Difference between revisions of "Newcastle"

From OWASP
(Link to presentation and video)
m
 
(50 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:mike.goodwin@owasp.org Mike Goodwin]
+
{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]
  
 
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}
 
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}
 +
= Upcoming Events  =
 +
'''Next Event:'''
  
= Next Meeting =
+
3rd December 2019 - Avalanche 2 CTF hosted by Pentest Limited - https://www.meetup.com/OWASP-Newcastle-Chapter/events/265874769/
  
After a longer than expected gap, i'm please to announce we are back with a great line up! As usual, pizza will be provided and entry is free.
+
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack].
  
First up we have Andrew Pannell "50 Million downloads and all I got was malware"
+
= Past Events  =
* How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too
+
'''2019 Dates'''
 +
----
  
Followed by Colin Watson "Security Requirements Identification using the OWASP Cornucopia Card Game" ([https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp presentation] and [http://youtu.be/Q_LE-8xNXVk how to play video])
+
23/09/2019 from 18:00 to 21:00 at Northumbria University, City Campus East
* [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia] is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal).
 
  
== When ==
+
'''Talk 1'''
  
Tuesday, August 23, 2016 from 6:00 PM to 9:00 PM (BST)
+
Title: Stalk Awareness - [https://www.owasp.org/images/2/25/OWASP-Newcastle.pdf Slides]
  
== Where ==
+
Speaker: Cian (@nscrutables)
  
The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF
+
Description: We often focus on nation states and corporation's role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed "stalkerware".
  
== Booking ==
+
This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I'll be examining these topics from both
  
Free, but please register so we know approximate numbers.
+
a technical and non-technical standpoint, based on many months of personal research.
  
[https://www.eventbrite.com/e/owasp-newcastle-august-2016-meeting-tickets-26777246465 Register]
+
'''Talk 2'''
  
There will be places for unregistered people too - just turn up.
+
Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - [https://www.owasp.org/images/c/cc/IntelligenceLedRiskManagement.pptx Slides]
  
= Upcoming Events  =
+
Speaker: Adam Pickering (<nowiki>https://twitter.com/Adam_P81</nowiki>)
  
Tuesday, August 23, 2016 from 6:00 PM to 9:00 PM (BST), The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF
+
Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors
 +
----13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park
  
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]
+
Red Team versus Blue Team event
  
= Past Events  =
+
'''Talk 1: Red Teaming a view from the field'''
  
'''2015 Dates'''
+
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)
  
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002
+
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.
  
The long talk by '''Ben Lee''' and '''Ross Dargan''':
+
'''Talk 2: Protecting the museum – HIPS'''
 +
Speaker: Marek Banas
 +
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.
  
'''The problems with proving identity.'''
+
Event is detailed here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]
 +
----26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.
  
In this talk Ross  (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.
+
'''Talk 1: Matt Wixey (@darkartlab)'''
  
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*
+
The talk will be three smaller talks, covering: 
 +
# Remote online social engineering (how attackers use catfishing techniques) 
 +
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) 
 +
# Attack linkage (using granular attack behaviours to link different cyber attacks)
 +
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''
  
(*Talk may not be historically accurate! ;))
+
"Getting stakeholders on board".
 +
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?
 +
----'''2018 Dates'''
 +
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.
  
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]
+
Speakers:
 +
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' 
 +
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). 
 +
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015
 +
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.
 +
We held our first CTF (Capture The Flag) event.
  
The short talks:
+
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]
 +
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.
  
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''
+
Speakers
 +
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.
 +
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]
 +
----
  
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.
+
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.
  
Take a copy of the game away with you - it is suitable for developers of all sizes.
+
Speakers
 +
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.
  
[[Media: Owaspnewcastle-snakesandladders.pptx]]
+
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.
 +
----'''2017 Dates'''
 +
----
  
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''
+
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.
  
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.
+
Speakers:
 +
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute  "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]
  
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]
+
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]
 +
----
  
'''Mike Goodwin - Real world defence in depth (part 1)'''
+
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.
  
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.
+
Speakers:
 +
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]
 +
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]
 +
----
  
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]
+
'''2016 Dates'''
  
 +
----
 +
 +
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.
 +
 +
Speakers:
 +
 +
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]
 +
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]
 +
 +
----
 +
 +
'''2015 Dates'''
 +
 +
----
 +
 +
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002
 +
 +
Speakers:
 +
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross  (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]
 +
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]
 +
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]
 +
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]
 
----
 
----
  
 
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002
 
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002
 
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).
 
  
 
Speakers:
 
Speakers:
  
 
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
 
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]
+
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]
 
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
 
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
 
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]
 
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]
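Review bot: several of the added lines in this region carry typos that will go live with the revision. The "Talk 2: Mike Goodwin: Enter the (Threat ) Dragon" entry reads "Mike the the project leader" and uses "it's future road map and a look under it's hood" where "its" is meant, and the stray space in "(Threat )" should go. The Stalk Awareness description is split mid-sentence across two paragraphs ("...from both" / "a technical and non-technical standpoint..."), so the paragraph break between those two added lines should be removed. The Ian Oxley entry was changed to "[[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]", which only repeats the filename as the link label; the plain "[[Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]" form used by the neighbouring entries is cleaner.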
Line 93: Line 143:
  
 
Speakers:
 
Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.'''
+
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]]
[[Media: OWASP_Honeypots.odp]]
 
 
 
* '''George Chlapoutakis: Security in the World of Containerisation.'''
 
[[Media: OWASP_Security_Containerisation.ppt]]
 
  
 +
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]
 
----
 
----
  
Line 104: Line 151:
  
 
Speakers:
 
Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.'''  
+
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]]  
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.
 
[[Media: An_introduction_to_penetration_testing.pptx]]
 
 
 
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.'''
 
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.
 
[[Media: Threat_Modeling_Presentation.pptx]]
 
  
 +
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]]
 
----
 
----
  
Line 120: Line 162:
 
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
 
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
 
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]
 
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]
 +
----
  
 
= Chapter Leaders  =
 
= Chapter Leaders  =
Line 126: Line 169:
  
 
* [[User:Connor Carr|Connor Carr]]
 
* [[User:Connor Carr|Connor Carr]]
* Robin Fewster
+
* [[User:Robin Fewster|Robin Fewster]]
* [[User:Michael Goodwin|Mike Goodwin]]
+
* [[User:Andi Pannell|Andi Pannell]]
  
Once the group is up and running we will be looking for more leaders.
+
We are always happy to hear from people who want to contribute to the chapter as a leader.
  
 +
= Slack =
 +
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]
 
= Sponsorship =  
 
= Sponsorship =  
  
Line 149: Line 194:
 
Other related organisations in the Newcastle area:
 
Other related organisations in the Newcastle area:
  
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].
+
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].
  
 
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.
 
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.
Line 155: Line 200:
 
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).
 
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).
  
__NOTOC__ <headertabs />
+
__NOTOC__ <headertabs></headertabs>
  
 
[[Category:OWASP Chapter]]
 
[[Category:OWASP Chapter]]
 
[[Category:United Kingdom]]
 
[[Category:United Kingdom]]

Latest revision as of 03:34, 31 October 2019

OWASP Newcastle

Welcome to the Newcastle chapter homepage. The chapter leaders are Connor Carr, Robin Fewster and Andi Pannell.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now.

Next Event:

3rd December 2019 - Avalanche 2 CTF hosted by Pentest Limited - https://www.meetup.com/OWASP-Newcastle-Chapter/events/265874769/

Keep updated and in touch using the chapter mailing list and/or Twitter @OWASP_Newcastle and/or Slack.

2019 Dates


23/09/2019 from 18:00 to 21:00 at Northumbria University, City Campus East

Talk 1

Title: Stalk Awareness - Slides

Speaker: Cian (@nscrutables)

Description: We often focus on the role of nation states and corporations in eroding our privacy and expanding omnipresent surveillance worldwide; meanwhile, an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet and marketed directly to abusers; these apps have come to be termed "stalkerware".

This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I'll be examining these topics from both a technical and a non-technical standpoint, based on many months of personal research.

Talk 2

Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - Slides

Speaker: Adam Pickering (https://twitter.com/Adam_P81)

Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors


13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park

Red Team versus Blue Team event

Talk 1: Red Teaming a view from the field

Speakers: Andi Pannell (https://twitter.com/dr0idandy), Robin Fewster (https://twitter.com/listenerstation), Gavin Johnson-Lynn (https://twitter.com/gav_jl)

Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.

Talk 2: Protecting the museum – HIPS

Speaker: Marek Banas

Description: How you can minimise the manual labour while increasing the security of legacy servers, plus some issues we hit while choosing the solutions and the challenges we had.

Event is detailed here: OWASP Newcastle Meetup June 2019


26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.

Talk 1: Matt Wixey (@darkartlab)

The talk will be three smaller talks, covering: 

  1. Remote online social engineering (how attackers use catfishing techniques) 
  2. Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) 
  3. Attack linkage (using granular attack behaviours to link different cyber attacks)

Talk 2: Kathryn Cardose (@AGeordieLass)

"Getting stakeholders on board".

  • So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?

2018 Dates

25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.

Speakers:

  • Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.
  • Gavin Johnson-Lynn: My Path to CSSLP. Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there).

The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015


26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.

We held our first CTF (Capture The Flag) event.

The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994


27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.

Speakers

  • Andi Pannell: The Internet of (broken) things. This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest, and I'll conclude with a live hacking demo.
  • Colin Watson: An introduction to the OWASP automated threats to web applications. Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. Project page | Handbook PDF file | Handbook print version | Newcastle PPT presentation

30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.

Speakers

  • Neil Dixley: Code that fights back. Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.
  • Luke Sadler: Practical demonstration of mobile software penetration. Luke Sadler walks us through hands on examples of cracking mobile technology.

2017 Dates

21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:

  • Lorenzo Grespan: Explain hacking in ten minutes. Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy; however, what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non-technical stakeholders, higher management and end users. Media:OWASPNCL LG 21112017.pdf
  • Robin Sillem: Building a Development Environment That's 'Secure Enough'. This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. Media:Modern_DevOps_and_security.pptx

19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:

  • Gareth Dixon: Running a security event using OWASP Security Shepherd. In this talk I will cover running a security event using OWASP Security Shepherd. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. Media:Security_Shepherd.pptx
  • Mike Goodwin: Enter the (Threat) Dragon: Threat Modeling with OWASP Threat Dragon. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. OWASP Threat Dragon is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, its future road map and a look under its hood. Mike is the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. Media:Owasp_threat_dragon_201709_.pptx

2016 Dates


23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.

Speakers:

  • Andrew Pannell: 50 Million Downloads and All I Got Was Malware. How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [1]
  • Colin Watson: OWASP Cornucopia. OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [2]

2015 Dates


24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

  • Ben Lee and Ross Dargan: The problems with proving identity. In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) Media: OWASPNewcastle_the_problem_with_proving_identity.pptx
  • Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks. The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. Media: Owaspnewcastle-snakesandladders.pptx
  • Michael Haselhurst - Automated Security Testing Using The ZAP API. This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx
  • Mike Goodwin - Real world defence in depth (part 1). Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. Media: Owaspnewcastle-real_world_defence_in_depth.pptx

29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:


28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:


29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:

  • Neil Dixley: The Elevation of Privilege Threat Modelling Tool. An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. Media: Threat_Modeling_Presentation.pptx

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

  • Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering. An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user-based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our PIN number to strangers on the phone, plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx
  • Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable? Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk' and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. Media: OWASP_Compliance_for_Devs.pptx

The chapter leaders are:

We are always happy to hear from people who want to contribute to the chapter as a leader.

OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us Here

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.


Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

  • Platinum sponsor (£1200)
  • Gold sponsor (£600)
  • Silver sponsor (£300)

Any other donation is also gratefully received.

Other related organisations in the Newcastle area:

  • (ISC)2 North East Chapter - for information, contact the chapter secretary, Robin Fewster, the chapter president Ken Walls, the chapter membership officer Scott Wakeling or the chapter events and corporate sponsorship officer Katy Buller.

Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.

And feel free to use the Newcastle mailing list to publicise related events (this list is moderated).