London

Chapter Sponsors
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:

 

Meeting Sponsors
The following is the list of organisations who have generously provided us with space for OWASP London chapter meetings:

 

Thursday, 28th September 2017 (Central London) OWASP London Chapter Meeting

 * Call For Speakers is open. If you would like to present a talk on Application Security or related topic at this event please get in touch with OWASP London Chapter Leaders:

Call For Speakers
Call For Speakers is open - if you would like to present a talk on Application Security at future OWASP London Chapter events - please review and agree with the OWASP Speaker Agreement and send the proposed talk title, abstract and speaker bio to the Chapter Leaders via e-mail: owasplondon (at) owasp.org

Thursday, 27th July 2017 (Central London)
Live Stream Recording of this event can be viewed on Facebook here: https://www.facebook.com/OWASPLondon/videos/975849525891671/

This OWASP London Chapter meeting took place on Thursday, 27th July 2017 at 18:30

This event was kindly sponsored and hosted by Just Eat.

Location: Just Eat, Fleet Place House, 2 Fleet Place, London, EC4M 7RF

Nearest Tubes: St. Pauls (6-minute walk), Farringdon (10 minute walk)

Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).

Talks:

 * OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour


 * Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders ([[Media:OWASPLondon20170727_WelcomeTalk.pdf|PDF]])


 * So you thought you were safe using AngularJS? Think again! - Lewis Ardern  ([[Media:OWASPLondon20170727_AngularJS.pdf|PDF]])


 * AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. But while Angular adds much-needed features to the language, it also creates a handful of new security problems for developers to discover and work around. Lewis will walk you through an application that illustrates security issues discovered in real-world applications and will explain the problem with usable solutions.


 * Lightning Talk: OWASP Summit 2017 Outcomes - Dinis Cruz Sherif Mansour  (https://www.slideshare.net/owaspsummit/owasp-summit-debrief-v10-jun-2017)


 * Dinis Sherif will introduce the numerous outcomes delivered during the OWASP Summit 2017 workshops and brain-storming sessions and will discuss the next steps


 * Introducing the OWASP ModSecurity Core Rule Set (CRS) 3.0 - Christian Folini ([[Media:OWASPLondon20170330_ModSecurity_CRS_v3_Intro.pdf|PDF]]) (video)
 * The OWASP CRS is a set of generic attack detection rules for use with ModSecurity (or compatible) Web Application Firewall (WAF) that saw a new major release in November 2016. CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode.

Speakers:
Lewis Ardern
 * Lewis Ardern is a security consultant at Synopsys/Cigital, where he specializes in application security, red teaming, and network assessments. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen, which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security.

Christian Folini
 * Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian turned to defending web servers which he thinks equally challenging. With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling. Christian is a frequent committer to the OWASP ModSecurity Core Rules project (he is also the author of the Second Edition of the ModSecurity Handbook), vice president of Swiss Cyber Experts (a public private partnership), program chair of the Swiss Cyberstorm conference and many other things.

Dinis Cruz
 * Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.

Sherif Mansour
 * Sherif Mansour has been working in the field of Information Security for the last 13 years, and is currently leading the Software Security Program at JP Morgan Chase and prior to that he was leading the Application Security Program at at Expedia, Inc. Sherif has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter.

RSVP
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.

RSVP at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-27th-july-2017-630pm-tickets-33237474180

Thursday, 18th May 2017 (Central London)
The video recordings of talks from this event are now live on YouTube: OWASP London Chapter May 2017 Meeting Playlist

This OWASP London Chapter meeting took place on Thursday, 18th May 2017 at 18:30

This event is kindly sponsored and hosted by Worldpay

Location: Worldpay, The Walbrook Building, 25 Walbrook, London EC4N 8AF

Nearest Tubes: Bank (take exit 8 towards Walbrook) and Cannon Street (2-minute walk)

Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).

Talks:

 * OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour


 * Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders. Additionally Dinis Cruz will talk about OWASP Summit 2017 ([[Media:Owasplondon-20170518-welcome.pdf|PDF]]) (owaspsummit.org) (video)


 * Threat Modeling Against Payment Systems - Dr. Grigorios Fragkos  ([[Media:DrGFragkos-ThreatModeling-PaymentSystems-OWASP-2017-May-18.pdf|PDF]]) (video)


 * Payment systems are part of our everyday lives, with most of the transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation however, attempts to go a step further and asses payment systems from a hypothetical attacker's point of view, by undertaking at threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that it is possible to be used by attackers, while their activity remain unnoticed. One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly,


 * Lightning Talk 1: OWASP Top 10 2017 Changes - Dinis Cruz (https://www.slideshare.net/DinisCruz/owasp-top-10-2017-rc-comments-observations-and-ideas)


 * Dinis will update us on the latest OWASP Top 10 2017 Release Candidate, the proposed changes and the controversy surrounding the new A7.


 * Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM - Apostolos Giannakidis  ([[Media:OWASP-London-2017-May-18-ApostolosGiannakidis-JavaDeserializationTalk.pdf|PDF]]) (video)


 * A great number of Java applications utilize native Object Serialization to transfer or persist objects. Recently it has become popular the fact that the deserialization process in Java is flawed and if not used properly it can be easily abused by attackers. This talk provides an introduction and detailed overview of the problem of Java deserialization. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks using a completely different approach than any other existing solution.


 * Lightning Talk 2: Security solutions for developers who have no time for security - Edwin Aldridge (video)


 * Within a large organisation different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide an concise source of sound advice but they can still leave the development team with a lot to do. They can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach compared with OWASP Cheat Sheets.

Speakers:
Dr. Grigorios Fragkos
 * Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce. He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission critical infrastructures. Written the next generation SIEM as part of his PhD research with “notional understanding” of network event for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present in a number of security conferences, workshops and summits over the years, and he is also the main organiser for Security BSides Athens. Thinking ahead and outside-the-box when dealing with information security challenges is one the key characteristics of his talks.

Apostolos Giannakidis


 * Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.

Dinis Cruz
 * Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.

Edwin Aldridge
 * Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming

RSVP
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.

RSVP at Eventbrite: https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-18th-may-2017-630pm-tickets-33237461141

Thursday, 30th March 2017 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 30th March 2017 at 18:30 (we start on time!)

This event is kindly sponsored and hosted by The Telegraph Media Group.

Location: The Telegraph, 111 Buckingham Palace Road, London, SW1W 0DT

Nearest Tube: Victoria (3 minute walk)

Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).

Talks:

 * OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour ([[Media:OWASPLondon20170330_Welcome.pdf|PDF]])


 * Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.


 * Heroes vs Villains: Building an Application Security Program that Scales - Kevin Delaney ([[Media:KevinDelaney_OWASPLondon_03-30-2017.pdf|PDF]]) (video: https://www.youtube.com/watch?v=OS-6i1_eBNA)


 * Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although security teams try to follow the right application security practices, many applications are shipped with fragmented security. The most common denominator is the reliance on dynamic and static testing tools during the final stages of the lifecycle. In this session, learn about the benefits of building security during the requirements phase or the first stage of the software development lifecycle (SDLC).


 * Lightning Talk: Bypassing CSRF Protections: A Double Defeat of the Double-Submit Cookie - David Johansson ([[Media:David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf|PDF]]) (video: https://www.youtube.com/watch?v=2uvrGQEy8i4)


 * Double-Submit Cookie Pattern Protection against cross-site request forgeries (CSRF) is a popular option in stateless applications as it doesn't require the server to store a token value between requests. Instead, the server will verify a token value stored in a cookie against a request parameter. Unfortunately, many popular implementations of this defense pattern can be defeated by attackers and this talk will discuss the misconceptions and pitfalls that may render this protection insufficient. We will look at how the CSRF protection in an AngularJS application using the popular Express.js middleware csurf on the server-side can be defeated. We will also show the options for configuring it securely.


 * PostMessage Security in Chrome Extensions - Arseny Reutov ([[Media:OWASPLondon_PostMessage_Security_in_Chrome_Extensions.pdf|PDF]]) (video: https://www.youtube.com/watch?v=vWwobVQH6os)


 * PostMessage API is a known source of DOM XSS vulnerabilities on web sites. Browser extensions can use messaging too, and if an extension fails to handle incoming messages securely enough it may lead to a universal XSS. This talk will present an analysis of Chrome extensions that aimed at discovering vulnerabilities caused by insecure postMessage listeners in content scripts that are inserted by browser extensions into web pages. The research will demonstrate the examples of vulnerable Chrome extensions and explain the threats which they present to the end-users and how they can be mitigated.

Speakers:
Kevin Delaney
 * Kevin Delaney is an application security professional from Toronto, Canada. With diverse experience in software development, security, and enterprise IT, he takes personal pride in solving challenging security problems and helping businesses stay one step ahead of attackers.

