Difference between revisions of "Cambridge"

From OWASP
(Added 1st speaker slides for 4th April - Leum Dunn)
 
(69 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Chapter Template|chaptername=Cambridge|extra=The chapter leader is [mailto:Adrian.Winckles@owasp.org Adrian Winckles ].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Cambridge|emailarchives=http://lists.owasp.org/pipermail/owasp-Cambridge}}
+
{{Chapter Template|chaptername=Cambridge|extra=The chapter leaders are [mailto:Adrian.Winckles@owasp.org Adrian Winckles ]  and [mailto:Steven.van.der.Baan@owasp.org Steven van der Baan].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Cambridge|emailarchives=http://lists.owasp.org/pipermail/owasp-Cambridge}}
  
== Local News ==
+
<!-- first tab -->
 +
= Local News =
 +
==='''Local News'''===
  
'''Meeting Location'''
+
'''OWASP Cambridge Chapter “Goats, Droids and Software Chains” Seminar'''
  
Everyone is welcome to join us at our chapter meetings.
+
Tuesday 4th April 2017 17:30 – 20:30, Lord Ashcroft Building (LAB003), Anglia Ruskin University, Cambridge.
  
[[Category:OWASP Chapter]]
+
Hosted by the Department of Computing & Technology, Anglia Ruskin University & OWASP (Open Web Application Security Project) Cambridge Chapter
[[Category:United Kingdom]]
+
 
 +
Buffet & Refreshments kindly sponsored by Sonatype.
 +
 
 +
'''Präsentation'''
 +
 
 +
'''Guest speaker: Bruce Mayhew, OWASP Webgoat Project Leader & Director of Security Research, Sonatype.''' 
 +
 
 +
'''Biography - Bruce Mayhew'''
 +
 
 +
Bruce is the OWASP Project Lead for Webgoat, one of the authors of the SANS GIAC Java Security Certification Exam, and is Director of Security Research and Development at Sonatype with over 20 years of software development experience, 13 years of which have been focused on application security. He has performed code-level security assessments for hundreds of applications, created application security programs and training curriculums for large institutions, and has been a Web Application Security Course instructor for the SANS Institute. Previous roles include IBM with a focus on Static Analysis following the acquisition of Ounce Labs where he was Director for Advanced Security Research.
 +
 
 +
'''Abstract – “Webgoat”'''
 +
 
 +
In Depth Technical overview of OWASP WebGoat, a deliberately insecure web application designed to teach web application security and provide an understanding of security issues by exploiting real vulnerabilities, including Open Source libraries - the project started 10 years ago and has had over 1,000,000 downloads. There are currently over 30 lessons, including those dealing with issues such as Cross-site Scripting (XSS), Access Control, Thread Safety, Hidden Form Field Manipulation, Parameter Manipulation, Weak Session Cookies, Blind SQL Injection, Numeric SQL Injection, String SQL Injection, Web Services and Fail Open Authentication.
 +
 
 +
'''Guest Speaker:  Leum Dunn CISSP C|EH CISMP MBCS, Redacted'''
 +
 
 +
'''Biography:''' Leum Dunn
 +
 
 +
Leum specialises in endpoint security and works for REDACTED in the East of England.
 +
 
 +
'''Abstract: “A day in the life of a script kiddie – pwning Android for the lulz”'''
 +
 
 +
This informal talk aims to demonstrate the sort of access an attacker of only modest skill could get to an Android device. Useful to anyone with an interest in security or who is considering a BYOD policy for their company. Very little technical knowledge is required and Leum encourages questions throughout.
 +
 
 +
'''Guest Speaker: Brian Fox, Chief Technical Officer, Sonatype'''
 +
 
 +
'''Biography: Brian Fox'''
 +
 
 +
Brian is Chief Technical Officer at Sonatype. He has extensive open source experience as a member of the Apache Software Foundation and former Chair of the Apache Maven project. Brian was a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organisations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.
 +
 
 +
'''Abstract – “Secure Supply Chains”'''
 +
 
 +
Today, more and more open source is consumed by developers. We saw last week when Apache disclosed the latest Struts2 vulnerability with a CVSS score of 9.8, that we need to ensure that we are consuming secure open source libraries in our software development processes - we should treat it as a supply chain. We studied the patterns and practices exhibited by 3,000 high-performance software development organisations, teams around the world are consuming BILLIONS of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 components they are using include known security vulnerabilities. This session aims to enlighten application security and development professionals by sharing results from the State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis, specifically:
 +
 
 +
·      What our analysis of 25,000 applications reveals about the quality and security of software built with open source components?
 +
 
 +
·      How organizations like Exxon, Capital One and Intuit are utilising the principles of software supply chain automation to improve application security?
 +
 
 +
·      Why avoiding open source components over 3 years old might be a really good idea?
 +
 
 +
·      How to balance the need for speed with quality and security -- early in the development lifecycle?
 +
 
 +
Also listen to Brian talk about the struts 2 vulnerability announcement, how you can determine if you're affected, what you can do about it and how a secure supply chain would mitigate the risk.
 +
 
 +
'''Background'''
 +
 
 +
OWASP (Open Web Application Security Project is a 501(c)(3) not-for-profit worldwide charitable organisation focused on improving the security of application software. Their mission is to make application security visible, so that people and organisations can make informed decisions about true application security risks.
 +
 
 +
The Department of Computing & Technology at Anglia Ruskin University is enhancing its curricula and capabilities in information security following its successful BSc(Hons) Information Security and Forensic Computing pathway. Establishing a joint professional networking group with OWASP concentrating on aspects of computing and application security is a key part of this enhancement. A key aim the department is working towards is developing a MSc Information Security specialising in Application Security and as part of this activity looking to develop and a local Information Security Student Society.
 +
 
 +
'''Agenda'''
 +
 
 +
17:30 – 17:45 Welcome from the OWASP Cambridge Chapter Leader, Adrian Winckles, Course Leader in Information Security & Forensic Computing, Anglia Ruskin University
 +
 
 +
17:45 - 18:30 Talk from Bruce Mayhew, Sonatype & OWASP Project Leader “Webgoat"
 +
 
 +
18:30 - 19:15 Talk from Leum Dunn, Redacted, “A day in the life of a script kiddie – pwning Android for the lulz”
 +
 
 +
19:15 – 20:00 Talk from Brian Fox, Sonatype, “'''Secure Supply Chains”'''
 +
 
 +
20:00 – 20:30 Refreshments & Networking in LAB006 (Kindly sponsored by Sonatype)
 +
 
 +
'''Registration'''
 +
 
 +
To register for this free event, please register online at
 +
 
 +
<nowiki>https://www.eventbrite.com/e/owasp-cambridge-chapter-goats-droids-and-software-chains-seminar-tickets-32973431421</nowiki>
 +
 
 +
The meeting will be held in the Lord Ashcroft Building, Room LAB003 (Breakout Room LAB006 for networking & refreshments).
 +
 
 +
Please enter through the Helmore Building and ask at reception.
 +
 
 +
Anglia Ruskin University, Cambridge Campus
 +
 
 +
East Road
 +
 
 +
Cambridge CB1 1PT
 +
 
 +
Get further information on travelling to the university.
 +
 
 +
<nowiki>http://www.anglia.ac.uk/ruskin/en/home/your_university/anglia_ruskin_campuses/ca</nowiki> mbridge_campus/find_cambridge.html
 +
----
 +
'''Planned dates for upcoming events'''
 +
 
 +
 
 +
Thursday 19th January 2017
 +
 
 +
Wednesday 25th January 2017
 +
 
 +
Tuesday 7th February 2017
 +
 
 +
Tuesday 7th March 2017
 +
 
 +
Tuesday 4th April 2017
 +
<!-- second tab -->
 +
 
 +
= Past Events =
 +
{| class="wikitable" style="text-align:center;" border="1" |
 +
! width="300" | Date
 +
! width="350" | Name / Title
 +
! width="300" | Link
 +
|-
 +
| 4 April 2017
 +
| Leum Dunn - Redacted
 +
| [[Media:A day in the life of.pdf|presentation]]
 +
|--
 +
| 7 March 2017
 +
| Andrew Thompson - Checkmarx
 +
| [[Media:OWASP Cambridge - Checkmarx Software AppSec kit.pdf|presentation]]
 +
|--
 +
| 7 March 2017
 +
| John Haine IoT Security Foundation (Chair)
 +
| [[Media:Ambassador_IoTSF_Feb_2017_Intro_jlh.pdf|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Nick Alston CBE / PIER Chair
 +
| [[Media:Cyber session.pptx|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Mark Pearce/ 7Safe/PA Consulting
 +
| [[Media:PA GDPR 25 JANUARY 2017.pdf|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Martin Cassey / Nascenta
 +
| [[Media:2017-01-25,GDPR Readiness-Handout.pdf|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Paul Rowley FBCS / Havebury Housing Association
 +
| [[Media:OWASP event 250117 Paul Rowley pres.pptx|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Laurence Kaleman / Legal Director, Olswang
 +
| [[Media:Olswang slides - GDPR and NIS Directive - accountability security and trust - 25 Jan 2017.pdf|presentation]]
 +
|-
 +
| 25 Jan 2017
 +
| Tony Drewitt / Head of Consultancy - IT Governance
 +
| [[Media:ITGGDPRNIS20170125v0.1.pdf|presentation]]
 +
|-
 +
| 19 Jan 2017
 +
| Tony Drewitt / Head of Consultancy - IT Governance
 +
| [[Media:ITG_IncidentResponse_20170119.pdf|presentation]]
 +
|-
 +
| 19 Jan 2017
 +
| Peter Yapp / NCSC Deputy Director - Incident Response
 +
| [[Media:NCSC slides.pdf|presentation]]
 +
|-
 +
| 19 Jan 2017
 +
| Martin Cassey / Nascenta
 +
| [[Media:Nascenta-IM-handout.pdf|presentation]]
 +
|-
 +
| 10 Nov 2016
 +
| Graham Rymer /  University of Cambridge
 +
|
 +
|-
 +
| 10 Nov 2016
 +
| Mark Wickenden
 +
|
 +
|-
 +
| 12 05 2016
 +
| Phil Cobley / Modern Policing & the Fight Against Cyber Crime
 +
| [[Media:Cyber_Threat_Presentation_-_ARU_Cyber_Resilience_-_May_2016.pdf|presentation]]
 +
|-
 +
| 12 05 2016
 +
| Jules Pagna Disso / Building a resilient ICS
 +
| [[MEdia:Building_a_resilient_ICS.pdf|presentation]]
 +
|-
 +
| 08 03 2016
 +
|  Andrew Lee-Thorp / So you want to use a WebView? Android WebView: Attack and Defence
 +
|
 +
|-
 +
| 10 11 2015
 +
| Steve Lord / Trying (and failing) to secure the Internet of Things
 +
|
 +
|-
 +
|
 +
| John Mersh / Software and System Security: a life vest in the IoT ocean
 +
|
 +
|-
 +
| 10 Oct 2015
 +
| Sumit "sid" Siddharth / Some neat, new and ridiculous hacks from our vault
 +
|
 +
|-
 +
| 10 Feb 2015
 +
| Steven van der Baan / Web Application Security Testing with Burp Suite
 +
|
 +
|-
 +
|  2 December 2014
 +
| Colin Watson / OWASP Cornucopia
 +
|
 +
|-
 +
| 21 October 2014
 +
| Eireann Leverett
 +
| [[Media:20141021-Eireann_Leverett-SwitchesGetStitches.pdf|presentation]]
 +
|-
 +
| 1st April 2014
 +
| Ian Glover (CREST) / Overview of the CREST activities to professionalise the industry.
 +
|
 +
|-
 +
|
 +
|  Yiannis Chrysanthou (KPMG) / Modern Password Cracking
 +
|
 +
|-
 +
|
 +
| Damien King (KPMG) / Filename Enumeration with TildeTool
 +
|
 +
|-
 +
| 12th November 2013
 +
| Paul Cain / Tracking Data using Forensics
 +
|
 +
|-
 +
| 12th November 2013
 +
| James Forshaw/ The Forger's Art: Exploiting XML Digital Signature Implementations
 +
| [[Media:20131112-James_Forshaw-the_forgers_art-james_forshaw-breakpoint2k13.pdf|presentation]]
 +
|-
 +
| 5th March 2013
 +
| Sarantis Makoudis / Android (in)Security
 +
| [[Media:20130305-sarantis.pdf|presentation]]
 +
|-
 +
| 5th March 2013
 +
| Nikhil Sreekumar / Power On, Powershell
 +
| [http://www.slideshare.net/Roo7break/power-on-powershell presentation]
 +
|}
 +
 
 +
<!-- Don't remove this tag -->
 +
__NOTOC__
 +
<headertabs></headertabs>
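Review bot: the `</nowiki>` in the campus link is placed mid-path, so the rendered URL ends at `.../anglia_ruskin_campuses/ca` and the remainder `mbridge_campus/find_cambridge.html` is emitted as plain text after it; move `</nowiki>` to the end of the URL. Two smaller wording points in the same hunk: the heading `'''Präsentation'''` is German on an otherwise English page (`'''Presentation'''`), and the Background paragraph opens `OWASP (Open Web Application Security Project is` without the closing parenthesis. In the Past Events table, two row separators are written `|--` where every other row uses `|-`, one link is written `[[MEdia:` rather than `[[Media:`, and the John Mersh and two KPMG rows have empty Date cells; the agenda line `“'''Secure Supply Chains”'''` also nests the bold markup across the closing quote. All are worth normalising before the next revision.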

Latest revision as of 03:32, 24 April 2017

OWASP Cambridge

Welcome to the Cambridge chapter homepage. The chapter leaders are Adrian Winckles and Steven van der Baan.
To join the local chapter mailing list, see http://lists.owasp.org/mailman/listinfo/owasp-Cambridge.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.


Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now

Local News

OWASP Cambridge Chapter “Goats, Droids and Software Chains” Seminar

Tuesday 4th April 2017 17:30 – 20:30, Lord Ashcroft Building (LAB003), Anglia Ruskin University, Cambridge.

Hosted by the Department of Computing & Technology, Anglia Ruskin University & OWASP (Open Web Application Security Project) Cambridge Chapter

Buffet & Refreshments kindly sponsored by Sonatype.

Presentation

Guest speaker: Bruce Mayhew, OWASP Webgoat Project Leader & Director of Security Research, Sonatype. 

Biography - Bruce Mayhew

Bruce is the OWASP Project Lead for Webgoat, one of the authors of the SANS GIAC Java Security Certification Exam, and is Director of Security Research and Development at Sonatype with over 20 years of software development experience, 13 years of which have been focused on application security. He has performed code-level security assessments for hundreds of applications, created application security programs and training curriculums for large institutions, and has been a Web Application Security Course instructor for the SANS Institute. Previous roles include IBM with a focus on Static Analysis following the acquisition of Ounce Labs where he was Director for Advanced Security Research.

Abstract – “Webgoat”

In-depth technical overview of OWASP WebGoat, a deliberately insecure web application designed to teach web application security and provide an understanding of security issues by exploiting real vulnerabilities, including those in open source libraries. The project started 10 years ago and has had over 1,000,000 downloads. There are currently over 30 lessons, including ones dealing with issues such as Cross-site Scripting (XSS), Access Control, Thread Safety, Hidden Form Field Manipulation, Parameter Manipulation, Weak Session Cookies, Blind SQL Injection, Numeric SQL Injection, String SQL Injection, Web Services and Fail Open Authentication.

Guest Speaker: Leum Dunn CISSP C|EH CISMP MBCS, Redacted

Biography: Leum Dunn

Leum specialises in endpoint security and works for REDACTED in the East of England.

Abstract: “A day in the life of a script kiddie – pwning Android for the lulz”

This informal talk aims to demonstrate the sort of access an attacker of only modest skill could get to an Android device. Useful to anyone with an interest in security or who is considering a BYOD policy for their company. Very little technical knowledge is required and Leum encourages questions throughout.

Guest Speaker: Brian Fox, Chief Technical Officer, Sonatype

Biography: Brian Fox

Brian is Chief Technical Officer at Sonatype. He has extensive open source experience as a member of the Apache Software Foundation and former Chair of the Apache Maven project. Brian was a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin. He has over 15 years of experience driving the vision behind, as well as developing and leading the development of software for organisations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

Abstract – “Secure Supply Chains”

Today, more and more open source is consumed by developers. Apache's disclosure last week of the latest Struts2 vulnerability, with a CVSS score of 9.8, showed that we need to ensure we are consuming secure open source libraries in our software development processes; we should treat them as a supply chain. We studied the patterns and practices exhibited by 3,000 high-performance software development organisations: teams around the world are consuming billions of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 of the components they use include known security vulnerabilities. This session aims to enlighten application security and development professionals by sharing results from the State of the Software Supply Chain Report, a blend of public and proprietary data with expert research and analysis, specifically:

· What our analysis of 25,000 applications reveals about the quality and security of software built with open source components.

· How organisations like Exxon, Capital One and Intuit are utilising the principles of software supply chain automation to improve application security.

· Why avoiding open source components over 3 years old might be a really good idea.

· How to balance the need for speed with quality and security, early in the development lifecycle.

Also listen to Brian talk about the Struts 2 vulnerability announcement, how you can determine if you're affected, what you can do about it and how a secure supply chain would mitigate the risk.

Background

OWASP (Open Web Application Security Project) is a 501(c)(3) not-for-profit worldwide charitable organisation focused on improving the security of application software. Its mission is to make application security visible, so that people and organisations can make informed decisions about true application security risks.

The Department of Computing & Technology at Anglia Ruskin University is enhancing its curricula and capabilities in information security following its successful BSc (Hons) Information Security and Forensic Computing pathway. Establishing a joint professional networking group with OWASP concentrating on aspects of computing and application security is a key part of this enhancement. A key aim the department is working towards is developing an MSc Information Security specialising in Application Security, and as part of this activity it is looking to develop a local Information Security Student Society.

Agenda

17:30 – 17:45 Welcome from the OWASP Cambridge Chapter Leader, Adrian Winckles, Course Leader in Information Security & Forensic Computing, Anglia Ruskin University

17:45 – 18:30 Talk from Bruce Mayhew, Sonatype & OWASP Project Leader, “Webgoat”

18:30 – 19:15 Talk from Leum Dunn, Redacted, “A day in the life of a script kiddie – pwning Android for the lulz”

19:15 – 20:00 Talk from Brian Fox, Sonatype, “Secure Supply Chains”

20:00 – 20:30 Refreshments & Networking in LAB006 (kindly sponsored by Sonatype)

Registration

To register for this free event, please sign up online at

https://www.eventbrite.com/e/owasp-cambridge-chapter-goats-droids-and-software-chains-seminar-tickets-32973431421

The meeting will be held in the Lord Ashcroft Building, Room LAB003 (Breakout Room LAB006 for networking & refreshments).

Please enter through the Helmore Building and ask at reception.

Anglia Ruskin University, Cambridge Campus

East Road

Cambridge CB1 1PT

Get further information on travelling to the university.

http://www.anglia.ac.uk/ruskin/en/home/your_university/anglia_ruskin_campuses/cambridge_campus/find_cambridge.html


Planned dates for upcoming events

Thursday 19th January 2017

Wednesday 25th January 2017

Tuesday 7th February 2017

Tuesday 7th March 2017

Tuesday 4th April 2017

Past Events

{| class="wikitable" style="text-align:center;" border="1"
! width="300" | Date
! width="350" | Name / Title
! width="300" | Link
|-
| 4 April 2017
| Leum Dunn - Redacted
| [[Media:A day in the life of.pdf|presentation]]
|-
| 7 March 2017
| Andrew Thompson - Checkmarx
| [[Media:OWASP Cambridge - Checkmarx Software AppSec kit.pdf|presentation]]
|-
| 7 March 2017
| John Haine / IoT Security Foundation (Chair)
| [[Media:Ambassador_IoTSF_Feb_2017_Intro_jlh.pdf|presentation]]
|-
| 25 January 2017
| Nick Alston CBE / PIER Chair
| [[Media:Cyber session.pptx|presentation]]
|-
| 25 January 2017
| Mark Pearce / 7Safe / PA Consulting
| [[Media:PA GDPR 25 JANUARY 2017.pdf|presentation]]
|-
| 25 January 2017
| Martin Cassey / Nascenta
| [[Media:2017-01-25,GDPR Readiness-Handout.pdf|presentation]]
|-
| 25 January 2017
| Paul Rowley FBCS / Havebury Housing Association
| [[Media:OWASP event 250117 Paul Rowley pres.pptx|presentation]]
|-
| 25 January 2017
| Laurence Kaleman / Legal Director, Olswang
| [[Media:Olswang slides - GDPR and NIS Directive - accountability security and trust - 25 Jan 2017.pdf|presentation]]
|-
| 25 January 2017
| Tony Drewitt / Head of Consultancy - IT Governance
| [[Media:ITGGDPRNIS20170125v0.1.pdf|presentation]]
|-
| 19 January 2017
| Tony Drewitt / Head of Consultancy - IT Governance
| [[Media:ITG_IncidentResponse_20170119.pdf|presentation]]
|-
| 19 January 2017
| Peter Yapp / NCSC Deputy Director - Incident Response
| [[Media:NCSC slides.pdf|presentation]]
|-
| 19 January 2017
| Martin Cassey / Nascenta
| [[Media:Nascenta-IM-handout.pdf|presentation]]
|-
| 10 November 2016
| Graham Rymer / University of Cambridge
|
|-
| 10 November 2016
| Mark Wickenden
|
|-
| 12 May 2016
| Phil Cobley / Modern Policing & the Fight Against Cyber Crime
| [[Media:Cyber_Threat_Presentation_-_ARU_Cyber_Resilience_-_May_2016.pdf|presentation]]
|-
| 12 May 2016
| Jules Pagna Disso / Building a resilient ICS
| [[Media:Building_a_resilient_ICS.pdf|presentation]]
|-
| 8 March 2016
| Andrew Lee-Thorp / So you want to use a WebView? Android WebView: Attack and Defence
|
|-
| 10 November 2015
| Steve Lord / Trying (and failing) to secure the Internet of Things
|
|-
|
| John Mersh / Software and System Security: a life vest in the IoT ocean
|
|-
| 10 October 2015
| Sumit "sid" Siddharth / Some neat, new and ridiculous hacks from our vault
|
|-
| 10 February 2015
| Steven van der Baan / Web Application Security Testing with Burp Suite
|
|-
| 2 December 2014
| Colin Watson / OWASP Cornucopia
|
|-
| 21 October 2014
| Eireann Leverett
| [[Media:20141021-Eireann_Leverett-SwitchesGetStitches.pdf|presentation]]
|-
| 1 April 2014
| Ian Glover (CREST) / Overview of the CREST activities to professionalise the industry
|
|-
|
| Yiannis Chrysanthou (KPMG) / Modern Password Cracking
|
|-
|
| Damien King (KPMG) / Filename Enumeration with TildeTool
|
|-
| 12 November 2013
| Paul Cain / Tracking Data using Forensics
|
|-
| 12 November 2013
| James Forshaw / The Forger's Art: Exploiting XML Digital Signature Implementations
| [[Media:20131112-James_Forshaw-the_forgers_art-james_forshaw-breakpoint2k13.pdf|presentation]]
|-
| 5 March 2013
| Sarantis Makoudis / Android (in)Security
| [[Media:20130305-sarantis.pdf|presentation]]
|-
| 5 March 2013
| Nikhil Sreekumar / Power On, Powershell
| [http://www.slideshare.net/Roo7break/power-on-powershell presentation]
|}