Difference between revisions of "Birmingham"

From OWASP
(20 intermediate revisions by 2 users not shown)

Previous revision (wiki source):

{{Chapter Template|chaptername=Birmingham, UK|extra=Details of our Chapter Leaders are here [[Birmingham_Chapter_Leaders]] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-birmingham|emailarchives=http://lists.owasp.org/pipermail/owasp-birmingham}}

OWASP is a charitable organisation. Our chapter meetings are free to attend but there are always costs associated with running them. Any amount of donation is appreciated and will be used entirely to enhance the chapter meetings: <paypal>Birmingham</paypal>

== Chapter News ==

'''Planned Chapter Meetings'''

March 2012 Venue: TBC

June 2012 Venue: TBC

September 2012 Venue: TBC

December 2012 Venue: TBC

== Next Meeting ==

'''Date:''' Thursday 15th December. Please RSVP via '''[http://owaspbrum.eventbrite.co.uk eventbrite]'''. You must register prior to the event. We have to supply KPMG a list of attendees 24 hours before the meeting. If all tickets are gone please request to go on the standby list.

'''Location:''' KPMG Offices Birmingham

One Snowhill

Snow Hill Queensway

Birmingham

West Midlands

B4 6GH

Massive thanks to [http://www.kpmg.com/UK/en/WhatWeDo/Advisory/risk-consulting/services/tech-risk/Pages/InformationProtectionBusinessResilience.aspx KPMG] who again are supporting OWASP and giving something back to the community.

'''Schedule: 18:00 for 18:20 start'''

'''18:20 - 18:30'''

OWASP Chapter introduction. OWASP values and membership. Chapter information.

OWASP Birmingham Chapter Leader

'''18:30 - 19:10'''

'''Talk 1:''' ''Agnitio: the security code review Swiss army knife''

Teaching developers to write secure code, helping security professionals find security flaws in source code, producing application security metrics and reports with integrity checks and audit trails. If you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and use.

This is far easier to talk about than it is to implement in the real world, where well structured SDLCs are rare and application security programmes are usually under funded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in Notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010.

In this demonstration-filled talk I will show how Agnitio can be used to address repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 80 application security questions and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports, bringing much needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.

Agnitio v2.1 will be demonstrated during this talk, which will show how Agnitio's already powerful feature set has been expanded to guidance and questions linked to the OWASP top 10 mobile risks as well as the ability to decompile and analyse Android applications.

'''Speaker''' ''David Rook, Application Security Lead - Realex Payments Ltd''

'''19:30 - 20:10'''

'''Talk 2:''' ''Mobile Security - The Tune is Different, The Dance is the Same''

Paco Hope will discuss what is fundamentally new about mobile applications, and what is fundamentally not new with respect to securing them. Looking at how the platforms work, their respective app stores, and the role of carriers and their security, we will understand four golden rules to ensuring secure use and development of mobile apps. Whether we are the app developer, security professional, or just someone trying to use their mobile securely, these four rules are important to know.

'''Speaker''' Paco Hope, Principal Consultant, Cigital

'''20:20 - 21:00'''

'''Talk 3:''' ''Mobile Application Security''

This talk will start by taking a look at the mobile applosion that we have all witnessed since the Apple App Store was launched on the 11th July 2008. Mobile users have downloaded over 25 billion mobile apps since that day, which is roughly 14,000 apps for every minute since Apple launched the App Store. Those kinds of numbers make it clear that mobile apps are big business and that we need to quickly understand how to secure these applications.

I will show how mobile manufacturers and network operators are now a big part of your threat models and how their approach to security could undermine your application security efforts.

The final part of the talk will focus on Android and iOS applications. I will give an overview of each platform as well as guidance on how you should approach security code reviews for Android and iOS applications.

'''Speaker''' ''David Rook, Application Security Lead - Realex Payments Ltd''

'''Speaker Bios'''

'''David Rook''' is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja (http://www.securityninja.co.uk).

In 2010 the Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft. David has recently become one of the first mentors in the Information Security Mentors project, helping young people progress their information security careers.