David Johansson
 * David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).

Arseny Reutov
 * Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Research Team and Application Security Tools Development Unit at Positive Technologies Ltd where he specializes in information security issues, penetration testing and the analysis of web applications and source code. He is also the author of various security research papers and the security blog raz0r.name. Arseny has participated in various bug bounty programs and acknowledged by well-known software vendors. He was a speaker at ZeroNights, CONFidence, PHDays and other conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passion are modern web technologies and finding vulnerabilities in them.

Thursday, 26th January 2017 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 26th January 2017 at 18:30 (we start on time!)

This event was kindly sponsored and hosted by J.P. Morgan

Location: 6th Floor, JP Morgan, 60 Victoria Embankment, London, EC4Y 0JP

Nearest Tube: Blackfriars (2 minute walk)  NOTE: JPMorgan Visitor Entrance is not at the above address, but around the corner at John Carpenter Street - please go there upon arrival.

Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)

Talks

 * OWASP Introduction and News - Sam Stepanyan and Sherif Mansour ([[Media:OWASPLondon20170126_Welcome.pdf|PDF]])
 * Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders


 * Identities Exposed: How Design Flaws in Authentication Solutions May Compromise Your Privacy - David Johansson ([[Media:OWASP_London_2017-01-26_David_Johansson_Identities_Exposed.pptx|PPTX]]) (video: https://www.youtube.com/watch?v=KmchjwkYAOw)


 * Substantial effort has been put into the design of secure solutions for authenticating users. However, the privacy of end users has rarely been given as much attention in these solutions. This often leads to design flaws that let the identities of end users be exposed to parties they not necessarily intended to disclose it to. This talk will present a set of privacy requirements for protecting end users during authentication and show some examples of solutions where the end user’s privacy can be compromised because one or more of these requirements are not met. For example, we will see how design flaws in TLS client certificate authentication can be abused by attackers to identify users in both passive and active network attacks, and look at how the upcoming TLS 1.3 standard addresses this.


 * Lightning Talk - Introducing OWASP Summit 2017 - Francois Raynaud, Dinis Cruz  ([[Media:OWASPSummit2017.pdf|PDF]])
 * The organisers of this big event will introduce the tracks and the workshops being planned


 * OWASP-SAMM Maturity Models - Dinis Cruz  (video: https://youtu.be/n6R_pJh3l0w?t=1748)


 * Dinis will talk us through the open source tool he has been building for some time - the tool to perform and visualise the assessments using the OWASP Software Assurance Maturity Model (SAMM) and Building Security in Maturity Model (BSIMM).

Speakers
David Johansson
 * David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).

Dinis Cruz
 * Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

Francois Raynaud
 * Francois is the founder of DevSecCon a conference dedicated to DevSecOps, the fusion of Devops and Secops. He is actively involved in security automation projects supporting continuous delivery and currently working as the enterprise security architect for a global retailer preceded by 17 years at ASOS, Betfair, Verizon Business, HSBC and RSA where his consulting engagement spanned across implementing CERT teams, incident response strategy, security architecture design, IT security management and penetration testing.

RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

RSVP at Eventbrite:

https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-26th-january-2017-630pm-tickets-31043174972

Thursday, 24th November 2016 (Central London)
The next OWASP London Chapter meeting will take place on Thursday, 24th November 2016 at 18:30 (we start on time!)

The videos of talks from this event are available to watch on OWASP London YouTube channel: https://www.youtube.com/OWASPLondon

This event is kindly sponsored and hosted by Empiric.

Location: Empiric offices, 1 Old Jewry, London EC2R 8DN

Nearest Tube: Bank (2 minute walk)

Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)

Talks

 * OWASP Introduction and News - Sam Stepanyan and Sherif Mansour ([[Media:OWASPLondon20161124_Welcome.pdf|PDF]])
 * Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders


 * PCI - The View from the Bridge - Jeremy King ([[Media:OWASPLondon20161124_PCI_View_From_The_Bridge.pptx|PPTX]]) (video: https://www.youtube.com/watch?v=hapZzIKCP0I)


 * The International Director of the PCI Security Standards Council will take us on a journey around some wonderful sights of Europe using the images to reflect on and relate to the challenges and successes that we all face in protecting data. In his talk Jeremy will talk about the potential impact of Brexit on security and will discuss the latest changes in PCI DSS related to TLS, Multi-Factor Authentication and Secure Software Development Requirements.


