EUTour2013 Cambridge Agenda

From OWASP

Page history: created from the EUTour2013 header template; latest edit marked as minor, "Registration Details Added Again" (13 intermediate revisions by 2 users not shown).

Latest revision as of 09:08, 10 May 2013


OWASP EUROPE TOUR 2013


CONFERENCE AND TRAINING

OWASP Europe Tour - Cambridge 2013

Monday 13th May (Conference)

DESCRIPTION
The OWASP Europe Tour is a series of events across the European region that promotes awareness of application security, so that people and organizations can make informed decisions about the true application security risks they face. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
  • Apart from the OWASP Top 10, most OWASP projects are not widely used or understood. In most cases this is not due to a lack of quality or usefulness of those document and tool projects, but to a lack of understanding of where they fit in an enterprise's security ecosystem or in the web application development life-cycle.
  • This event aims to change that by presenting a selection of mature, enterprise-ready projects together with practical examples of how to use them.
OWASP MEMBERSHIP
During the OWASP Europe Tour you can become a member and support our mission.

Become an OWASP member by clicking here: https://www.cvent.com/Events/ContactPortal/Login.aspx?cwstub=15bbcfd1-f49b-4636-ba4e-c9ce70a265e5


CONFERENCE (Monday 13th May)

Date: Monday 13th May
Venue Location: Anglia Ruskin University (Cambridge) - Lord Ashcroft Building - Room LAB002
Venue Address: East Road, Cambridge, CB1 1PT
Venue Map: Anglia Ruskin University - Getting to Cambridge (http://www.anglia.ac.uk/ruskin/en/home/your_university/anglia_ruskin_campuses/cambridge_campus/find_cambridge.html)

Price and registration
This event is FREE.
Registration Link to the Europe Tour: OWASP Cambridge Chapter Registration (https://www.surveymonkey.com/s/OWASP-Tour-May2013)



Conference Details (Monday 13th May)

Each entry gives the start time and duration, the title, the speaker and the talk description.

11:00 (45 mins)
Title: Registration

11:45 (15 mins)
Title: Introduction & Welcome
Speaker: Adrian Winckles - OWASP Cambridge Chapter Leader & Senior Lecturer
Description: Introduction to OWASP & Anglia Ruskin University; schedule for the day.

12:00 (45 mins)
Title: Real Costs of Cybercrime
Speaker: Ross Anderson (Cambridge University)
Description: This talk follows a systematic study of the costs of cybercrime, prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs, both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now "cyber" because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes, such as the provision of botnets, which facilitate other crimes rather than being used to extract money from victims directly.

12:45 (45 mins)
Title: Three Legged Cybercrime Investigation and its Implications
Speaker: DI Stewart Garrick (Metropolitan Police eCrime Unit)
Description: DI Stewart Garrick has over 27 years' experience in the Metropolitan Police Service, 22 years as a detective and 10 years as a Detective Inspector. His career has been spent primarily on major crime units engaged in both proactive and reactive investigations, including 5 years investigating murders, 3 years on the Homicide Task Force (a proactive unit targeting those who would commit murder) and 5 years managing covert operations against organised crime. In March 2011 he joined Scotland Yard's Police Central eCrime Unit. He has witnessed the PCeU's growth from 40 officers to over 100 and has managed several high-profile investigations. He has recently taken charge of the unit's cadre of police and civilian forensic examiners, who are integrated into the unit's dynamic investigative model. This year he completed an MSc in Countering Organised Crime and Terrorism at UCL, with a dissertation examining the emergence of radicalising settings based on Situational Action Theory.

13:30 (45 mins)
Title: OWASP Mobile Top 10
Speaker: Justin Clarke - London OWASP Chapter Leader
Description: The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

As part of the overall Mobile Project, the Top 10 Mobile Risks are:
  • M1: Insecure Data Storage
  • M2: Weak Server Side Controls
  • M3: Insufficient Transport Layer Protection
  • M4: Client Side Injection
  • M5: Poor Authorization and Authentication
  • M6: Improper Session Handling
  • M7: Security Decisions Via Untrusted Inputs
  • M8: Side Channel Data Leakage
  • M9: Broken Cryptography
  • M10: Sensitive Information Disclosure

14:15 (45 mins)
Title: Refreshments & Networking
Location: LAB107

15:00 (45 mins)
Title: Everything We Know is Wrong
Speaker: Eoin Keary - OWASP Global Committee
Description: The premise behind this talk is to challenge both the technical controls we recommend to developers and our actual approach to testing. This talk is sure to challenge the status quo of web security today.

"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein

We continue to rely on a "pentest" to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? Our testing methodologies are inconsistent and rely on the individual and the tools they use. Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same: it's all code injection theory! Why do we do this and make security bugs over-complex?

Why are we still happy with "testing security out" rather than the superior "building security in"?

15:45 (45 mins)
Title: Tricolour Alphanumerical Spaghetti
Speaker: Colin Watson - OWASP Project Leader
Description: Do you know your "A, B, Cs" from your "1, 2, 3s"?

Is "red" much worse than "orange", and why is "yellow" used instead of "green"?

Just what is a "critical" vulnerability? Is "critical" the same as "very high"?

How do PCI DSS "level 4 and 5" security scanning vulnerabilities relate to application weaknesses?

Does a "tick" mean you passed? Are you using CWE and CVSS? Is a "medium" network vulnerability as dangerous as a "medium" application vulnerability? Can CWSS help?

What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is "one" vulnerability?

Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings more meaningfully, or receive test reports and want to better understand the results, or are just new to ranking weaknesses/vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked, information-only ("grey" or "blue"?) findings might contain some of the best value information.

16:30 (45 mins)
Title: Secure Coding: Some Simple Steps Help
Speaker: Steven van der Baan - OWASP Cambridge
Description: Secure coding is often perceived as difficult and complex. While it is true that 'good security' should be embedded into the design, there are a couple of steps a developer can take which lead to a more secure application. In this presentation we will go through the basics of secure application development and demonstrate the principles that help you build security into your application.
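The claim in Eoin Keary's abstract that XSS and SQL injection share a single root cause is easiest to see side by side in code. The following is an added example, not material from this OWASP page or from any of the speakers: untrusted input is concatenated into a string that a downstream interpreter (SQLite's SQL parser, a browser's HTML parser) will later parse, and the fix in each case is the one that matches that interpreter. It uses only the Python standard library; the in-memory user table, the user names and the two payloads are constructed for the demonstration, and the function names are the example's own.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not real users).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def seed_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


# --- SQL context -------------------------------------------------------

def lookup_role_vulnerable(db, name):
    """Root cause: untrusted `name` is spliced into SQL text, so the SQL
    parser cannot tell the data from the query."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_role_wrong_context(db, name):
    """A fix aimed at the wrong interpreter: HTML-encoding stops the quote
    from terminating the SQL string literal, but it also mangles legitimate
    names that contain a quote, so real users are no longer found."""
    sql = "SELECT role FROM users WHERE name = '" + html.escape(name, quote=True) + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_role_safe(db, name):
    """Correct fix for SQL: the query text is fixed and `name` travels as a
    bound parameter, which the SQL parser never interprets as code."""
    return [row[0] for row in db.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


# --- HTML context ------------------------------------------------------

def greet_vulnerable(name):
    """Same root cause in a different language: untrusted text spliced into
    markup that the browser's HTML parser will interpret."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    """Correct fix for the HTML text context: encode the characters the HTML
    parser treats as markup so the input stays data."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both contexts with the constructed payloads and return the results."""
    db = seed_db()
    sql_payload = "x' OR '1'='1"                 # closes the literal, adds a true predicate
    html_payload = "<script>alert(1)</script>"   # closes the text node, adds markup
    return {
        "sql_vulnerable": lookup_role_vulnerable(db, sql_payload),            # every role leaks
        "sql_safe": lookup_role_safe(db, sql_payload),                         # no such user: []
        "sql_wrong_context_legit_user": lookup_role_wrong_context(db, "o'brien"),  # []
        "sql_safe_legit_user": lookup_role_safe(db, "o'brien"),                # ['user']
        "html_vulnerable": greet_vulnerable(html_payload),                     # script reaches browser
        "html_safe": greet_safe(html_payload),                                  # rendered as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block prints each result: the vulnerable SQL lookup returns every role in the table for the injected name, the parameterised lookup returns nothing for it, and the HTML-encoded greeting renders the script tag as literal text. The `lookup_role_wrong_context` case is the practical caveat: applying an encoder meant for one interpreter to another can appear to block the payload while silently breaking legitimate input, which is why the fix has to be chosen per output context rather than by filtering characters at the input.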