Singapore

Local News
Covert Redirect Vulnerability

Date: 18 June 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Wang Jing, will share on the following:

Unvalidated Redirects and Forwards, also known as Open Redirect, is on the OWASP top 10 list in 2010 and 2013. One repercussion of the vulnerability is that it can be used for phishing attacks. According to Kaspersky, in 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012. This presentation introduces a new kind of attack, Covert Redirect. The name is derived from and to contrast with Open Redirect. Covert Redirect could affect those who use OAuth 2.0 and OpenID to “login” websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and many others. We will then simulate a Covert Redirect attack and provide some precautionary steps that companies can take to ensure security.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 June 2014.

See ya!

OWASP Cornucopia

Date: 23 April 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Bringing fun into threat modelling. Based on Microsoft's Escalation of Privilege (EoP) threat modelling card game, OWASP has designed this card game into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide and other sources. We will also have a few card decks to show and share.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Tobias Gondrom, OWASP Global Board Member Tobias Gondrom has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations working for independent software vendors and large global corporations in the financial, technology and government sector. And he holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 22 April 2014.

See ya!

HTML5 Security

Date: 12 March 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Aatif Khan, will share on the following:

HTML5 has several new components like XHR-Level2, DOM, Storage, App Cache, WebSQL etc. All these components are making underlying backbone for HTML5applications and by nature they look very silent. It allows crafting stealth attack vectors and adding risk to end client. Here is a list of top 10 attack vectors. Structured layers as mentioned in the above section provide more clarity on a possible enhanced attack surface. This exposes browser components of an application to a set of possible threat which can be exploited. Listed below are possible top 10 threats where new HTML5 features along with emerging software developing patterns, have significant impact.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Aatif Khan Aatif Khan, Application Security Evangelist, has delivered highly technical security training for conferences, universities, and corporate clients like Bank of America, Verizon,Amazon, Google, Yahoo, etc. to excellent reviews. He is also one of the main founding member of HDCRB (Hack Defense Certification Review Board). Aatif consults for application security, and is having specialization in security assessments/penetration testing, infosec training's, and reverse engineering/malware analysis.

Apart from his stupendous exposure in application security consulting from seven years, he has also worked with Defense Personnel, Cyber Crime Police Officials and has also delivered over more than 2000 hours of Information Security training to IT Security Professional's & Government Agencies. He has authored Books entitled "Ethical Hacking", "Advance Penetration Testing", "Backtrack Starter Manual" published by Packt Publications, UK.

He is popularly known for designing the most advance course on "Advance Penetration Testing" with his Lab Book & Lab Exam, and has received stupendous feedback from top notch security experts. You can find more about him here - facebook.com/thenapsterkhan

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 11 March 2014.

See ya!

Managing Web & Application Security with OWASP – bringing it all together

Date: 18 July 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gundrum, will share on the following:

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. A journey through different organisational stages and how OWASP tools help organisations moving forward improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 July 2013.

See ya!

Wordpress (In)Security: How hackers bypassed manual defacement monitoring

Date: 30 May 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

In this presentation, the speaker, Onn Chee, will share on the following:

Onn Chee will walk through a case of web defacement of Wordpress by hackers which outwitted the manual defacement services offered by managed security services providers.

He will also share some tips on how to better secure Wordpress deployments.

If you are running Wordpress, come and share your experiences and security tips too.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 29 May 2013.

See ya!

Bypassing Local Microsoft Security Policies

Date: 28 Feb 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st meetup of 2013!

In this presentation, the speaker, Paul Craig, will share on the following:

Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies, App Locker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempt these technologies can be troublesome, frustrating and restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.

Speaker Profile

Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled "A malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 28 Feb 2013.

See ya!

AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 14 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 7th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Ryan Baxendale will share on these topics:

- Tips and tricks for hacking Microsoft SharePoint sites.

- Taking advantage of administrative interfaces to get shell.

- Breaking end to end encryption implemented in JavaScript.

- Weak two factor authentication and how to get around it.

- Abusing poorly designed password reset functions to get admin access.

- Bypassing a web application firewall.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 12 Nov 2012.

See ya!

AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 7 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 6th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Onn Chee will share some latest discoveries of web attacks and walk through a short 30-min introduction to the IT impact of the new Singapore Personal Data Protection Act.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 5 Nov 2012.

See ya!