 * Lightning Talk 1 - OWASP ZAP Official Jenkins Plugin walkthrough & Demo - Goran Sarenkapa ([[Media:OWASPLondon20161124_ZAP_Jenkins_Plugin_Intro.pdf|PDF]])
 * Goran will walk us through the steps to configure and use the new Official ZAP Plugin for Jenkins and will demo a test run with generated HTML reports.


 * Lightning Talk 2 - myBBC Security Council - What It Means To You - Shane Kelly  ([[Media:OWASPLondon20161124_SecurityCouncil.pptx|PPTX]])


 * Shane will talk about myBBC Security Council and how it demonstrates an organisational approach towards security that ensures the right decisions are made by the right people, and that developers can raise concerns knowing that they will be seen and escalated. It also frames InfoSec as an enabling force rather than a loophole


 * JSON Hijacking - Gareth Heyes ([[Media:OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf|PDF]]) (video: https://www.youtube.com/watch?v=NlLzI7U5L6s)


 * JSON hijacking is supposedly dead after the Array constructor and "Object.prototype" setter bugs have been patched or is it? This talk will show how it's still possible to steal JSON data cross domain using various browser bugs. Gareth will take us on an epic journey of bug discovery and if we have time he may even bypass CSP for fun.

Speakers
Jeremy King


 * Jeremy is the International Director of the PCI Security Standards Council. He leads the PCI Council's efforts in increasing adoption and awareness of the PCI Security Standards internationally. In this role, Mr. King works closely with the Council's General Manager and representatives of its policy-setting executive committee from American Express, Discover, JCB International, MasterCard, and Visa, Inc. His chief responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC managed standards through all international markets, and driving education efforts and Council membership recruitment through active involvement in local and regional events, industry conferences, and meetings with key stakeholders. He also serves as a resource for Approved Scanning Vendors, Qualified Security Assessors, Internal Security Assessors, PCI Forensic Investigators, and related staff in supporting regional training, certification, and testing programs.

Gareth Heyes


 * Gareth works as a researcher at Portswigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS a free JavaScript sandbox that provides a safe DOM environment for sandboxed code. Gareth has been a speaker at many security conferences including the Microsoft BlueHat, Confidence Poland, and OWASP Application Security Conferences. Gareth also co-authored the "Web Application Obfuscation" book,  which was named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews

Shane Kelly


 * Shane is a Senior Software Developer at The BBC, with a keen interest in security. Prior to the BBC he worked for the travel aggregator Travelfusion, and the anti-money laundering firm Fortent (formerly Searchspace).

Goran Sarenkapa


 * Goran is a core member of OWASP ZAP development team and a lead developer on OWASP ZAP Jenkins plugin project

RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

RSVP at Eventbrite:

https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-24th-november-2016-630pm-tickets-29073490593

Monday, 28th November 2016 (Central London) OWASP London Hackathon Workshop and CTF
We are excited to announce the OWASP London Hackathon and CTF event which will be taking place on the evenings on 28th and 29th of November 2016 in Central London.

CTF (Capture The Flag) is a type of computer security competition. Contestants are presented with a set of challenges and puzzles which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories and when solved, each yields a “flag” which is submitted to a real-time scoring service. The difficulty levels are from beginner to advanced.

CTF tournaments are a great and fun way for software developers to learn a wide array of applications security skills in a safe and legal environment.

This event is kindly hosted and sponsored by: ThoughtWorks London

Location: ThoughtWorks, 76 Wardour Street, London, W1F 0UR

Nearest Tubes: Piccadilly Circus (6 minute walk), Leicester Square (6 minute walk), Tottenham Court Road (9 minute walk), Oxford Circus (9 minute walk)

Schedule

Evening 1: Monday 28th November 2016, 6pm doors open for 6:30pm kick-off 9:30pm finish
OWASP London Hackathon/Training Workshop (game-based)

Learn how to hack web applications (and how to code to protect them from common security threats) in a fun, interactive and safe environment. Most programming languages supported.

Evening 2: Tuesday 29th November 2016, 6pm doors for 6:30pm kick-off 10:00pm finish and prize-giving
OWASP London Capture The Flag (CTF) competition

Practice your hacking skills and compete against other participants and teams - solve challenges and puzzles, capture flags, score points and win prizes!

IMPORTANT: Please bring your own LAPTOP and a charger for it to both evenings.

Snacks and drinks will be provided throughout both evenings.

