London

Thursday, November 8th 2012 (Central London)
Location: Morgan Stanley, 20 Bank Street, Canary Wharf, London E14 4AD

Talks

 * A Short History of The JavaScript Security Arsenal - Petko D. Petkov
 * In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.
 * This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.

the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.
 * The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana
 * The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to

Speakers

 * Petko D. Petkov
 * pdp is the founder and leading member of the GNUCITIZEN Information Security Think Tank. He is a recognised information security researcher, security tools developer, penetration tester, frequent speaker at industry events, and published author who has contributed to several best-selling books, numerous popular blogs and online magazines. pdp’s current endeavour is an ambitious project called Websecurify – a unique web application security testing toolkit designed with simplicity in mind. In his own words: "Websecurify is revolutionising the way we use web application security testing tools, opening a whole new world of possibilities".


 * Marco Morana
 * Marco Morana serves the OWASP organization as a project lead and member of the Global Industry Commitee. In his current professional role, Marco is a SVP at large Financial Institution in London, U.K. where he is responsible for managing information security governance, risk and compliance of architecturally significant programs globally. Marco's contributions to OWASP include the application threat modelling methodology of the OWASP secure coding guide, and the introduction to the security testing methodology and value the real risk section of the OWASP security testing guide. As project reviewer, Marco has contributed to reviewing the OWASP Source Code Review Project and the OWASP Security Analysis of Core J2EE Design Patterns Project. Marco has presented on the topic of software and application security at several local chapter meetings and OWASP organized conferences in the USA and Italy, as well as at the CSI and Blackhat security conferences. Marco's work on application and software security has been published in In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal as well as in DHS Software Security Assurance and is currently co-authoring a book on Application Threat Modelling and the Application Security Guide for CISOs.

RSVP
This meeting is free and open to all, however due to the venue we are holding the meeting at we need to have your name on the door for Morgan Stanley security to allow you in the building. Please RSVP at EventBrite to let us know you're planning on attending.

Meeting Sponsor
Refreshments for this meeting will be sponsored by Gotham Digital Science.

If your organisation is interested in sponsoring an upcoming chapter meeting, please email [mailto:justin.clarke@owasp.org Justin Clarke] for more details.

Future Events
Watch this space!

Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members)
Location: Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB

Time: 10:00am - 4:30pm

ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!

Thursday, March 29th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Jim Manico and Manish Saindane


 * Top 10 Web Defences - Jim Manico ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])
 * We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.
 * IronWASP - Manish Saindane ([[Media:IronWASP.pptx|PPTX]])
 * IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Viet Pham and Tobias Gondrom


 * ''Implementing cryptography: good theory vs. bad practice - Viet Pham ([PDF])
 * Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.


 * ''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([PDF])
 * "In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."

Thursday, February 2nd 2012 ,18:30-21:00
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Sarah Baso, Dinis Cruz, Dennis Groves


 * Security as Pollution (lessons learned) - Dinis Cruz
 * Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010


 * Making Security Invisible by Becoming the Developer's Best Friends - Dinis Cruz
 * Based on Dinis' presentation at OWASP AppSec Brazil 2011


 * How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
 * This is for students and developers who want to get into the application security space and need to have/show real-world experience.


 * What's Happening on OWASP Today - Sarah Baso
 * This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment

Thursday, September 8th 2011
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speaker: Daniel Cuthbert (deck)

Title: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.

Friday, June 3rd 2011
Location: Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Thursday, April 14th 2011
Location: Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.


 * Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit
 * Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future

Thursday, February 17th 2011
Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA

A special meeting event, in conjunction with London Geek Nights on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.

Archived Events
For events before 2011, see Archived OWASP London Events

Other Activities
The Leeds UK, London and Scotland Chapters joint response to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.
 * February 2010 - Personal Information Online COP

Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.
 * March 2009 - Entry for Nominet Best Practice Challenge 2009


 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).