Difference between revisions of "Norway"

From OWASP
Jump to: navigation, search
(Medlemsmøte: 7. Februar, kl 17:00)
(38 intermediate revisions by 3 users not shown)
Line 12: Line 12:
 
To join the chapter mailing list, please visit our [https://lists.owasp.org/mailman/listinfo/owasp-norway mailing list] homepage. The list is used to discuss the meetings and to arrange meeting locations. You can also review the [https://lists.owasp.org/pipermail/owasp-norway/ email archives] to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.
 
To join the chapter mailing list, please visit our [https://lists.owasp.org/mailman/listinfo/owasp-norway mailing list] homepage. The list is used to discuss the meetings and to arrange meeting locations. You can also review the [https://lists.owasp.org/pipermail/owasp-norway/ email archives] to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.
  
== Medlemsmøter 2011 ==
+
== Medlemsmøter ==
  
=== [[OWASP Norway - Hall of fame ]] ===
+
Fremtidige medlemsmøter blir annonsert på mailinglista og på [http://www.meetup.com/OWASP-Norway/ meetup.com/OWASP-Norway/]. Påmelding finner du også der
 
 
[[Forslagskasse]] for tema
 
  
 
Hvis du ikke er på [https://lists.owasp.org/mailman/listinfo/owasp-norway e-postlista] så meld deg på!
 
Hvis du ikke er på [https://lists.owasp.org/mailman/listinfo/owasp-norway e-postlista] så meld deg på!
  
=== Neste møte ===
 
  
  
==== Medlemsmøte: Tirsdag 21. juni kl 17:00 - 19:00  ====
+
=== Tidligere møter ===
Ansvarlig: Erlend Oftedal, tel: 98219335,
 
Sponsor: TBA
 
Adresse: TBA, og [http://www.doodle.com/zewyn82nn6psdx5f Meld på her]
 
  
Agenda:
+
[[Forslagskasse]] for tema
* 17:00-17:45 Utvalgte tema fra OWASP AppSecEU
 
* Pause m pizza
 
* 18:15-19:00 Mobilsikkerhet, Carsten Maartmann-Moe
 
  
  
 +
=== Neste møte ===
  
=== Tidligere møter ===
+
==== Medlemsmøte: 26. Juni, kl 17:00 ====
 +
'''Ansvarlig:''' Erlend Oftedal ,
 +
'''Påmelding/lokasjon/agenda:''' [[http://www.meetup.com/OWASP-Norway/events/188627202/ Påmelding på meetup.com]]
 +
'''Tema:''' Hacking with Unicode
  
 +
==== Medlemsmøte: 7. Februar, kl 17:00 ====
 +
'''Ansvarlig:''' Erlend Oftedal ,
 +
'''Påmelding/lokasjon/agenda:''' [[http://www.meetup.com/OWASP-Norway/events/98525562/ Påmelding på meetup.com]]
 +
'''Tema:''' Crossing Domains by Crossing Origins
  
===== Generalforsamling: Torsdag 12. mai kl 17:00 - 17:15  =====
+
==== Medlemsmøte: 18. Oktober, kl 17:00 ====
 +
'''Ansvarlig:''' Erlend Oftedal ,
 +
'''Påmelding/lokasjon/agenda:''' [[http://www.meetup.com/OWASP-Norway/events/84322982/ Påmelding på meetup.com]]
 +
'''Tema:''' Sikkerhet i det norske eValg-systemet
  
[[Norway/Generalforsamling 2011]]
 
  
Ansvarlig: Kåre Presttun, tel: 4100 4908,  
+
==== Medlemsmøte: 24. april, kl 19:30 ====
Sponsor: mnemonic as ,
+
'''Ansvarlig:''' Erlend Oftedal ,
Adresse: Wergelandsveien 25, [http://maps.google.com/maps?q=wergelandsveien+25,+oslo&oe=utf-&um=1&ie=UTF-8 Kart her], og [http://doodle.com/5nz7vu8uvqhsmxwp Meld på her]
+
'''Sponsor:''' -,
 +
'''Adresse:''' [http://maps.google.com/maps?q=Tordenskiolds+gate+3%2C+Oslo Mesh Norway, Tordenskiolds gate 3],  
 +
'''Påmelding:''' [http://www.doodle.com/t7kaxy7a5u7v6u6s klikk her]
  