'''Paco Hope''' is a Principal Consultant with Cigital, Inc. and has 12 years of experience in mobile security, embedded security, web software security and operating system security. He has led numerous engagements assessing source code and implementations of mobile phones, lottery systems, casino gaming devices, smart cards and web applications. He is the co-author of The Web Security Testing Cookbook and Mastering FreeBSD and OpenBSD Security. Mr. Hope also serves on the Application Security Advisory Board of (ISC)2, acting as a subject matter expert for the Certified Information Systems Security Professional (CISSP) and the Certified Secure Software Lifecycle Professional (CSSLP).

== Past Events ==

[[Category:OWASP Chapter]]

[[Category:United Kingdom]]

Latest revision (wiki source):

{{Chapter Template|chaptername=Birmingham, UK|extra=Details of our Chapter Leaders are here [[Birmingham_Chapter_Leaders]] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-birmingham|emailarchives=http://lists.owasp.org/pipermail/owasp-birmingham}}

If you would like to submit a talk then please [https://docs.google.com/a/fishermansenemy.com/spreadsheet/viewform?formkey=dEtraldFSkh4YWxPWkxwdVFfcGNGRHc6MQ#gid=0 fill in this form].

OWASP is a charitable organisation. Our chapter meetings are free to attend but there are always costs associated with running them. Any amount of donation is appreciated and will be used entirely to enhance the chapter meetings: <paypal>Birmingham UK</paypal>

== Sponsors ==

Many thanks to our first silver sponsor, [https://www.hedgehogsecurity.co.uk/ Hedgehog Security].

[[File:Hedgehogsec.jpg|200px|thumb|left]]

= Next Meeting =

== Date ==

30th August at 18:30

== Location ==

Birmingham Science Park

Faraday Wharf, Holt Street,

Birmingham, B7 4BB, UK

== Tickets ==

'''Tickets''' at [http://owaspbrum.eventbrite.co.uk eventbrite]

== Talks ==

SC Magazine Rising Star award winner '''David Rook''' will be back in Birmingham to give this month's first talk.

'''Windows Phone 7 platform and application security overview'''

Windows Phone 7 is the latest mobile operating system from Microsoft and is the youngest of all the major smartphone operating systems. Since it was released in late 2010 it has gained a small share of the smartphone market, but this is likely to increase significantly with Nokia now using it as the OS for their flagship models.

The young age of the OS and the small market share means there has been very little security research carried out against this platform so far. This means that developers and security professionals are working with this platform without a detailed understanding of its security features and potential shortcomings.

Security should be part of the DNA of any application which stores or transmits sensitive data, but how many of the developers with published applications understand common mobile application security vulnerabilities and, more importantly, how many know how to prevent them in their own applications?

This presentation will detail the security features of Windows Phone 7 with an emphasis on how developers can produce Windows Phone 7 apps that are free from common mobile application security vulnerabilities.

This talk will start by looking at why we should care about mobile security, what the implications are for developers and security professionals, and how mobile manufacturers and network operators are now a big part of your threat models and how their approach to security could undermine your application security efforts.

I will then focus on the security model and features of Windows Phone 7 and how these features compare to those found in the iOS and Android operating systems.

The final part of this talk will focus on the types of vulnerabilities seen in mobile applications over the past few years and how developers can ensure their Windows Phone 7 apps are free from these vulnerabilities. This will include reviews of insecure and secure code samples from real world applications.

This talk will arm developers and security professionals with an understanding of the Windows Phone 7 security features and the guidance they need to produce secure Windows Phone 7 apps.

This talk will include demonstrations of Windows Phone 7 security tools that I'm developing, such as the Windows Phone App Analyser.

'''David Rook''' is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja.

The Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft and the SC Magazine Rising Star 2012. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser.

'''Jamie Riden''' will be giving a short talk on web application honeypots, from history to current work and how they can be of use in researching current techniques of attackers, and in protecting web servers from exploitation even in the face of programming failures.

The talk will include a live demo of a honeypot.

'''Jamie''' is a published security researcher, specifically in the field of honeypots. He is an active member of the Honeynet Project, having helped set up the current incarnation of the Project's web server, and has supervised students for various honeypot-related projects for the Google Summer of Code.

He has published several articles on the subject of honeypots, intrusion detection and incident response. He has contributed signatures to the community Snort signature project, http://www.emergingthreats.net/, and has written portions of code for the open source IDS Suricata.