Top 3 scorers will win exciting prizes generously provided by security technology vendors.

Participation is FREE, but the number of seats is strictly limited and reservation is required to attend.

Please note that tickets to each evening should be booked separately.

You can choose to come to the Workshop only, CTF competition only or both events.

Spread the word within your organisations and get your developers to join.

Remember to bring your own laptop!

Booking link
Please note that there are two separate dates for this event and you should book tickets to both dates if you are planning to attend both the Hackathon workshop and the CTF competition:

https://www.eventbrite.co.uk/e/owasp-london-hackathon-and-ctf-tickets-29190020136

Thursday, 29th September 2016 (Central London)
This event was kindly sponsored and hosted by Skype (Microsoft)

The videos from this event are available to watch on OWASP London YouTube channel: https://www.youtube.com/channel/UC-CfoAEpdpkB_jYrydYrqSA

Location: Location: Skype (Microsoft) offices: 2 Waterhouse Square. 140 Holborn, London EC1N 2ST

Nearest Tube: Chancery Lane

Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)

Talks

 * OWASP Introduction and News - Sam Stepanyan and Sherif Mansour ([[Media:OWASP20160929_Welcome_Intro.pdf|PDF]])
 * Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders


 * Lightning Talk 1 - Can Your Organisation Survive a Poli-Cyber Breach ? - Khaled Fattal ([[Media:OWASP20160929_Survive_Cyber_Attack.pdf|PDF]])


 * With the rise of the new breed of cyber-terrorism perpetrated by extremist groups such as ISIS/Daesh, an alarming new dimension has been added to the threat landscape


 * The Thermostat, The Hacker, and The Malware - Ken Munro and Andrew Tierney ([[Media:OWASP20160929_Thermostat_PTP.pdf|PDF]])


 * Following the PoC of thermostat ransomware Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat Ken and Andrew will walk through the ransomware attack and then move onto general malware - which has no easy method for detection. Even when firewalled these devices are still vulnerable to local attacks so we’ll show you how you can achieve a compromise. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.


 * Lightning Talk 2 - Telling The Time - Chris Anley ([[Media:OWASP20160929_Telling_The_Time.pdf|PDF]])


 * Fairly regularly on consultancy jobs, you encounter a "random" number that is actually just the time, or a PRNG seeded with the time, or a hash of the time, etc.. If you had to guess the time on a remote server to a tolerance of a microsecond, how many requests would it take?


 * Node.js Security - Still Unsafe At Most Speeds ([[Media:OWASP20160929_NodeJS_Security.pdf|PDF]]). Surrogate Dependencies in Node.JS ([[Media:OWASP20160929_NodeJS_Surrogate_Dependencies.pdf|PDF]]) - Dinis Cruz


 * Abstract TBC

Speakers
Ken Munro

Ken Munro is a successful entrepreneur and is founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers all of whom have a stake in the business. He takes a key role in conducting investigations as well as encouraging team members to pursue their own research, the results of which are published on the company blog and in the wider media. Ken has a wealth of experience in penetration testing but it’s the systems and objects we come into contact with on an everyday basis that really pique his interest. This has seen him hack everything from hotel keycards, to cars and a range of Internet of Things (IoT) devices, from wearable tech to children’s toys (Cayla) and smart home control systems. Ken has been in the infosecurity business for 15 years.

Andrew Tierney

Andrew Tierney is a security consultant at Pen Test Partners. Prior to this he gained notoriety for his blog where he documented his findings regarding embedded systems such as routers, intruder alarms, thermostats, IP cameras, and DVRs. He expanded his skills into the realms of IoT web applications and mobile applications before joining the team. With a background in electronic engineering, Andrew employs some novel techniques for attacking embedded systems, such as simple and differential power analysis, firmware recovery, and glitching attacks. He has experience in both writing and disassembling a multiple of architectures, including ARM, MIPS, x86, AVR, and PIC, he is capable of reverse engineering a wide spectrum of devices from the smallest 8bit microcontoller up to the latest Android phones.

