OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
Mumbai Celebrates OWASP Day : OWASP Live 0
This is the Day of Worldwide OWASP One Day Conferences
Date: 6th September, 2007
Timing: 2:30 PM to 6:00 PM
Venue: HOTEL HEAVENS INDIA
Plot No A-1, Opposite SDF 4, SEEPZ, SEZ, ANDHERI (E)- MUMBAI - 400 096.
Registrations - LIMITED SEATS !!!
The event is FREE to attend. If you wish to attend, just send a mail with your name, organization, designation and contact number to dharmeshmm at mastek dot com to receive a confirmation.
Venue Entrance - GATE PASSES
- NOTE: The venue is inside an SEZ (Special Economic Zone). Entry to the SEZ is very restricted: visitors can only enter with a company gate pass. Gate passes for the event will be issued on behalf of MASTEK LTD as the host organization and must be collected from the SEEPZ SEZ Main Gate (Gate #1).
Vehicles (two-wheelers or four-wheelers), cameras, video recorders, laptops, CDs, DVDs or any other form of digital media are NOT ALLOWED inside the SEZ (venue). We are sorry for the inconvenience, but SEZ rules need to be strictly adhered to. The person distributing the gate passes will be Mr. Anil Raut – 9819355155.
Interested in speaking at the event?
1. The theme of the event is "Privacy in the 21st Century", so all talks should relate to it. We should address the web application side of privacy (for example, what happens to privacy with SQL Injection, XSS and issues like pdp's Snoop).
2. All events are recommended to hold the same panel discussion on the subject "What is the current state of Privacy in Web Application Security, and what should we be focusing on?".
3. Drop a mail to dharmeshmm at mastek dot com to confirm your presentation.
Global Security Week (GSW)
For more details on GSW see:
- http://www.globalsecurityweek.com/html/gsw_06.html (Resources)
And here is a description from one of the organizers:
The aim of Global Security Week is to raise security awareness amongst the public and organizations about issues relating to security, primarily information security. This year's theme is on the subject of privacy and we hope that a number of events will be held worldwide to promote people's awareness as to how to protect their privacy when online and also educate companies on their responsibilities, both legally and morally, when it comes to protecting the privacy of their customers. Global Security Week is a totally voluntary initiative and we have no commercial funding or agenda. The initiative is funded entirely from the committee's own funds and time. We have people involved in Global Security Week throughout the world and during the week we have events planned in different regions. For example, here in Ireland I plan to run a free seminar on the above topic open to anyone who wishes to attend.
We ask that those who wish to become involved help promote Global Security Week in their region, either by running specific events dedicated to Global Security Week, taking part in events already planned or simply making people aware that the week is on and the topic is "Privacy in the 21st Century". Even simply making people aware of Global Security Week and directing them to the website is a great help. Not having commercial funding, we depend on word of mouth and like-minded individuals to make people aware of the week.
Summary of OWASP Mumbai Chapter Meetings Held To-Date
Topics presented to date:
1. Secure coding fundamentals - Richard Lewis, Tech Mahindra
2. Threat Analysis and Modeling - Dharmesh Mehta, Mastek
3. 5 ways to lose your user's password - Shalini Gupta, Runa Dwibedi - Paladion Networks
4. Significance of Random Numbers in Application Security - Richard Lewis, Tech Mahindra
5. Defeating Java Decompilation - Girish Kulkarni, Tech Mahindra
6. /GS Security Check in Visual Studio - Chanda Dutta et al, Tech Mahindra
Roster of OWASP Speakers with Profiles
1. Anuradha Srinivasan, Technical Analyst with Mastek, is working with the Application Security Assurance Team for the last 6 months. She has 2.5 years of experience in Java development. She is currently involved in conducting Security Assessments and trainings for projects across Mastek.
2. Richard Lewis, Senior Security Consultant with Tech Mahindra, has 8 years of information security experience. Before joining Tech Mahindra, he worked for Tata Consultancy Services (TCS). Richard works in the e-security group of Tech Mahindra and is building a security fabric for secure software development. Richard has a programming background in C, C++, device drivers and MFC. Richard has led the development of two nation-level PKI deployments (India, UK). He has also led the development of a desktop encryptor, authentication SDK and cryptographic SDK. Richard is married, lives with his wife and daughter in busy Mumbai and loves to read the Bible and engage in church outreach work. Richard maintains a blog on application security at http://SecureApps.Blogspot.com
3. Dharmesh M Mehta, Technical Analyst with Mastek, has been with the Application Security Assurance Team for around 2 years. He is involved in conducting security assessments, threat modeling and security workshops for the developer community. He is also a Certified Ethical Hacker. Dharmesh is the Chapter Leader for the OWASP Mumbai Chapter. You can read Dharmesh's blog on Smart Security at http://smartsecurity.blogspot.com
4. Shalini Gupta, Associate Security Consultant at Paladion. She completed her MPIT (Network Specialization) from SCIT in 2005. She has more than 1.5 years of experience in the application security field with Paladion. Among her other contributions in the area of application security is a 2-part series on SSL that Shalini wrote for Palisade, the application security journal for developers.
5. Runa Dwibedi, Associate Consultant at Paladion. She is a certified BS7799 Lead Auditor. She completed her MCA from Bangalore University and also holds an MBA degree from SCDL, Pune. She has 1.5 years of experience in the development of security tools and 1 year of experience in the application security field. She is also actively involved in writing and publishing articles for Palisade.
6. Girish Kulkarni has 2.5 years of information security experience. Before joining Tech Mahindra, he was employed with Tata Consultancy Services (TCS). Girish currently works in the Enterprise DRM group as a Technical Associate and is part of the DRM product development team. Girish has a programming background in Java and is also proficient in Java Swing. He has been involved in a very large PKI deployment for the Indian government.
7. Chanda Dutta, Divya Makhija, Sugita Kumari, Upma Sharma – Trainees pursuing PGDM-Software Development and Management from Symbiosis Centre for Information Technology. Upma is pursuing PGDM-Systems from the same institute. They work in the Secure Software Engineering practice at Tech Mahindra.
Minutes of Meeting - Monday July 31st 2006 [03:00 PM - 5:00 PM]
The second OWASP Mumbai Chapter Meet was held at the Tech Mahindra premises in Chandivali. Mr. Richard, on behalf of Tech Mahindra, gave a warm welcome to all the delegates to the second OWASP Mumbai Local Chapter meet. Accompanying him, Mr. Dharmesh of Mastek Ltd, the Mumbai Chapter Head, gave a brief description of the goals of the OWASP Mumbai Chapter and the road ahead.
1. Significance of Random Numbers in Application Security: Richard Lewis, e-Security Consultant with Tech Mahindra, started with the practical uses of random numbers. He explained how good random number generation prevents applications from malfunctioning and strengthens cryptographic operations, since the entropy of a key depends on the quality of the randomness behind it. He went on to explain how random numbers automate otherwise manual tasks and how they increase the security of an application. He explained the concept of entropy and what level of it an application should reach. In the end he talked about the various sources of random numbers, and showed developers the simple mathematics required to calculate minimum password lengths given the security requirements.
2. Java Decompilation: Girish Kulkarni, e-Security Consultant with Tech Mahindra, walked through Java decompilation utilities and techniques to defeat decompilation. Use of obfuscators, bytecode encryptors/decryptors and generating native executables from source were some of the techniques he explained.
3. /GS Security Check in Visual Studio: Chanda Dutta, Divya Makhija, Sugita Kumari and Upma Sharma from Tech Mahindra presented the usage of the /GS security check in Visual Studio. Chanda started the presentation with an introduction to the /GS Security Check feature of Visual Studio. She explained what the /GS Buffer Security Check is, the need for /GS and what it can prevent. Sugita further explained how /GS works, what a canary is and how using a canary can detect a buffer overrun. Upma then demonstrated a simulation of how a buffer overflow normally works and how it can be prevented. Divya explained the various limitations of /GS, including how its protection can be bypassed, and summarized the /GS Buffer Security Check features and functionalities.
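The password-length arithmetic from the first talk, worked through as an added example (not the presenter's code): entropy per character for a few character sets, the entropy needed to resist a given guessing rate over the password's lifetime, the resulting minimum length, and generation from a cryptographic source so that entropy is actually present. The guessing rate and lifetime are constructed assumptions.

```python
import math
import secrets
import string

# Character classes a password policy might allow (constructed for this example).
CHARSETS = {
    "digits": string.digits,                                                # 10 symbols
    "lower": string.ascii_lowercase,                                        # 26 symbols
    "alnum": string.ascii_letters + string.digits,                          # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation, # 94 symbols
}


def bits_per_char(charset: str) -> float:
    """Entropy (bits) contributed by one character chosen uniformly from charset."""
    return math.log2(len(charset))


def required_bits(guesses_per_second: float, lifetime_seconds: float,
                  success_probability: float = 0.5) -> float:
    """Entropy needed so an attacker guessing at guesses_per_second for the whole
    lifetime of the password has at most success_probability chance of finding it."""
    total_guesses = guesses_per_second * lifetime_seconds
    return math.log2(total_guesses / success_probability)


def min_password_length(charset: str, target_bits: float) -> int:
    """Smallest length L such that L * log2(|charset|) >= target_bits."""
    return math.ceil(target_bits / bits_per_char(charset))


def generate_password(charset: str, length: int) -> str:
    """Draw each character from the OS CSPRNG via secrets (not random.choice);
    with a weak generator the calculated entropy is not really in the password."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    # Constructed requirement: survive 10^9 guesses/s for 30 days with <= 50% success.
    target = required_bits(1e9, 30 * 24 * 3600)
    print(f"target entropy: {target:.1f} bits")
    for name, cs in CHARSETS.items():
        length = min_password_length(cs, target)
        print(f"{name:>9}: {bits_per_char(cs):.2f} bits/char -> min length {length}: "
              f"{generate_password(cs, length)}")
```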
Attendees will receive a PDF of the attendance sheet signed at the meeting.
Next Meeting - Monday July 31st 2006 [03:00 PM - 5:00 PM]
Registration for the event is free. If you wish to attend, just send a mail to email@example.com as a confirmation.
If you would like to speak at the event or sponsor, contact me ASAP.
Theme of Meeting: Securing Web Services
The meeting is scheduled on Monday, 31st July 2006 from 3:00 to 5:00 PM.
Venue and Sponsor Details:
Tech Mahindra Limited. Wing 1, Oberoi Estate Gardens, Chandivali, Andheri (E), Mumbai 400 072, Maharashtra, India.
If you would like to speak, please drop in a mail at firstname.lastname@example.org
CPE Credits for CISSPs
ISC2 has approved 1 CPE for each hour of an OWASP local chapter meeting.
The chapter leader will have a sign-up sheet with at least first name, last name, and the date of the OWASP meeting. After the meeting, the single sheet will be signed once by a chapter lead as proof of attendance, scanned into a PDF, and emailed out to the chapter members with the meeting minutes so they have a copy for their records and can claim CPE credits.
Minutes of Meeting - First Meeting - Saturday June 24th 2006 [09:30 - 12:00]
The first meeting of the Mumbai Chapter began with a welcome address by Anuradha. After a brief introduction to OWASP and its aims, Anuradha explained OWASP's focus as a voluntary organization that contributes knowledge by sharing it. She also briefed the attendees on the OWASP Top 10 Project and the OWASP Guide to Building Secure Applications.
Richard presented on Secure Coding Fundamentals and explained the costs incurred because of insecure code: network cost, productivity cost and so on. Explaining the basic sources of threats to code, he described how programmer mistakes in I/O, API abuse, environment and configuration, and time and state are responsible for security flaws in an application. Richard then laid down a few principles to be followed for secure coding: general guidelines for all languages and specific secure coding guidelines for C and C++, Java and .NET.
Richard's Presentation Download
In the Threat Analysis and Modeling Process, Dharmesh explained the steps of the threat modeling process, starting from defining the application requirements and the application architecture, then modeling threats against the CIA (confidentiality, integrity, availability) basics of security. The aim is to gather the information needed from application development teams in order to identify the potential threats inherent in the software they build, starting from the very inception of the software. Demonstrating the Threat Analysis and Modeling Tool v2.0 with a basic example of its functionality, Dharmesh presented threat modeling in a real scenario.
Dharmesh's Presentation Download
Shalini and Runa explained how passwords can be lost or manipulated in real-life scenarios and the countermeasures to be taken to avoid it. The topics covered included stealing passwords using different methods: the browser's refresh, the browser's memory, the remember-password feature, the forgot-password feature and, last but not least, SQL injection. The browser's viewing tool gave a clear picture of how easily a password could be cracked.
Shalini and Runa's Presentation Download
Mumbai Chapter - First Meeting - Saturday June 24th 2006 [09:30 - 12:00]
Everyone is welcome to join us at our regular chapter meetings.
Time: 9:30 AM - 12:00 PM
If you have any items you want added to the agenda, post your ideas to our mailing list.
If you would like to speak at the event or sponsor, contact Dharmesh M Mehta before 20th June.
1. 09:30 - 09:45 Introduction : Anuradha Srinivasan, Mastek
2. 09:45 - 10:30 Secure Coding Fundamentals : Richard Lewis, Tech Mahindra
10:30 - 11:00 Food and Beverages
3. 11:00 - 11:30 Threat Modeling : Dharmesh M Mehta, Mastek
4. 11:30 - 12:00 5 ways to lose your user's password : Shalini Gupta and Runa Dwibedi, Paladion Networks
Venue and Sponsor Details:
Mastek Millennium Center, A-7 Sec-I Millennium Business Park,
Mahape, Navi Mumbai - 400 710.
Please contact Dharmesh M Mehta before 23rd June if you are attending the meeting.
OWASP Moves to MediaWiki Portal - 11:23, 20 May 2006 (EDT)
OWASP is pleased to announce the arrival of OWASP 2.0!
OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!