== Participate ==

If you'd like to present at one of our meetings then don't forget to fill in the [https://docs.google.com/a/fishermansenemy.com/spreadsheet/viewform?formkey=dEtraldFSkh4YWxPWkxwdVFfcGNGRHc6MQ#gid=0 speaker form].

= Planned Chapter Meetings =

August 30th 2012 Venue: Birmingham Science Park

December 2012 Venue: TBC

= Past Events =

[[2012_06_06_Birmingham|6th June]]

[[2012_23_03_Birmingham|23rd March]]

[[2011_15_12_Birmingham|15th December]]

<headertabs />

[[Category:OWASP Chapter]]

[[Category:United Kingdom]]

Latest revision as of 02:40, 29 June 2012

OWASP Birmingham, UK

Welcome to the Birmingham, UK chapter homepage. Details of our Chapter Leaders are here: Birmingham_Chapter_Leaders
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now. If you would like to submit a talk then please fill in this form.

OWASP is a charitable organisation. Our chapter meetings are free to attend but there are always costs associated with running them. Any amount of donation is appreciated and will be used entirely to enhance the chapter meetings: donate funds to OWASP earmarked for Birmingham UK.

Sponsors

Many thanks to our first silver sponsor, Hedgehog Security.

[Image: Hedgehogsec.jpg, Hedgehog Security logo]

Date

30th August at 18:30

Location

Birmingham Science Park Faraday Wharf, Holt Street, Birmingham, B7 4BB, UK

Tickets

Tickets at eventbrite

Talks

SC Magazine Rising Star award winner David Rook will be back in Birmingham to give this month's first talk.

Windows Phone 7 platform and application security overview

Windows Phone 7 is the latest mobile operating system from Microsoft and is the youngest of all the major smartphone operating systems. Since it was released in late 2010 it has gained a small share of the smartphone market, but this is likely to increase significantly with Nokia now using it as the OS for their flagship models.

The young age of the OS and the small market share means there has been very little security research carried out against this platform so far. This means that developers and security professionals are working with this platform without a detailed understanding of its security features and potential shortcomings.

Security should be part of the DNA of any application which stores or transmits sensitive data, but how many of the developers with published applications understand common mobile application security vulnerabilities and, more importantly, how many know how to prevent them in their own applications?

This presentation will detail the security features of Windows Phone 7 with an emphasis on how developers can produce Windows Phone 7 apps that are free from common mobile application security vulnerabilities.

This talk will start by looking at why we should care about mobile security, what the implications are for developers and security professionals, and how mobile manufacturers and network operators are now a big part of your threat models and how their approach to security could undermine your application security efforts.

I will then focus on the security model and features of Windows Phone 7 and how these features compare to those found in the iOS and Android operating systems.

The final part of this talk will focus on the types of vulnerabilities seen in mobile applications over the past few years and how developers can ensure their Windows Phone 7 apps are free from these vulnerabilities. This will include reviews of insecure and secure code samples from real world applications.

This talk will arm developers and security professionals with an understanding of the Windows Phone 7 security features and the guidance they need to produce secure Windows Phone 7 apps.

This talk will include demonstrations of Windows Phone 7 security tools that I'm developing, such as the Windows Phone App Analyser.

David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja.

The Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft and the SC Magazine Rising Star 2012. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser.


Jamie Riden will be giving a short talk on web application honeypots, from history to current work and how they can be of use in researching current techniques of attackers, and in protecting web servers from exploitation even in the face of programming failures.

The talk will include a live demo of a honeypot.

Jamie is a published security researcher, specifically in the field of honeypots. He is an active member of the Honeynet Project, having helped set up the current incarnation of the Project's web server, and has supervised students for various honeypot-related projects for the Google Summer of Code.

He has published several articles on the subject of honeypots, intrusion detection and incident response. He has contributed signatures to the community Snort signature project, http://www.emergingthreats.net/, and has written portions of code for the open source IDS Suricata.

Participate

If you'd like to present at one of our meetings then don't forget to fill in the speaker form.

Planned Chapter Meetings

August 30th 2012 Venue: Birmingham Science Park

December 2012 Venue: TBC