AISP-OWASP: WAFs - An attacker's perspective

Date: 29 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 5th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernhard will look at the effectiveness of WAFs from the perspective of a long-time security tester.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 26 Oct 2012.

See ya!

AISP-OWASP: Dynamic Web Defense

Date: 22 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 4th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernard, will share on the latest developments in dynamic web defense techniques used by WAFs.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 Oct 2012.

See ya!

AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks

Date: 3 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 3rd session of the joint AISP-OWASP series of chapter evenings!

It has long been rumored that the Chinese government has an army of trained hackers to carry out national level attacks. Taiwan, despite being their closest neighbor in terms of language and culture, become a convenient target and constant victim since they have opposing political stance.

As Taiwan has been moving into e-government since 2005, this phenomenon forced the Taiwanese government to strengthen their IT security, especially on application security.

In this presentation, the speaker, Kae Bin, will share some common attacks that was observed and how does Taiwan react to those constant bombardment from their friendly neighbor.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 1 Oct 2012.

See ya!

AISP-OWASP Joint Series: Security Testing with OWASP ZAP

Date: 18 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 2nd session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

12 Sep 2012

1) Use of OWASP ESAPI to defend against OWASP Top 10 Risks by Wong Onn Chee

18 Sep 2012

2) Use of OWASP ZAP to assess security of web application by Cecil Su

3 Oct 2012

3) Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks by Tan Kae Bin

11 Oct 2012

4) Dynamic Web Defense by Bernard Tan

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to secretariat@aisp.sg latest by 16 Sep 2012.

See ya!

AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks

Date: 12 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

12 Sep 2012

1) Use of OWASP ESAPI to defend against OWASP Top 10 Risks by Wong Onn Chee

18 Sep 2012

2) Use of OWASP ZAP to assess security of web application by Cecil Su

3 Oct 2012

3) Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks by Tan Kae Bin

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to secretariat@aisp.sg latest by 10 Sep 2012.

See ya!

HITBSecConf2012 - Malaysia: #TenYearsInTheBox



Date: 8th - 11th October

Venue: InterContinental, Kuala Lumpur, Malaysia

Website: HITBSecConf2012 Malaysia Portal

To commemorate TEN YEARS of playing host to the brilliant minds that have helped shaped the security landscape to where it is today, HITBSecConf2012 – Malaysia (#HITB2012KUL) will be welcoming back on stage over 42 of our most popular speakers from the last 10 years!

Here's your chance to meet the legends of the computer security industry including the likes of John ‘Captain Crunch’ Draper, The Founders of The Pirate Bay, Mikko Hypponen, DNS guru and president of ISC, Paul Vixie,OpenBSD creator Theo de Raadt and even members of the LEGENDARY iPhone Dev Team and jailbreak DreamTeam will be on hand for a very very special iOS / OS X panel discussion! Featuring @MuscleNerd @pod2g @planetbeing and joined by non other than Charlie @0xcharlie Miller and Stefan @i0n1c Esser!

The event takes place on the 8th till 11th of October and as always we kick off the first two days with 8 tracks of hands on technical training sessions (8th and 9th October) followed by the 2-day triple track conference with NO KEYNOTES, NO LAB SESSIONS and NO SIGINT slots.

We’re also ramping up this year’s show by expanding on HITB favorites – including an expanded CommSec village with an updated round-the-clock 36 hour nonstop Capture The Flag competition and also an expanded 36 hour HackWEEKDAY hackathon to go with it. Registration for HackWEEKDAY is COMPLETELY FREE and we strongly encourage professional developers and students to sign up.

Do note that there will only be a maximum of 1010 seats for the conference on the 10th and 11th of October and registration is already open. OWASP members are entitled to the conference seats at SGD580 (normal price SGD640) - Discount code is limited to the first 15 sign ups on a first-come, first-serve basis.

Register Online: HITBSecConf2012 Malaysia Registration

Please contact Onn Chee for the discount code. Do note only paid registered OWASP members are eligible for the discounts.

23 April 2012 meetup: Rethinking web-application architecture for the Cloud

Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls.