Dinis Cruz

Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

Khaled Fattal

Khaled Fattal is the Group Chairman of The Multilingual Internet Group. He is also the President Advisory Committee Member on Internationalised Domain Names (IDN) at ICANN (Internet Corporation for Assigned Names and Numbers). Khaled has been a strong advocate of Internet multilingualism and is an active promoter of research, development, education & deployment projects which help to make the Internet more usable and inclusive. Recently Khaled has been actively researching the topics of cyber-terrorism from threat actors such as ISIS/Daesh and the rogue states

Chris Anley

Chris Anley is Chief Scientist at NCC Group. He is the author of several innovative papers on application security, including "Advanced SQL Injection", "Hackproofing MySQL" and the paper introducing "Venetian" shellcode. He is the lead author of "The Shellcoder's Handbook", arguably the definitive book on discovering and exploiting arbitrary-code security vulnerabilities, and co-author of "The Database Hacker's Handbook" and "SQL Server Security". He has discovered security flaws in a wide variety of platforms including Microsoft Windows, Apple OSX, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.

RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

RSVP at Eventbrite:

https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-29th-september-2016-630pm-tickets-27611813678

Thursday, 28th July 2016 (Central London)
This event is kindly sponsored and hosted by Expedia

Video recordings of talks from this event are now available here: https://www.youtube.com/playlist?list=PLmfxTKOjvC_dxWb4Gy07cm5_seNCzZG3q

Location: Expedia.com Ltd, Block 1, Angel Square, London, EC1V 1NS. Nearest Tube: Angel (Northern Line)

Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)

Talks

 * OWASP London Welcome and Intro - Sherif Mansour and Sam Stepanyan
 * Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders ([[Media:OWASP20160728_London_Welcome_Update.pdf|PDF]])


 * CSP STS PKP ETC OMG WTF BBQ... - Scott Helme ([[Media:OWASP20160728_CSP_STS_PKP_ETC.pdf|PDF]])


 * There are a huge number of technologies available to help us better secure our websites, but it can be difficult to know about all of them. In this talk I'm going to show you some of the headline acts in the HTTP Response Header category and just how easy it can be to quickly and effectively boost security and offer better protection to your visitors.


 *  Achieving Secure Continuous Delivery - Lucian Corlan and Chris Rutter ([[Media:OWASP20160428_Achieving_Secure_Continuous_Delivery.pdf|PDF]])


 * There's a lot of discussion around achieving application security automation within the development pipeline. In this talk you will experience an approach to using Threadfix and its "Policies" feature to determine the security exposure of a release and using a tool called Donatello to output the result back into the continuous integration and delivery flows. Additionally, the speakers will be presenting some of their ideas for a second version of Donatello which will be taking a lot more static & dynamic attributes into account in the form of an Application Security Passport.


 *  "Lightning Talk" - Jacks Tool Demo - Lewis Ardern ([[Media:OWASP20160728_Jacks.pdf|PDF]])


 * Become a Source Code Hero With New Code Analysis Tool for Developers, Jacks.

Jacks is changing the way development teams approach the security dilemma, by giving developers the skills they need to own the security of their applications and to build safer apps from the start

Speakers
Scott Helme

Scott Helme is an internationally renowned speaker, security researcher, pen tester, consultant and blogger. Scott is also the founder of report-uri.io and securityheaders.io - free online tools which help thousands of organisations around the globe to deploy better security.

Lucian Corlan

Lucian is a Senior Application Security Solutions Manager at SagePay. Lucian holds a number of security certifications – MSc ITSec, MA Security Studies, CISSP, CSSLP (a), CISM, CISA, CEH, OSCP, SABSA Foundation and has previously worked for Betfair in the InfoSec/AppSec Manager and Acting Head of AppSec roles. Lucian has also led one of the Romanian OWASP Chapters and is still involved in OWASP. Before that he worked for several multi-national organisations in the banking (chip card security & app security) and telecom (infra & app security) sectors. If there’s any free time left…, he spends it meddling with astronomy (planetary & galactic), reading philosophy/crypto detective books and dissecting bits of geo-economy politics.

Chris Rutter

Chris is a software developer who has bought into the crazy idea that software security is a measure of quality, right up there with business functionality and performance. He enjoys perfecting ways to defend his applications from any and all kinds of malicious nasties and educating other developers on said nasties. He has spent the last few years easing PCI-level security practices into an agile, 1 week sprint, continuous delivery environment using a mixture of education, automation and teamwork.

Lewis Ardern

Lewis Ardern is a Consultant at Cigital, Inc. Lewis is Ph.D. candidate at Leeds Beckett researching into Web Security, with a focus on client-side security. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen (https://github.com/SecGen/SecGen) which generates vulnerable virtual machines on the fly for security training purposes.

RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building:

RSVP at Eventbrite:

https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-28th-july-2016-630pm-tickets-26474895124

Thursday, 28th April 2016 (Central London)
This event is kindly sponsored and hosted by Skype (Microsoft) who have been hosting OWASP London Chapter Meetings since January 2014.

Location: Skype(Microsoft), 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST. Nearest Tube: Chancery Lane

Time: Doors Open at 6pm, the talks start at 6:30pm (We start on time)

Talks

 * OWASP London Welcome Intro - Sherif Mansour and Sam Stepanyan
 * Welcome and Chapter Update from the OWASP London Chapter Leaders ([[Media:OWASP20160428_Welcome.pdf|PDF]])

Threat Intelligence ("Lightning" Talk) - Sherif Mansour
 * Introduction into Threat Intelligence ([[Media:OWASP20160428_Threat_Intel.pdf|PDF]])


 * Drones and their Flaws - Aatif Khan ([[Media:OWASP201604_Drones.pdf|PDF]])
 * Drones or Unmanned Aerial Vehicles (UAVs), have undoubtedly attained a prominent position in contemporary and future defense technologies. It has been increasingly used for Surveillance, Reconnaissance and have been planned to stop crude oil theft, to deliver online shopping products and even pizza. It remains important to understand their security and implication. This talk will explore different kind of drones and their associated vulnerabilities hence giving chance to audience to understand their flaws and work for anti-hacking solutions.


 * How (NOT) to Code Your Ransomware - Liviu Itoafa ([[Media:OWASP201604_Ransomware.pdf|PDF]])
 * The presentation will start with a history of ransomware from simple lockers to recent trends. Although currently ransomware follows good secure development practices, this is not always the case. We'll see in what circumstances we can get our files back and how. This will make you think twice before paying the ransom and, for some samples, think twice before clicking that tempting link for 'summer photos'.

Speakers

 * Aatif Khan
 * Aatif Khan is cyber security researcher who comes with over a decade of experience in information security. Apart from consulting on application security, he has also delivered infosec training's to corporate, defense personnel and cyber crime police officials. He has previously presented talk at OWASP Singapore, Malaysia, India and Dubai. He has also authored papers on Advance Persistence Threats, Hacking the Drones, Web Security 2.0, Android Application Penetration Testing.


 * Liviu Itoafa
 * Liviu Itoafa is a security researcher with a strong interest in malware analysis and investigating security incidents. He has been working in the field of Information Security for more than 7 years on developing (secure) software, application pentesting and reverse engineering. He became a coding enthusiast long time ago, when he found out how to do game cheats and many other interesting stuff with the C programming language and a little Assembly.Now, as a security researcher at Kaspersky Labs, he is having fun investigating malware samples. He also runs malware analysis and reverse engineering workshops.


 * Sherif Mansour
 * Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter

RSVP
This event is free to attend for both members and non-members of OWASP. Please note that you MUST RSVP to book your place and to be admitted into the building by the Microsoft(Skype) security reception.

RSVP is now open at Eventbrite:

https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-28th-april-2016-630pm-830pm-tickets-24382285071

Thursday, 25th February 2016 (Central London)
Video recordings of the talks from this event are now available on OWASPLondon YouTube channel

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Time: 18:30 to 20:30 (BST) (We start on time)

Talks

 * OWASP London Chapter announcement - Justin Clark - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
 * The Challenges of Web Application Security in A Contious Delivery World - Sherif Mansour - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
 * Imagine a world where a developer can have her/his code pushed into production a few minutes after its checked in. How do you engrain web application security in such a development pipeline? How do you keep track of the security issues? In this talk we'll discuss some of the security challenges for this paradigm shift and how OWASP can help development teams navigate some of these challenges.
 * New Era of Software with modern Application Security - Video recording: https://www.youtube.com/watch?v=P_RA-0RHKes
 * This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.

Speakers

 * Justin Clarke
 * Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Justin is the outgoing Chapter leader of the OWASP London chapter.


 * Sherif Mansour
 * Sherif Mansour has been working in the field of Information Security for the last 12 years, and is currently leading the Software Security Program at Expedia Inc. He has contributed to the OWASP AppSensor project and his security research has led to a few findings in software developed by Microsoft, Oracle, SAP and SiteSpect. He currently helps manage the Royal Holloway Information Security (ISG) Alumni Group as well as the OWASP London Chapter


 * Dinis Cruz
 * Dinis is creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

RSVP
RSVP is now open at Eventbrite - https://www.eventbrite.co.uk/e/owasp-london-event-february-chapter-meeting-thursday-25th-february-2016-630pm-830pm-tickets-21498714233

Thursday, June 11th 2015 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Time: 18:30 to 20:30 (BST) (We start on time)

Talks

 * OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella
 * How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information.


