talk shares insights into innovative AppSec technologies such as IAST and RASP, which deliver unprecedented accuracy and speed for both application security testing and application runtime protection.

See how these revolutionary AppSec technologies are freeing scarce and valuable technical resources to be better allocated.

Speaker: Jeff Chen

Jeff is the VP of Contrast Security APAC. He started Parasoft Asia/Pacific in 2003 and managed the Parasoft APAC operation until 2012. He has extensive experience in Static Analysis, Unit Testing, Service Virtualization, Test Automation and SDLC processes. Prior to Parasoft, Jeff was involved with multiple Cyber Defense projects with Taiwan MND, representing Northrop Grumman's Network Early Warning Systems (NEWS), among others.

Topic B: "Hunt for Cold War-like Sleeper Malware"

In a short, 30-minute presentation, Onn Chee will walk through a case study of a Cold War-like malware which masqueraded as "goodware" and was actively used by users for more than a year without any adverse impact. Learn why the organisation's enterprise-grade sandbox and EDR solutions were not able to detect the sleeper malware. Just like Cold War sleeper agents who browsed the newspapers' classifieds every day for an activation code, the sleeper malware came alive after more than a year of use and wiped all user data on the users' endpoints. In the end, it was still the manual grunt work of investigation that identified this sleeper malware. A demo version of the malware was recreated and will be used to demonstrate the modus operandi of the sleeper malware.

(All identities - organisation, security products and malware - will be anonymised due to NDA)

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for 18 years.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

2017
August 2017 Meetup: APNIC Security Engagement in the AP Region

Date: 16 August 2017, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

APNIC Security Engagement in the AP region

APNIC is one of the 5 regional internet registries responsible for the allocation and registration of Internet number resources (IP addresses and AS numbers). In the last 3 years APNIC has been working with different stakeholders in the AP region to promote security best practices in areas like security incident handling and response. In addition to sharing his experience, Adli will also highlight some of the opportunities and challenges in the AP region.

Speaker: Adli Wahid

Adli Wahid is a Senior Internet Security Specialist at the Asia Pacific Network Information Centre (APNIC), based in Brisbane, Australia. He is responsible for APNIC's cyber security engagement and capacity building activities in the region. Adli is also a board member of the Forum of Incident Response and Security Teams (FIRST.org). Prior to joining APNIC, he was the Head of Malaysia CERT (MyCERT) and a member of Bank of Tokyo-Mitsubishi UFJ CERT (MUFG-CERT).

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

June 2017 Meetup - 2 topics
Date: 14 June 2017, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Cyber Technical Surveillance & Counter Measures (TSCM) – Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices

Traditional technical surveillance has changed from large audio and video eavesdropping devices heavily reliant on radio frequency to miniaturised devices that use cellular and wifi. You no longer need a static listening post nearby; the covert feeds can be accessed from anywhere in the world through cheap, readily available technology.

This talk will look at how the world of technical surveillance has changed, why it uses cellular and wifi, what a cyber TSCM is, the gaps in current IT penetration tests, and how 5G will accelerate the threat.

Speaker: Jason Wells

Jason is the CEO of QCC Global (Asia), a company that specialises in Technical Surveillance and Counter Measures (TSCM) and Digital Forensics.

His 30 years of experience spans public and private sector from leading the:

- Global team for Business Risk & Control Management within HSBC Financial Crime & Regulatory Compliance,

- Corporate Security & Anti Illicit Trade Manager in British American Tobacco in the Middle East,

- UK military attaché in Damascus, Syria or the Head of Overseas Intelligence team for the British SAS, special forces

With an honours degree in IT, a CISSP qualification and postgraduate diplomas in Security & Risk Management and Anti Money Laundering, Jason has both extensive experience and technical expertise.

Topic B: Singapore Threat Brief

The threat environment on the Internet is a constantly evolving arms race, and the activities of adversaries vary greatly by geography, industry and even individual website. As a result, security managers often seek the latest attack information relevant to their specific country and industry in order to predict what they should look for in the present and how attacks will evolve in the future. The Singapore threat report serves to inform approaches for security professionals to improve their defensive posture.

2nd Speaker: Dawson Sewo (CISSP, ITIL, CCSK) – Senior Enterprise Security Architect, Akamai Technologies Asia-Pacific & Japan

As an Enterprise Security Architect at Akamai, Dawson focuses on network security and application security. He has more than 16 years of IT and security experience working in telco, managed hosting and cloud security companies. He has also obtained numerous certifications in the areas of network, hosting and security.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

March 2017 Meetup: "Have I been pwned?" and "Your Arsenal to bypass restrictions"
Date: 28 March 2017, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Have I been pwned?

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases have been compromised in breaches such as Duowan, Taobao and Tianya. Maltego is a link analysis application for technical infrastructure and/or social media networks drawn from disparate sources of Open Source INTelligence (OSINT). Maltego is listed in the Top 10 Security Tools for Kali Linux by Network World and the Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego presents these breaches in an easy to understand graph format that can be enriched with other sources of data.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Topic B: Your Arsenal to bypass restrictions based on IP counters

PyMultiTor tool – Many mitigation devices (FW, WAF, Anti-DoS) detect attacks based on a single IP address that sends many requests. The tool demonstrates that such protection alone is not enough. It is unique because it is easily integrated into any attacking tool written in Python.
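The weakness the talk exploits is easy to reproduce on the defensive side. The following is an added example (not the talk's or PyMultiTor's code): a sliding-window rate limiter that can be keyed on any request attribute, run over a constructed request stream in which the source address changes on every request, as it does when each request leaves through a different Tor circuit. The same threshold is applied to a counter keyed on source IP, on IP plus account, and on the targeted account alone. Addresses come from the 203.0.113.0/24 documentation range; the account and session values are placeholders.

```python
"""Per-source-IP counters versus distributed sources.
Added example (not from the talk or the PyMultiTor project): a sliding-window
rate limiter keyed on an arbitrary request attribute, run over a constructed
request stream whose source IP changes on every request. 203.0.113.0/24 is a
documentation range; account and session values are placeholders."""
import collections
import ipaddress


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = collections.defaultdict(collections.deque)

    def allow(self, request: dict) -> bool:
        key = self.key_fn(request)
        q = self.hits[key]
        now = request["t"]
        while q and now - q[0] >= self.window:   # evict hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rotating_ip_attack(total: int = 600, exit_ips: int = 100, interval: float = 0.5) -> list:
    """One attacker hitting one account at 2 req/s with a new exit IP every request."""
    base = int(ipaddress.IPv4Address("203.0.113.0"))
    pool = [str(ipaddress.IPv4Address(base + i)) for i in range(exit_ips)]
    return [
        {"t": i * interval, "ip": pool[i % exit_ips], "path": "/login",
         "account": "victim@example.com", "session": "sess-constructed-0001"}
        for i in range(total)
    ]


def blocked_count(requests: list, key_fn, limit: int = 50, window: float = 60.0) -> int:
    """Number of requests a limiter with this key would have refused."""
    limiter = SlidingWindowLimiter(limit, window, key_fn)
    return sum(0 if limiter.allow(r) else 1 for r in requests)


def compare_keys(requests: list, limit: int = 50, window: float = 60.0) -> dict:
    """Same threshold (50 per 60 s), three different counter keys."""
    return {
        "ip": blocked_count(requests, lambda r: r["ip"], limit, window),
        "ip_and_account": blocked_count(requests, lambda r: (r["ip"], r["account"]), limit, window),
        "account": blocked_count(requests, lambda r: r["account"], limit, window),
    }


if __name__ == "__main__":
    reqs = rotating_ip_attack()
    print(compare_keys(reqs))   # {'ip': 0, 'ip_and_account': 0, 'account': 350}
```

With 100 exit addresses each source sees six requests in five minutes and the per-IP counter never trips, and including the IP in a composite key does not help. Keyed on the attribute the attacker cannot rotate cheaply, the targeted account, the same limiter refuses 350 of the 600 attempts. Per-IP throttling is still worth having, but it has to sit beside counters on account, session or device identity.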

Speaker: Tomer Zait

Tomer Zait, from F5 Labs (part of F5 Networks), has worked in a range of professions in the security industry (WAF integrator, penetration tester, application security engineer, security researcher, etc.). During this time he has developed open source projects, most of them security tools. Tomer is a three-time winner of the Israeli Cyber Challenge (CTF). His projects include x64dbgpy, PyMultitor, SubDomain-Analyzer, AutoBrowser and phantom-requests.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Attacker’s Perspective of Active Directory
Date: 28 Feb 2017, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

This talk is a compilation of Red Team’s Tactics, Techniques and Procedures to fully compromise an Active Directory environment. The emphasis will be on post-exploitation techniques that attackers/red teamers have been abusing for years, however they were not well documented until recent years. Apart from offensive techniques, mitigation and detection methods will be covered as well.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Sunny Neo

Sunny is a Penetration Tester with BT Security, Ethical Hacking Centre of Excellence, a global team that performs security testing for various industries. Besides his day job, he teaches Ethical Hacking at Temasek Polytechnic as an Adjunct Lecturer, and is one of the CREST Assessors in Singapore. He is certified with CCT APP, OSCE, OSCP and GXPN. He has over a year of working experience.

2016
Conducting Threat Modeling in Agile Development

Date: 14 Dec 2016, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

With the increasing demand for continuous application delivery in fast-paced application development methodologies, we also see rapid change in security verification and validation activities. In the same way, traditional threat modelling has to be adapted to fit into an agile development culture. This session will focus on how we can introduce automation and repeatability into the threat modelling process and identify the threats to the application, and how we can map the threat modelling outputs to security requirements to give the release manager or product owner better visibility of the possible business risk.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Suman Sourav

Suman has more than a decade of experience in designing software security defense programs and is passionate about integrating security into the development life-cycle. He has worked with various financial and non-financial institutions to implement a software security life-cycle.

Suman believes in a purpose driven life, acting with integrity, honesty, and honour. Professionally he looks to add value to his skills by reaching out, learning, and building relationships with those in his community, as well as promoting those he believes in.

His complete profile is available on http://www.sumansourav.com

Ransomware in Web Apps

Date: 5 Dec 2016, 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In recent years, ransomware has become a major problem for individuals and enterprises alike. A large attack surface, low barriers to entry and good rewards make it a very attractive option for attackers. We are already seeing hackers try out new infection vectors like social media (http://www.digitaltrends.com/computing/locky-ransomware-self-downloading-image-files/) and targets like IoT and PoS systems (http://www.theverge.com/2016/11/27/13758412/hackers-san-francisco-light-rail-system-ransomware-cybersecurity-muni). In this talk, we will demonstrate and show PoC exploits on how ransomware can move up the stack from desktop apps to enterprise apps using a novel attack vector of library dependencies and package managers. Protecting and securing your software supply toolchain is going to be of paramount importance against such threats.
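The control that blunts the "malicious dependency via the package manager" vector described above, and the kind of gate the DevSecOps pipeline session earlier on this page talks about embedding in CI, is to install only exactly pinned versions whose file digests were recorded at lock time. The following is an added example written for this page (it is not code from the talk, SourceClear or pip); it mirrors the shape of pip's hash-checking mode (`--require-hashes`) and rejects anything unpinned, hash-less, tampered or not in the lockfile. The package name `examplepkg`, its file bytes and the lockfile text are constructed for illustration.

```python
"""Hash-pinned dependency verification: the control that stops a tampered or
substituted package from entering a build (the shape of pip's hash-checking mode,
`--require-hashes`, and of lockfile-based installs in other ecosystems).
Added example; not code from the talk, SourceClear or pip. The package name
'examplepkg', its file bytes and the lockfile text are constructed."""
import hashlib
import re

# name==version, optionally followed by --hash=algo:hexdigest options.
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def parse_lockfile(text: str) -> dict:
    """Parse requirements text with backslash continuations into
    {name: {"version": v, "hashes": {(algo, digest), ...}}}.
    Rejects anything not pinned to an exact version with at least one hash."""
    logical = text.replace("\\\n", " ")          # join continuation lines
    entries = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError("unpinned or malformed requirement: %r" % line)
        hashes = {(h.group("algo"), h.group("digest")) for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError("no --hash for %s: refusing an unverifiable package" % m.group("name"))
        entries[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return entries


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_artifact(name: str, data: bytes, lock: dict) -> bool:
    """True only if the downloaded bytes match one of the pinned hashes.
    Several hashes per requirement are normal (wheel + sdist, several platforms)."""
    entry = lock.get(name.lower())
    if entry is None:
        return False                          # not pinned at all: never install silently
    return any(digest(data, algo) == d for algo, d in entry["hashes"])


def generate_lockfile(known_good: dict) -> str:
    """Produce the lockfile from known-good distribution files, the way
    `pip-compile --generate-hashes` or `pip hash` would at lock time."""
    lines = []
    for name, (version, files) in known_good.items():
        lines.append("%s==%s \\" % (name, version))
        lines.extend("    --hash=sha256:%s \\" % digest(f) for f in files)
        lines[-1] = lines[-1][:-2]            # last option carries no continuation
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Lock on good files; later verify a good file, a tampered one and an unknown name."""
    good_wheel = b"PK\x03\x04 constructed wheel bytes for examplepkg 1.0.0"
    good_sdist = b"\x1f\x8b constructed sdist bytes for examplepkg 1.0.0"
    lock = parse_lockfile(generate_lockfile({"examplepkg": ("1.0.0", [good_wheel, good_sdist])}))
    tampered = good_wheel + b" one appended byte changes the digest"
    return {
        "good_wheel": verify_artifact("examplepkg", good_wheel, lock),
        "good_sdist": verify_artifact("ExamplePkg", good_sdist, lock),
        "tampered": verify_artifact("examplepkg", tampered, lock),
        "unknown_package": verify_artifact("examplepkg-helper", good_wheel, lock),
    }


if __name__ == "__main__":
    print(demo())
    # {'good_wheel': True, 'good_sdist': True, 'tampered': False, 'unknown_package': False}
```

The two `ValueError` paths matter as much as the hash comparison: a version range (`>=`) or a pin without a hash is exactly what lets a newly published, attacker-controlled release or a look-alike mirror slip into the build, so the installer must fail closed rather than fall back to an unverified download.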

Food and drinks are provided, courtesy of Akamai!

Speaker: Mark Curphey

Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O'Reilly.

Data Exfiltration over DNS

Date: 12 July 2016 7 pm to 9 pm

Venue: BridgingMinds Network, 190 Middle Road, #12-10/11 Fortune Centre, Singapore 188979

Come and join us to learn how data can be leaked via DNS. Learn how such techniques can bypass NGFW and watch a live demo of how such attack can occur. The speaker will also walk through actual case studies of past incidents.
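The mechanism the talk demonstrates, and the traffic pattern a defender can look for, in one added example written for this page (it is not material from the talk). The encoder splits data into base32 labels under an attacker-controlled domain, the decoder is what the attacker's authoritative name server would run, and the detector scores resolver-log lines by the number, length and entropy of distinct subdomains a client sends to one registered domain. `exfil.example` is a placeholder domain and the log lines are constructed, not captured traffic.

```python
"""DNS exfiltration and a detection heuristic.
Added example, not material from the talk: it shows how data is carried in the
labels of outbound queries and why long, numerous, high-entropy subdomains to a
single domain give it away. 'exfil.example' is a placeholder domain and the
query log lines are constructed, not captured traffic."""
import base64
import collections
import math
import random
import re

MAX_LABEL = 63      # RFC 1035: a label is at most 63 octets
MAX_NAME = 253      # practical limit for a full domain name in text form


def encode_chunks(data: bytes, domain: str, chunk_bytes: int = 30) -> list:
    """Turn `data` into query names of the form <seq>.<base32-chunk>.<domain>.
    base32 is used because DNS is case-insensitive, so base64 would not survive
    resolvers that canonicalise case. 30 bytes -> 48 base32 characters (< 63)."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        label = base64.b32encode(data[off:off + chunk_bytes]).decode().rstrip("=").lower()
        name = "%d.%s.%s" % (seq, label, domain)
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names: list, domain: str) -> bytes:
    """What the attacker's authoritative server does: reassemble in sequence order."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        padded = label.upper() + "=" * (-len(label) % 8)   # restore base32 padding
        parts[int(seq)] = base64.b32decode(padded)
    return b"".join(parts[i] for i in sorted(parts))


# ---- detection side: run over resolver / firewall query logs ----------------

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")   # timestamp client qtype qname


def registered_domain(qname: str) -> str:
    """Last two labels. A production tool would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(s: str) -> float:
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def detect_exfil(log_lines, min_unique=10, min_avg_len=20, min_entropy=3.0) -> list:
    """Flag (client, domain) pairs with many distinct, long, high-entropy subdomains."""
    per_pair = collections.defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        per_pair[(client, registered_domain(qname))].add(qname.lower().rstrip("."))
    suspects = []
    for (client, dom), names in per_pair.items():
        if len(names) < min_unique:
            continue
        subs = [n[:-len(dom) - 1] for n in names if n != dom]
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": dom, "unique_names": len(names),
                             "avg_sub_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return suspects


def sample_secret(n: int = 700) -> bytes:
    """Deterministic pseudo-random payload standing in for a stolen file (constructed)."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_sample_log(exfil_names: list) -> list:
    """Constructed log: ordinary lookups from one host, then the encoded queries."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.com", "login.example.com"]
    lines = ["2016-07-12T19:00:%02dZ 10.0.0.5 A %s" % (i % 60, q) for i, q in enumerate(benign * 10)]
    lines += ["2016-07-12T19:10:%02dZ 10.0.0.5 TXT %s" % (i % 60, q) for i, q in enumerate(exfil_names)]
    return lines


if __name__ == "__main__":
    secret = sample_secret()
    queries = encode_chunks(secret, "exfil.example")
    assert decode_chunks(queries, "exfil.example") == secret
    for hit in detect_exfil(make_sample_log(queries)):
        print(hit)
```

Two caveats a practitioner would add. The heuristic is per registered domain, so it does not distinguish an attacker's domain from legitimate services that also emit long random-looking labels (CDNs, anti-virus cloud lookups, DNS-based telemetry); those need an allow list. And a slow, low-volume channel stays under `min_unique` per log window, which is why egress DNS should be forced through resolvers you log rather than allowed directly to the Internet.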

Food and drinks are provided. ;-)

Speaker: Yeo Deng Jie (DJ)

Starting off as a military-based SOC operator, DJ carries with him over 10 years of network security experience working with leading companies like AlgoSec, Palo Alto Networks and Infoblox. With cyber defense always at the top of his mind, he has provided network security assessment workshops for many organisations in ASEAN and reviewed their network security posture for vulnerabilities. On a few occasions, DJ was called back by the organisation when the security gaps he had highlighted were subsequently exploited by attackers. At Infoblox, DJ focuses on data leakage over DNS and defence against DNS DDoS and exploits, which are some of the least addressed security gaps in many organisations today.

2015
Learn Web Attacks using OWASP WebGoat, A Demo

Date: 15 Dec 2015 7:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

A lot of us talk about various security attacks on the web, but do we actually know how they are done in real time and where the problem in the code is? This demo will showcase how attackers misuse web applications to bypass security controls. The following attacks will be covered in the demo:

1. Path Traversal attack

2. Bypassing functional access control

3. Bypassing data access control

4. AJAX security loopholes (DOM injection, XML injection, JSON injection, silent transaction attacks)

5. Cross Site Scripting (Reflected, Stored and DOM based)

6. SQL Injection (numeric and string based)

7. Malicious file uploads and impact on back-end servers

This is purely a demo and doesn't involve any PPT. So, this is only for technical people.

Speaker: Viswanath S Chirravuri

Viswanath has over 10 years of experience in Software Security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He holds industry certifications including CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on its Identity and Access Management suite of products. Over the past few years, he has been giving training on various SAST and DAST tools to application security engineers across different industries.

Security In The World Of CI-CD

Date: 26 Nov 2015, 7:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. These principles help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day.

In the same vein, the practice of continuous delivery further extends CI by making sure the software checked in on the mainline is always in a state that can be deployed to users and makes the actual deployment process very rapid.

So, in this rapid world of CI/CD, with a highly scalable and highly portable software landscape serving heavily used web apps, the security landscape has reached a cutting-edge point.

This talk will focus on how to position security in this fast-paced world, covering most of the security verticals.

Speaker: Aniket Kulkarni

Aniket has more than a decade of software security experience spanning QA, development and architecture. Currently he works as a Software Security Architect (Big Data / Cloud / Mobile / Web) in Autodesk Singapore R&D, one of the world-class design software companies.

For more information about Aniket, connect with him on LinkedIn: https://sg.linkedin.com/pub/aniket-kulkarni/10/653/202, and he will be happy to interact with you on various security-related discussions.

OWASP Zed Attack Proxy Advanced Features - A Demo

Date: 29 Sep 2015 7pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. Over the past few years it has grown significantly in popularity, features and contributions from engineers worldwide, as it comes straight out of the OWASP community, is absolutely free of cost and, most of all, is easy to use. This demo-based training session covers the basic and advanced features of ZAP, which will enable application developers to understand and automate the tool's usage, application testers to perform security tests, and security engineers to provide consultation on best practices for using the tool.

Speaker: Viswanath S Chirravuri

Viswanath has over 10 years of experience in the IT Security space. Currently he is a Software Security Architect for the Asia region at a leading digital security company, GEMALTO. He holds industry certifications including CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on its Identity and Access Management suite of products. Over the past 3 years, he has been giving training on various SAST and DAST tools to application security engineers in the financial services and telecommunications industries.

Introducing Application Security in Your Organization - Think Like a Developer

Date: 22 Jan 2015 7pm

Venue: SR10 (Seminar room 10), COM1 Building #02-10, 13 Computing Drive, NUS, Singapore 117417

In this session, the speaker, Sandeep Nain, from HP Australia and a former co-lead from OWASP Melbourne Chapter, will cover the following topics:

1. How to build secure development lifecycle for development teams using modern software development methodologies

2. Challenges of enforcing secure development lifecycle at an enterprise scale

3. Reasons why most application security programmes fail and how we can collaborate with development teams for easier enterprise adoption

Come join us for our 1st 2015 meetup which comes with free pizzas and soft drinks, courtesy of HP Fortify.

PS: Please take note of our new meeting place in NUS.

2014
Mobile Security

Date: 21 October 2014 7pm

Venue: Cavenagh Room, UOB Conference Suite, Basement 1 Tower 2, One Raffles Place, Singapore 048616

In this session, our fellow OWASP member, Cecil Su, will share the current mobile security threat landscape. Coupled with this, he will also share some of the challenges in the mobile application assessment process, as well as address some of the existing methodologies and frameworks for secure coding and security testing of mobile applications.

Cecil is a 24-by-7 OWASP Evangelist. However, Mondays to Fridays, he works with the Professional Security Services team in a pure-play local InfoComm Security firm. Extra-curricular activities include the Honeynet Project, OWASP and AISP.

PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.

Information Security Seminar (ISS) 2014

Date: 26-27 August 2014

Venue: Marina Bay Sands Convention Centre

The Information Security Seminar is an annual event held since 2008 to provide thought leadership on infocomm security as well as to promote greater understanding of the key infocomm security issues and challenges faced by public and private sector organisations. This event is jointly organised by the Infocomm Development Authority (IDA), the Association of Information Security Professionals (AiSP) and the Cyber Security Awareness Alliance (CSAA) to amalgamate expertise, resources and communication channels in reaching out to both the public and private sector organisations.

The theme for the 2014 Seminar is “Security of Our Cyber Environment – Challenges of the Mobile Workspace”, which centres on sensitising the Public and Private sectors on the need to heighten vigilance in securing organisations’ digital information, and to build capabilities to prepare against ever evolving infocomm security threats. With the advent and adoption of new technology trends such as mobility, cloud computing and big data management, organisations need to be guarded against their inherent security risks, such as data loss, that may result due to improper infocomm security management. The seminar will discuss on the areas of security considerations and means to secure these technologies from exploits.

The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.

For paid OWASP members, you are entitled to two complimentary seminar passes on a first-come-first-served basis. Thereafter, you are entitled to a 10% discount off the list prices.

Please email me to register.

Do sign up soon and see you at ISS 2014!

2nd July Meetup with 2 speakers 

Date: 21 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

Come and hear from 2 great speakers in this meetup, which comes with free pizzas and soft drinks, courtesy of Checkmarx.

Our first speaker is familiar to us - Arshad Noor. He will be presenting on "A technical introduction to FIDO - Is the age of simple consumer-oriented strong authentication finally arriving?"

The 2nd speaker is Kobi Tzruya, Director of Pre/Post Sales in Checkmarx. He will be sharing on 2 case studies on source code review with focus on technical resolution challenges.

Many thanks to Dick and Prudential for providing the venue for our chapter evening again!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) by 20 July 2014, 7:30 pm at the latest.

See ya!

OWASP Top 10 Proactive Controls

Date: 4 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

You have heard of the OWASP Top 10 Web Application Risks. Now, hear about OWASP Top 10 Proactive Controls to learn about active steps you can take to avoid the common web application risks.

The speaker is Jim Manico, a member of the OWASP Global Board. He is the lead behind the excellent OWASP Cheat Sheets, on top of many other OWASP projects that he leads. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has an 18+ year history of building software as a developer and architect.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings! In such short notice too!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) by 4 July 2014, 12:30 pm at the latest.

See ya!

Covert Redirect Vulnerability

Date: 18 June 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Wang Jing, will share on the following:

Unvalidated Redirects and Forwards, also known as Open Redirect, is on the OWASP top 10 list in 2010 and 2013. One repercussion of the vulnerability is that it can be used for phishing attacks. According to Kaspersky, in 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012. This presentation introduces a new kind of attack, Covert Redirect. The name is derived from and to contrast with Open Redirect. Covert Redirect could affect those who use OAuth 2.0 and OpenID to “login” websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and many others. We will then simulate a Covert Redirect attack and provide some precautionary steps that companies can take to ensure security.
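The provider-side mistake behind Covert Redirect is validating `redirect_uri` loosely, typically "any URL on the client's registered host", so that an open redirector on the client site becomes a path from the provider to the attacker. The example below is added for this page and is not the speaker's code: it puts the loose check beside an exact-match check and follows an implicit-grant token through a modelled open redirector to see which host ends up holding it. The hostnames `client.example` and `evil.example`, the client id and the token are placeholders.

```python
"""redirect_uri validation at an OAuth 2.0 / OpenID provider: the loose,
domain-level check that Covert Redirect abuses, beside an exact-match check.
Added example, not from the talk: the hostnames client.example and evil.example,
the client id and the token value are placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit

# What the client registered with the provider: exact URIs, not just a host.
REGISTERED = {"client-123": {"https://client.example/oauth/callback"}}


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Weak rule: any https URL on a registered host is accepted."""
    u = urlsplit(redirect_uri)
    return u.scheme == "https" and any(
        urlsplit(r).netloc == u.netloc for r in REGISTERED.get(client_id, ()))


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against pre-registered URIs (RFC 6749 section 3.1.2.3)."""
    return redirect_uri in REGISTERED.get(client_id, ())


def open_redirector(url: str) -> str:
    """Model of a /redirect?url=... endpoint on the client site that 302s to
    whatever `url` says. Browsers carry the original URL's fragment over to a
    Location header that has none, so #access_token=... survives the hop."""
    u = urlsplit(url)
    target = parse_qs(u.query).get("url", [None])[0]
    if target is None:
        return url
    if u.fragment and "#" not in target:
        target += "#" + u.fragment
    return target


def implicit_flow(client_id: str, redirect_uri: str, validator, token: str = "tok-constructed-7"):
    """Implicit grant: the provider validates redirect_uri, then sends the browser
    there with the token in the fragment. Returns the host that finally receives
    the token, or None if the provider refused the redirect_uri."""
    if not validator(client_id, redirect_uri):
        return None
    landing = redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})
    # On the client site, /redirect is the open redirector; other paths are ordinary pages.
    final = open_redirector(landing) if urlsplit(landing).path == "/redirect" else landing
    return urlsplit(final).netloc


if __name__ == "__main__":
    attack = "https://client.example/redirect?url=https://evil.example/collect"
    print("loose :", implicit_flow("client-123", attack, loose_check))   # evil.example
    print("strict:", implicit_flow("client-123", attack, strict_check))  # None
```

Exact matching also closes the path-normalisation variants (`/oauth/callback/../redirect`), since no normalisation happens before the comparison. The client still owes its users a fix for the open redirector itself; but with exact matching at the provider, that bug no longer leaks tokens issued for the client.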

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 June 2014.

See ya!

OWASP Cornucopia

Date: 23 April 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Bringing fun into threat modelling. Based on Microsoft's Escalation of Privilege (EoP) threat modelling card game, OWASP has designed this card game into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide and other sources. We will also have a few card decks to show and share.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Tobias Gondrom, OWASP Global Board Member

Tobias Gondrom has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardisation organisations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 22 April 2014.

See ya!

HTML5 Security

Date: 12 March 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Aatif Khan, will share on the following:

HTML5 has several new components like XHR Level 2, DOM, Storage, App Cache, WebSQL, etc. All these components form the underlying backbone of HTML5 applications and by nature they operate very silently. This allows crafting stealthy attack vectors and adds risk on the client side. The enlarged attack surface exposes the browser-side components of an application to a set of threats that can be exploited. The talk will present a top-10 list of threats where new HTML5 features, together with emerging software development patterns, have a significant impact.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Aatif Khan. Aatif Khan, Application Security Evangelist, has delivered highly technical security training for conferences, universities and corporate clients such as Bank of America, Verizon, Amazon, Google and Yahoo, to excellent reviews. He is also one of the founding members of HDCRB (Hack Defense Certification Review Board). Aatif consults on application security, specialising in security assessments/penetration testing, infosec training, and reverse engineering/malware analysis.

Apart from seven years of application security consulting, he has also worked with defence personnel and cyber crime police officials, and has delivered more than 2000 hours of information security training to IT security professionals and government agencies. He has authored the books "Ethical Hacking", "Advance Penetration Testing" and "Backtrack Starter Manual", published by Packt Publications, UK.

He is known for designing an advanced course on "Advance Penetration Testing", with its own lab book and lab exam, which has received strong feedback from leading security experts. You can find out more about him here - facebook.com/thenapsterkhan

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 11 March 2014.

See ya!

2013
Managing Web & Application Security with OWASP – bringing it all together

Date: 18 July 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. A journey through different organisational stages and how OWASP tools help organisations moving forward improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 July 2013.

See ya!

Wordpress (In)Security: How hackers bypassed manual defacement monitoring

Date: 30 May 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

In this presentation, the speaker, Onn Chee, will share on the following:

Onn Chee will walk through a case of web defacement of Wordpress by hackers which outwitted the manual defacement services offered by managed security services providers.

He will also share some tips on how to better secure Wordpress deployments.

If you are running Wordpress, come and share your experiences and security tips too.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 29 May 2013.

See ya!

Bypassing Local Microsoft Security Policies

Date: 28 Feb 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st meetup of 2013!

In this presentation, the speaker, Paul Craig, will share on the following:

Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies and AppLocker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempts, these technologies can be troublesome and frustrating, and they restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.

Speaker Profile

Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled "A malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 28 Feb 2013.

See ya!

2012
AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 14 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 7th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Ryan Baxendale will share on these topics:

- Tips and tricks for hacking Microsoft SharePoint sites.

- Taking advantage of administrative interfaces to get shell.

- Breaking end to end encryption implemented in JavaScript.

- Weak two factor authentication and how to get around it.

- Abusing poorly designed password reset functions to get admin access.

- Bypassing a web application firewall.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 12 Nov 2012.

See ya!

AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 7 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 6th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Onn Chee will share some latest discoveries of web attacks and walk through a short 30-min introduction to the IT impact of the new Singapore Personal Data Protection Act.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 5 Nov 2012.

See ya!

AISP-OWASP: WAFs - An attacker's perspective

Date: 29 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 5th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernhard will look at the effectiveness of WAFs from the perspective of a long-time security tester.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 26 Oct 2012.

See ya!

AISP-OWASP: Dynamic Web Defense

Date: 22 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 4th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernard, will share on the latest developments in dynamic web defense techniques used by WAFs.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 Oct 2012.

See ya!

AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks

Date: 3 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 3rd session of the joint AISP-OWASP series of chapter evenings!

It has long been rumoured that the Chinese government has an army of trained hackers to carry out national-level attacks. Taiwan, despite being China's closest neighbour in terms of language and culture, has become a convenient target and constant victim because of its opposing political stance.

As Taiwan has been moving towards e-government since 2005, this has forced the Taiwanese government to strengthen its IT security, especially application security.

In this presentation, the speaker, Kae Bin, will share some of the common attacks that have been observed and how Taiwan responds to the constant bombardment from its friendly neighbour.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 1 Oct 2012.

See ya!

AISP-OWASP Joint Series: Security Testing with OWASP ZAP

Date: 18 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 2nd session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

12 Sep 2012

1) Use of OWASP ESAPI to defend against OWASP Top 10 Risks by Wong Onn Chee

18 Sep 2012

2) Use of OWASP ZAP to assess security of web application by Cecil Su

3 Oct 2012

3) Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks by Tan Kae Bin

11 Oct 2012

4) Dynamic Web Defense by Bernard Tan

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to secretariat@aisp.sg latest by 16 Sep 2012.

See ya!

AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks

Date: 12 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

12 Sep 2012

1) Use of OWASP ESAPI to defend against OWASP Top 10 Risks by Wong Onn Chee

18 Sep 2012

2) Use of OWASP ZAP to assess security of web application by Cecil Su

3 Oct 2012

3) Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks by Tan Kae Bin

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to secretariat@aisp.sg latest by 10 Sep 2012.

See ya!

HITBSecConf2012 - Malaysia: #TenYearsInTheBox

Date: 8th - 11th October

Venue: InterContinental, Kuala Lumpur, Malaysia

Website: HITBSecConf2012 Malaysia Portal

To commemorate TEN YEARS of playing host to the brilliant minds that have helped shaped the security landscape to where it is today, HITBSecConf2012 – Malaysia (#HITB2012KUL) will be welcoming back on stage over 42 of our most popular speakers from the last 10 years!

Here's your chance to meet the legends of the computer security industry, including the likes of John 'Captain Crunch' Draper, the founders of The Pirate Bay, Mikko Hypponen, DNS guru and president of ISC Paul Vixie, OpenBSD creator Theo de Raadt, and even members of the LEGENDARY iPhone Dev Team and jailbreak DreamTeam, who will be on hand for a very special iOS / OS X panel discussion featuring @MuscleNerd, @pod2g and @planetbeing, joined by none other than Charlie @0xcharlie Miller and Stefan @i0n1c Esser!

The event takes place on the 8th till 11th of October and as always we kick off the first two days with 8 tracks of hands on technical training sessions (8th and 9th October) followed by the 2-day triple track conference with NO KEYNOTES, NO LAB SESSIONS and NO SIGINT slots.

We’re also ramping up this year’s show by expanding on HITB favorites – including an expanded CommSec village with an updated round-the-clock 36 hour nonstop Capture The Flag competition and also an expanded 36 hour HackWEEKDAY hackathon to go with it. Registration for HackWEEKDAY is COMPLETELY FREE and we strongly encourage professional developers and students to sign up.

Do note that there will only be a maximum of 1010 seats for the conference on the 10th and 11th of October, and registration is already open. OWASP members are entitled to conference seats at SGD580 (normal price SGD640). The discount code is limited to the first 15 sign-ups on a first-come, first-served basis.

Register Online: HITBSecConf2012 Malaysia Registration

Please contact Onn Chee for the discount code. Do note only paid registered OWASP members are eligible for the discounts.

23 April 2012 meetup: Rethinking web-application architecture for the Cloud

Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls.

This talk presents an architecture for building the next generation of web-applications. This architecture allows you to leverage emerging technologies such as cloud-computing, cloud-storage and enterprise key-management Infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments – while proving compliance to PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this "Regulatory Compliant Cloud Computing (RC3)". Papers describing RC3 can be found on the following websites:

IBM: http://ibm.co/rc3dw

ISSA Journal: http://bit.ly/rc3issa

InfoQ: http://bit.ly/rc3infoq

StrongAuth: http://www.strongauth.com/pdf/RC3-WebAppArch-1.2-2.pdf
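The split the talk argues for, protecting only the data that matters and letting the cloud tier hold the rest in the clear, is easier to see in code than in prose. The block below is an added example written for this page; it is not code from the talk, from StrongAuth or from the RC3 papers, and the mechanism those papers use is not described on this page. It assumes a hypothetical in-memory KeyManager standing in for the enterprise key-management infrastructure (EKMI) the abstract mentions, and the type and function names (Customer, CloudRecord, Protect, Recover) are invented for illustration. Field-level AES-GCM from Go's standard library is used so that the record the cloud stores carries only a key ID and ciphertext for the sensitive field, with the record ID bound in as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// KeyManager stands in for the talk's EKMI; an in-memory map is an assumption made for this example.
type KeyManager map[string][]byte

// NewKey returns a fresh 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	return k
}

// Customer is the application's view of a record, with each field classified.
type Customer struct {
	ID    string
	Email string // treated as non-sensitive here: stored in the clear
	PAN   string // card number: sensitive, never reaches the cloud in the clear
}

// CloudRecord is what the cloud storage tier actually receives.
type CloudRecord struct {
	ID, Email string
	KeyID     string // reference to the key, never the key itself
	PANEnc    string // base64(nonce || AES-GCM ciphertext)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns base64(nonce || ciphertext), authenticating aad alongside.
func seal(key, plaintext, aad []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad)), nil
}

func unseal(key []byte, enc string, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	data, err := base64.StdEncoding.DecodeString(enc)
	n := gcm.NonceSize()
	if err != nil || len(data) < n {
		return nil, errors.New("malformed ciphertext")
	}
	return gcm.Open(nil, data[:n], data[n:], aad) // fails on any tampering
}

// Protect encrypts only the sensitive field before the record leaves the trusted
// zone. The record ID is bound in as AAD, so a ciphertext cannot be transplanted
// onto another customer's record without failing authentication.
func Protect(km KeyManager, keyID string, c Customer) (CloudRecord, error) {
	key, ok := km[keyID]
	if !ok {
		return CloudRecord{}, errors.New("unknown key id: " + keyID)
	}
	enc, err := seal(key, []byte(c.PAN), []byte(c.ID))
	if err != nil {
		return CloudRecord{}, err
	}
	return CloudRecord{ID: c.ID, Email: c.Email, KeyID: keyID, PANEnc: enc}, nil
}

// Recover reverses Protect inside the trusted zone, looking the key up by ID.
func Recover(km KeyManager, r CloudRecord) (Customer, error) {
	key, ok := km[r.KeyID]
	if !ok {
		return Customer{}, errors.New("unknown key id: " + r.KeyID)
	}
	pan, err := unseal(key, r.PANEnc, []byte(r.ID))
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: r.ID, Email: r.Email, PAN: string(pan)}, nil
}

func main() {
	km := KeyManager{"pan-key-1": NewKey()}
	// Constructed sample record; the PAN is a standard test card number.
	r, err := Protect(km, "pan-key-1", Customer{ID: "cust-0001", Email: "alice@example.com", PAN: "4111111111111111"})
	back, rerr := Recover(km, r) // only succeeds where the key is reachable
	fmt.Printf("cloud sees: %+v\nrecovered: %q (%v, %v)\n", r, back.PAN, err, rerr)
}
```

The point to take from the design is that the cloud tier never holds a key, only a key ID, so compromise of the storage tier yields the non-sensitive fields and opaque ciphertext; the sensitive field is only readable where the key manager is reachable. Binding the record ID as AAD is what stops a record being "re-homed" under another customer. Key rotation, access logging and separation of the key appliance from the application hosts are left to the EKMI and are not shown here.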

Speaker's Bio

Arshad is the CTO of StrongAuth, Inc., a Silicon Valley-based company focused on encryption and key-management for the last 11 years. He is the architect and lead developer of many open-source cryptographic software including CSRTool, StrongKey, KeyAppliance and the CryptoEngine. He has written many papers and spoken at many conferences - most recently at OWASP AppSec 2012 - on the subject of encryption and key-management.

Meetup details

Monday, April 23, 2012 7:00 PM

Prudential Assurance Company Singapore (Pte) Ltd

156 Cecil Street #10-00, Far Eastern Bank Building

Singapore 069544

Please RSVP at http://security.meetup.com/77

See ya!

2011
OWASP Singapore is a Supporting Organisation for Asia Cloud Conference 2011, scheduled to be held at the Grand Hyatt Hotel Singapore on 2 Nov 2011

The Asia Cloud 2011 Conference will provide insights and key learning to understand how your organisation can take advantage of cloud technologies. Leading industry practitioners will address emerging cloud technology trends, examine best practices for successfully integrating cloud technologies into the enterprise's infrastructure, and look at the various challenges in managing cloud performance in the enterprise.

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Priority will be given to those registered members who did not enjoy free complimentary passes before. Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

Note: Conference seats at this event are complimentary to senior-level end users of IT solutions. The fee for other professionals to attend this event is US$995. The Organizer reserves the final right to accept or reject any registrations.


OWASP Singapore is a Supporting Organisation for IDA's Information Security Seminar 2011 from 13-14 April 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

For other members, you too can enjoy discounted affiliate rates when you register.

Click here to know more about Information Security Seminar 2011


OWASP Singapore is a Supporting Organisation for Info Security Conference 2011 in Singapore on 5 May 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

Click here to know more about Info Security Conference Singapore


News
OWASP Moves to MediaWiki Portal - 11:31, 20 May 2006 (EDT)

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

The chapter leader is [mailto:ocwong@owasp.org Onn Chee].

Contact information for Onn Chee is as follows:

Mobile: (65) 9838 7930

Skype VOIP: ocwong

Email: ocwong@owasp.org

OWASP Singapore has combined its activities with the Singapore Security Meetup Group (SSMG) since Dec 2007

We are holding our regular joint OWASP-SSMG meetings on the 2nd Thursday of each month.

Do check out http://www.meetup.com/SGSecurityMG/ for the calendar of events.

For our past meetings, please check out http://www.meetup.com/SGSecurityMG/calendar/past_list/

For ease of management, updates on activities will be made on the http://www.meetup.com/SGSecurityMG/, though updates will still be sent to OWASP Singapore mailing list.

OWASP Singapore Get Together on 19:30, 9 Oct 2007 (SGT)

We will meet at Geek Terminal (http://www.geekterminal.com)

Address: 55 Market Street 01-01 Singapore 048941

Telephone No: +65 65570098

Nearest Carpark: Golden Shoe Carpark Nearest MRT: Raffles Place MRT

OWASP Singapore Nov Chapter Meeting on 19:30, 7 Nov 2007 (SGT)

Michael Boman will be presenting "Overcoming USB (In)Security"

Venue : GeekTerminal

OWASP Singapore Dec Chapter Meeting on 19:30, 13 Dec 2007 (SGT)

Venue : GeekTerminal

OWASP Singapore Jan Chapter Meeting on 19:30, 10 Jan 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Feb Chapter Meeting on 19:30, 14 Feb 2008 (SGT)

Venue : SODS, 51 Tras Street (We loved each other so much that we met on Valentine's Day!)

OWASP Singapore Mar Chapter Meeting on 19:30, 13 Mar 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Apr Chapter Meeting on 19:30, 10 Apr 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebGoat by Onn Chee and a Hacking demo by Johnny.

OWASP Singapore May Chapter Meeting on 19:30, 29 May 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebScarab by Rogan and Burp proxy suite by Rick.