Agenda:
+
Tema denne gang er sikkerhet i mobile applikasjoner. Det blir først en introduksjon, deretter kommer
* Godkjenning av innkalling
+
Martin Knobloch fra OWASP Nederland for å snakke om iGoat og GoatDroid, for så å dele erfaringer fra
* [[Årsberetning 2010/2011]]
+
en code review.
* Eventuelt
 
* Valg
 
  
===== Medlemsmøte: Torsdag 12. mai kl 17:15 - 19:15  =====
+
Slides:
  
Ansvarlig: Kåre Presttun, tel: 4100 4908,
+
[[Media:Mobil - Introduksjon til applikasjonssikkerhet.pdf|OWASP Mobile Top 10]] - Ståle Pettersen
Sponsor: mnemonic as ,
 
Adresse: Wergelandsveien 25
 
  
Slides:
+
[[Media:OWASP-mobile aps.pdf|OWASP Mobile]] - Martin Knobloch
[[Media:The_image_that_called_me.pdf]]
 
[[Media:Locking_the_throneroom.pdf]]
 
  
  
 
+
==== Medlemsmøte: 19. mars, kl 17:00 ====
Agenda:  
+
'''Ansvarlig:''' Erlend Oftedal ,
 +
'''Sponsor:''' F5,
 +
'''Adresse:''' [http://maps.google.com/maps?q=the+dubliner+oslo&hl=en&client=ubuntu&channel=fs&fb=1&hq=the+dubliner&hnear=0x46416e61f267f039:0x7e92605fd3231e9a,Oslo,+Norway&cid=0,0,12890284609415510924&t=h&z=15&iwloc=A The Dubliner],
 +
'''Påmelding:''' [http://www.doodle.com/d4rfandvnakqydc6 klikk her]
 
{|
 
{|
|17.15 - 18.00
+
|'''"Web Application Access Control Design Excellence"''', Jim Manico<br>
|'''The Image that called me - Security impact of Scalable Vector Graphics on the WWW''' - Mario Heiderich
 
  
Scalable Vector Graphics are about to conquer the web. Unlike most of their raster based companions from the GIF, PNG and JPEG
+
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss
family, their vector based structure allows to display them on many different devices with various screen sizes without losing
+
several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns
visual information. The open XML based SVG sources permit addition of meta data, helping even the visually impaired and blind
+
include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing
to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and
+
these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual,
inclusion of hyper-links, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect
+
activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust
image format for the future WWW.
+
web-based access-control mechanism.
 
 
Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a close look at SVG
 
from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and
 
worse, and what should web developers and browser vendors consider when dealing with SVG. How will HTML5 change the way to
 
work with SVGs and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and
 
other acronyms from a world where imaging and scripting collide? Besides many examples of malicious SVGs the talk will shed
 
light on a novel filtering tool capable of filtering and sanitizing SVG images without loss of important content.
 
|-
 
|18.00 - 18.30
 
| Mat
 
|-
 
|18.30 - 19.15
 
|'''Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS''' - Mario Heiderich
 
 
 
Cross Site Scripting has been a topic in countless presentations over the last decade. That easy to grasp but hard to solve
 
problem has been shaking the web and caused major trouble on hundreds to thousands of high traffic and commercial and well as
 
governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content
 
filters, educational programs and trainings, programmer's best practices and guidelines, proxy filters and many more. Still
 
XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to
 
find an easy cure - and the DOM as the actually affected layer is still lying unprotected open for the attacker.
 
 
 
This presentation introduces and discusses a novel approach of encountering XSS and similar attack techniques by making use of
 
several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to
 
seal important DOM properties, and take away the attackers ability to read and modify sensitive data in a tamper resistant and
 
light-weighted way - without being "too loud". Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the
 
possibility of creating and using client side IDS/IPS systems, written in JavaScript and running without special execution
 
privileges. The presentation will show how these work, what the implications are, and what the future of XSS mitigation and
 
eradication might look like.
 
 
|}
 
|}
'''Speaker:'''
 
'''Mario Heiderich''' works as a researcher for the Ruhr-University in Bochum, Germany as well as Microsoft, Redmond and currently
 
focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis. Mario
 
invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and
 
security consultancy for larger German and international companies. He is also one of the co-authors of Web Application
 