This talk presents an architecture for building the next generation of web-applications. This architecture allows you to leverage emerging technologies such as cloud-computing, cloud-storage and enterprise key-management Infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments – while proving compliance to PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this "Regulatory Compliant Cloud Computing (RC3)". Papers describing RC3 can be found on the following websites:

IBM: http://ibm.co/rc3dw

ISSA Journal: http://bit.ly/rc3issa

InfoQ: http://bit.ly/rc3infoq

StrongAuth: http://www.strongauth.com/pdf/RC3-WebAppArch-1.2-2.pdf

Speaker's Bio

Arshad is the CTO of StrongAuth, Inc., a Silicon Valley-based company focused on encryption and key-management for the last 11 years. He is the architect and lead developer of many open-source cryptographic software including CSRTool, StrongKey, KeyAppliance and the CryptoEngine. He has written many papers and spoken at many conferences - most recently at OWASP AppSec 2012 - on the subject of encryption and key-management.

Meetup details

Monday, April 23, 2012 7:00 PM

Prudential Assurance Company Singapore (Pte) Ltd

156 Cecil Street #10-00, Far Eastern Bank Building

Singapore 069544

'''Please RSVP at http://security.meetup.com/77

See ya!'''

OWASP Singapore is a Supporting Organisation for Asia Cloud Conference 2011 scheduled to be held the Grand Hyatt Hotel Singapore on 2 Nov 2011

The Asia Cloud 2011 Conference will provide insights and key learning to understand how your organization can take advantage of cloud technologies. Leading industry practitioners will address the emerging cloud technology trends, examine best practices in successfully integrating cloud technologies into the enterprise’s infrastructure and meets various challenges in managing cloud’s performance in the enterprise.

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Priority will be given to those registered members who did not enjoy free complimentary passes before. Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

Note: Conference seats at this event are complimentary to senior-level end users of IT solutions. The fee for other professionals to attend this event is US$995. The Organizer reserves the final right to accept or reject any registrations.



OWASP Singapore is a Supporting Organisation for IDA's Information Security Seminar 2011 from 13-14 April 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Contact me @ ocwong@owasp.org if you want the one of the complimentary delegate passes.

For other members, you too can enjoy discounted affiliate rates when you register.

Click here to know more about Information Security Seminar 2011



OWASP Singapore is a Supporting Organisation for Info Security Conference 2011 in Singapore on 5 May 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Contact me @ ocwong@owasp.org if you want the one of the complimentary delegate passes.

Click here to know more about Info Security Conference Singapore



OWASP Moves to MediaWiki Portal - 11:31, 20 May 2006 (EDT)

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

The chapter leader is [mailto:ocwong@owasp.org Onn Chee].

Contact Information for Onn Chee is as follow:

Mobile:      (65)  9838 7930

Skype VOIP:   ocwong

Email:      ocwong@owasp.org

OWASP Singapore have combined its activities with Singapore Security Meetup Group (SSMG) since Dec 2007

We are holding our regular joint OWASP-SSMG meetings on the 2nd Thursday of each month.

Do check out http://www.meetup.com/SGSecurityMG/ for the calendar of events.

For our past meetings, please check out http://www.meetup.com/SGSecurityMG/calendar/past_list/

For ease of management, updates on activities will be made on the http://www.meetup.com/SGSecurityMG/, though updates will still be sent to OWASP Singapore mailing list.

OWASP Singapore Get Together on 19:30, 9 Oct 2007 (SGT)

We will meet at Geek Terminal (http://www.geekterminal.com)

Address: 55 Market Street 01-01 Singapore 048941

Telephone No: +65 65570098

Nearest Carpark: Golden Shoe Carpark Nearest MRT: Raffles Place MRT

OWASP Singapore Nov Chapter Meeting on 19:30, 7 Nov 2007 (SGT)

Michael Boman will be presenting "Overcoming USB (In)Security"

Venue : GeekTerminal

OWASP Singapore Dec Chapter Meeting on 19:30, 13 Dec 2007 (SGT)

Venue : GeekTerminal

OWASP Singapore Jan Chapter Meeting on 19:30, 10 Jan 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Feb Chapter Meeting on 19:30, 14 Feb 2008 (SGT)

Venue : SODS, 51 Tras Street (We loved each other so much that we met on Valentine's Day!)

OWASP Singapore Feb Chapter Meeting on 19:30, 13 Mar 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Apr Chapter Meeting on 19:30, 10 Apr 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebGoat by Onn Chee and a Hacking demo by Johnny.

OWASP Singapore May Chapter Meeting on 19:30, 29 May 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebScarab by Rogan and Burp proxy suite by Rick.