 * Topic To be confirmed - Justin Clarke
 * Exciting OWASP topic to be confirmed!

Speakers

 * Christian Martorella
 * Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government. He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering, OSINT and offensive security


 * Justin Clarke
 * Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.

RSVP
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/

Thursday, December 4th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci


 * Offensive OSINT - Christian Martorella and Zigor Zumalde
 * Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks


 * Round-up - Colin Watson
 * OWASP news and Christmas gift (presentation)


 * OWASP Testing Guide v4 - Matteo Meucci
 * The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.

Thursday, September 18th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: John Smith, Joe Pelietier, Colin Watson


 * Global Application Security Survey & Benchmarking - John Smith
 * This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.


 * Anatomy of a Data Breach - Joe Pelletier
 * The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.


 * OWASP Roundup - Colin Watson
 * Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])

Thursday, May 15th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Hacker Fantastic, Colin Watson


 * Heartbleed Teardown - Hacker Fantastic
 * An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.


 * AppSensor 2.0 - Colin Watson (PDF)
 * The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.

Thursday, March 20th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou


 * Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos
 * Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.


 * OWASP WebSpa - Yiannis Pavlosoglou ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])
 * The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.

Thursday, January 16th 2014 (Central London)
Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Justin Clarke, Marco Morana and Tobias Gondrom


 * Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke
 * Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path.  When we initially decided to implement CSP, the BETA version of our website was already live.  Like many sites, our platform grew from something we initially started as a pet project.  Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.   We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime.  Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed.  We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime.  Needless to say we were surprised by what was reported, and we’ll share the results.   Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).


 * 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom
 * Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Thursday, December 12th 2013 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Ofer Maor and Colin Watson


 * IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor
 * Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...


 * OWASP Cornucopia - Colin Watson
 * Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

Thursday, October 24th 2013 (Central London)
Location: Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX

Speakers: Dinis Cruz and Justin Clarke


 * Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz
 * This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.


 * OWASP Mobile Top 10 - Justin Clarke
 * The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.

Monday, June 3rd 2013 (London EUTour2013 One Day Conference)
Location: Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY

For full details, including slides and videos of sessions, go to the main EUTour2013 Page and click through to the London event.

Thursday, November 8th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Petko Petkov and Marco Morana


 * A Short History of The JavaScript Security Arsenal - Petko D. Petkov
 * In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.
 * This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.


 * The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])
 * The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.

Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members)
Location: Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB

Time: 10:00am - 4:30pm

ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!

Thursday, March 29th 2012 (Central London)
Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Jim Manico and Manish Saindane


 * Top 10 Web Defences - Jim Manico ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])
 * We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.
 * IronWASP - Manish Saindane ([[Media:IronWASP.pptx|PPTX]])
 * IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Viet Pham and Tobias Gondrom


 * ''Implementing cryptography: good theory vs. bad practice - Viet Pham ([PDF])
 * Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.


 * ''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([PDF])
 * "In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."

Thursday, February 2nd 2012 ,18:30-21:00
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Sarah Baso, Dinis Cruz, Dennis Groves


 * Security as Pollution (lessons learned) - Dinis Cruz
 * Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010


 * Making Security Invisible by Becoming the Developer's Best Friends - Dinis Cruz
 * Based on Dinis' presentation at OWASP AppSec Brazil 2011


 * How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
 * This is for students and developers who want to get into the application security space and need to have/show real-world experience.


 * What's Happening on OWASP Today - Sarah Baso
 * This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment

Thursday, September 8th 2011
Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speaker: Daniel Cuthbert (deck)

Title: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.

Friday, June 3rd 2011
Location: Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Thursday, April 14th 2011
Location: Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH


 * Wordpress Security - Steve Lord ([[Media:Wordpress-security-ext.pdf|PDF]])
 * Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.


 * Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit
 * Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future

Thursday, February 17th 2011
Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA

A special meeting event, in conjunction with London Geek Nights on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.

Archived Events
For events before 2011, see Archived OWASP London Events

Other Activities
The Leeds UK, London and Scotland Chapters joint response to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.
 * February 2010 - Personal Information Online COP

Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.
 * March 2009 - Entry for Nominet Best Practice Challenge 2009


 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).