Obfuscation: '-/WAFs..Evasion..Filters/
 
 
===== Medlemsmøte tirsdag 22. mars kl 16:00 --> =====
 
 
Ansvarlig: Kåre Presttun,<br>
 
Sponsor: [https://wiki.cantara.no/display/PE/Communities+in+action+2011 Communities in Action 2011],<br>
 
Adresse: Radisson Blu Hotel, Holbergsgt. 30, [http://www.radissonblu.no/scandinaviahotell-oslo/beliggenhet Kart her], og [http://doodle.com/h53d9i9m8iuh2mib Meld på her]
 
 
Dette møtet er i samarbeid med Communities in Action 2011. OWASP Norway Chapter deltar sammen med javaBin, Kode kata, XP meetup, Framsia, Makers, Cocoaheads, NNUG og Oslo Lean Meetup. Dette er en spennende anledning til å mingle med andre "communities".
 
 
Program:
 
 
- 16:00 - 17:30 Enkel bevertning<br>
 
- 17:30 - 19:30 Parallellsesjoner<br>
 
- 20:00 - 21:00 Paneldebatt<br>
 
- 21:00 --> Mingling i Skybar<br>
 
 
[https://wiki.cantara.no/display/PE/Program+CiA+2011 Detaljert program for CiA 2011 her]
 
  
 
== Lokale Nyheter ==
 
== Lokale Nyheter ==
Line 133: Line 81:
 
== Tidligere år ==
 
== Tidligere år ==
  
 +
=== [[Medlemsmøter 2011]] ===
 
=== [[Medlemsmøter 2010]] ===
 
=== [[Medlemsmøter 2010]] ===
 
=== [[Medlemsmøter 2009]] ===
 
=== [[Medlemsmøter 2009]] ===

Revision as of 04:29, 12 June 2014

Welcome to the OWASP Norway Local Chapter

Welcome to the local Norway chapter homepage. The chapter leader is Erlend Oftedal. <paypal>Norway</paypal>

Se hvem som sitter i Norway Chapter styret og les Norway Chapter vedtekter. OWASP Norway Chapter er registrert i Bønnøysund med organisasjonsnummer 994 253 085.

Participation

OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the Chapter Rules.

To join the chapter mailing list, please visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. You can also review the email archives to see what folks have been talking about. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Medlemsmøter

Fremtidige medlemsmøter blir annonsert på mailinglista og på meetup.com/OWASP-Norway/. Påmelding finner du også der

Hvis du ikke er på e-postlista så meld deg på!


Tidligere møter

Forslagskasse for tema


Neste møte

Medlemsmøte: 26. Juni, kl 17:00

Ansvarlig: Erlend Oftedal , Påmelding/lokasjon/agenda: [Påmelding på meetup.com] Tema: Hacking with Unicode

Medlemsmøte: 7. Februar, kl 17:00

Ansvarlig: Erlend Oftedal , Påmelding/lokasjon/agenda: [Påmelding på meetup.com] Tema: Crossing Domains by Crossing Origins

Medlemsmøte: 18. Oktober, kl 17:00

Ansvarlig: Erlend Oftedal , Påmelding/lokasjon/agenda: [Påmelding på meetup.com] Tema: Sikkerhet i det norske eValg-systemet


Medlemsmøte: 24. april, kl 19:30

Ansvarlig: Erlend Oftedal , Sponsor: -, Adresse: Mesh Norway, Tordenskiolds gate 3, Påmelding: klikk her

Tema denne gang er sikkerhet i mobile applikasjoner. Det blir først en introduksjon, deretter kommer Martin Knobloch fra OWASP Nederland for å snakke om iGoat og GoatDroid, for så å dele erfaringer fra en code review.

Slides:

OWASP Mobile Top 10 - Ståle Pettersen

OWASP Mobile - Martin Knobloch


Medlemsmøte: 19. mars, kl 17:00

Ansvarlig: Erlend Oftedal , Sponsor: F5, Adresse: The Dubliner, Påmelding: klikk her

"Web Application Access Control Design Excellence", Jim Manico

Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

Lokale Nyheter

Tidligere år

Medlemsmøter 2011

Medlemsmøter 2010

Medlemsmøter 2009

Medlemsmøter 2008