London

London

Future Events
Thursday, March 12th


 * Location: KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at 6.30pm (arrive between 6.00pm and 6.30pm), ending by 8.30pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. IMPORTANT: You must RSVP (by sending an email to Hayley French from KPMG (hayley.french AT kpmg DOT co DOT uk) and cc'ing justin AT justinclarke DOT com) if you want to attend.


 * Programme
 * 18:00-18:30 Arrive and make yourselves comfortable.
 * 18:30 Justin Clarke: Introductions from new chapter leader
 * 18:45 Matt Bartoldus: The Software Assurance Maturity Model - Introduction and a Use Case
 * 19:30 Colin Watson: OWASP Global Industry Committee
 * 19:45 Bernardo Damele A. G.: SQL injection: Not only AND 1=1
 * 20:30 End

Topics
 * OWASP Global Industry Committee - Colin Watson
 * The Global Industry Committee was one of six new OWASP committees created during the EU Summit in Portugal last year. Colin Watson will talk about the committee's aims, plan, how to get involved, who it has been engaging with and what else it has been doing in the first few months.
 * Colin Watson's initial work was in the production and process engineering fields, but since completing an MSc in Computation at the University of Oxford in 1995, he has been employed in web software development, with an increasing focus on the security aspects. He is now a consultant in London working with developers, testers, auditors and people from a non-IT background such as business owners, managers, marketers, project specifiers and designers to improve security practices.  Colin joined the OWASP Global Industry Committee in January.


 * The Software Assurance Maturity Model - Introduction and a Use Case - Matt Bartoldus
 * The OWASP CLASP Project has been going through modification to move more towards a maturity model. As a result, the Software Assurance Maturity Model (SAMM) project has been released in a beta version. The goal is to "define a usable security framework with sequential, measurable goals that can be used by small, medium, and large organisations in any line of business that involves software development".  This talk will introduce SAMM and give a brief overview of its contents. We will then discuss how SAMM is currently being used to measure the level of information security activities within an EU based financial organisation's development methodology and providing the framework for implementing such activities into their everyday development activities (SDLC).
 * Matt Bartoldus is an information risk management professional with over 10 years of experience managing and delivering information security projects. Service delivery experience spans the scope of security penetration and vulnerability assessments; regulatory compliance and information security governance consulting; policy and standard development; and security business transformation. Matt is a Co-Founder of and Director at Gotham Digital Science in London.


 * SQL injection: Not only AND 1=1 - Bernardo Damele A. G.
 * The presentation will cover a quick preamble on SQL injection definition, sqlmap and its key features. It will then illustrate the details of common and uncommon problems and respective solutions with examples that a penetration tester or a SQL injection tool developer faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, blind SQL injection algorithm speed enhancements, specific web application technologies IDS bypasses and more.
 * Bernardo Damele A. G. is an IT security engineer based in London (United Kingdom) currently employed as penetration tester and security researcher for a renowned security company. Bernardo spent most of his research time on web application and database management systems security. He is currently the lead developer of sqlmap, a MySQL UDF repository developer and a Metasploit contributor.

Past Events

 * Thursday, December 4th


 * Location: KPMG, 39th Floor, One Canada Sq, E14 5AG

Justin Clarke: SQL Injection Worms for Fun and Profit ([[Media:SPF.pdf|PDF]])

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

Dinis Cruz: OWASP Summit 2008 Report

The OWASP Summit 2008 has been a great success. Dinis, also known as Chief OWASP Evangelist, is going to tell us what we've missed.

Justin Clarke: Protecting Vulnerable Applications with IIS7 ([[Media:SQL_Injection_for_Fun_&_Profit.pdf‎ |PDF]])

With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.


 * Thursday, September 4th


 * Location: KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

James Fisher: DirBuster & Beyond (PDF)

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

Yiannis Pavlosoglou: JBroFuzz

[Summary will be updated if I get it from Yiannis, but you can always go to the JBroFuzz project homepage for more information.


 * Thursday, July 24th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18:30 Arrive and make yourselves comfortable.
 * 19:00 Dinis Cruz: What is going on at OWASP?
 * 19:20 Colin Watson: Nominet Best Practices Award briefing (PDF)
 * 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns (PDF)
 * 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
 * 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls (PDF) (talk from the recent OWASP AppSec Europe conference in Ghent).


 * Thursday, April 3rd


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 PHP Code Analysis: Real World Examples (David Kierznowski)
 * 20h00 Abusing PHP sockets for fun and profit (Rodrigo Marcos; also available: source code, Flash demo)
 * 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
 * 21h00 Discussion: OWASP Best Practice Challenge 2008 nomination.
 * 21h30 End.


 * Thursday, December 6th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
 * 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques (PPT).
 * 20h15 OWASP London Chapter (discussion).
 * 20h45 PDP: Client-Side Security (discussion).
 * 21h30 End.


 * Wednesday, September 5th (participating in the OWASP Day event). Read meeting notes here.
 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsored the meeting by paying for the costs of the venue.


 * Programme:
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Petko D. Petkov, a.k.a pdp (architect), founder of the GNUCITIZEN group: For my next trick... hacking Web2.0.
 * 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
 * 21h00 Discussion: "Future of the OWASP London Chapter".
 * 21h30 End


 * Thursday 22nd March
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * Mark O'Neill "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
 * Dinis Cruz "OWASP Spring of Code and Owasp world update " - 30 m


 * Thursday 22nd February
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * by Dinis Cruz (Chief OWASP Evangelist) :
 * OWASP, the Open Web Application Security Project 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * Buffer Overflows on .Net and Asp.Net 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
 * by Ivan Ristic:
 * ModSecurity - 30m


 * Schedule:
 * 6pm - 7pm arrive and grab a drink
 * 7:00 - OWASP, the Open Web Application Security Project, Dinis Cruz
 * 7:45 - ModSecurity, Ivan Ristic
 * 8:15 - Buffer Overflows on .Net and Asp.Net, Dinis Cruz
 * 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
 * 9:00 - Dinner

Other Activities

 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).