Difference between revisions of "OWASP Limerick Day 2013"

 
(30 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
= Welcome  =
 
= Welcome  =
  
=== Welcome to OWASP Limerick Days 2013 ===
+
=== Welcome to OWASP Limerick Day 2013 ===
  
 
<br>
 
<br>
OWASP Limerick Days 2013 is a two days Information Security event taking place as follows:
+
OWASP Limerick Day 2013 is a one day Security conference taking place on October 31st in Limerick, Ireland.
<br>
+
 
* October 30th - OWASP Limerick Training Day - Secure Coding for Java Developers (full day training)
+
This major InfoSec event will bring together IT professionals and Security Researchers to discuss relevant topics related to Application Security. <br>Everyone is free to participate in OWASP. All OWASP materials are available under a free and open software license.
* October 31st - OWASP Limerick AppSec Conference Day
+
  
 
<br>
 
<br>
 
<span style="color: red; text-decoration:">
 
<span style="color: red; text-decoration:">
Training fee: 50 euro/seat - Course {{#switchtablink:Registration|registration}} required
+
Conference day is free! - {{#switchtablink:Registration|registration}} required
<br>
+
Conference day is free! - Conference {{#switchtablink:Registration|registration}} required
+
 
</span>
 
</span>
<br>
 
 
<br>
 
<br>
  
Line 40: Line 36:
 
<br>
 
<br>
 
==== Donate to OWASP Limerick====
 
==== Donate to OWASP Limerick====
[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]]
+
[[Image:Btn_donate_SM.gif|link=https://co.clickandpledge.com/?wid=72778]]
 
<br>
 
<br>
  
Line 48: Line 44:
  
 
<br>
 
<br>
==== Training Day, October 30th - <span style="color: red; text-decoration:">Registration not yet open</span> ====
 
* Training day fee is 50 euro per seat, limited places available (max 30)
 
* Free places are available for students and registered OWASP members (max 15)
 
 
  
 
<br>
 
<br>
Line 76: Line 68:
  
 
<br>
 
<br>
''' Training room: computer lab 8A106 (30 seats available) '''
 
  
'''Conference room: 4A01 (150 seats available)'''
+
'''Conference room: 4A01'''
  
 
<br>'''Parking & roadmap''': TBD
 
<br>'''Parking & roadmap''': TBD
Line 84: Line 75:
  
 
<!-- Fourth tab -->
 
<!-- Fourth tab -->
 
= Training Day =
 
 
==== Training Day, October 30th  ====
 
 
==== Location ====
 
Training room: computer lab 8A106 (30 seats available)
 
<br>
 
 
(for details, check the {{#switchtablink:Venue|Venue}} tab)
 
 
==== Agenda ====
 
{| class="wikitable"
 
! Time !! Description !! Room
 
|-
 
| 08h30 - 9h00
 
| colspan="2" style="text-align: center; background: grey; color: white;" | ''Registration''
 
|-
 
| 09h00 - 17h00 || Training
 
| rowspan="1" style="width:100px;" | tbd
 
|}
 
 
 
<br>
 
 
 
 
<!-- Fifth tab -->
 
  
 
= Conference Day =
 
= Conference Day =
Line 118: Line 81:
  
 
==== Location ====
 
==== Location ====
Conference room: 4A01 (150 seats available)
+
Conference room: 4A01
  
 
<br>
 
<br>
 
(for details, check the {{#switchtablink:Venue|Venue}} tab)
 
(for details, check the {{#switchtablink:Venue|Venue}} tab)
  
 
==== Confirmed speakers ====
 
 
{{#switchtablink:Conference Day| <p>
 
* Angelo Prado (Salesforce) - SSL, gone in 30 seconds - a BREACH beyond CRIME
 
* Simon Bennetts (Mozilla) - OWASP Zed Attack Proxy
 
* Oana Cornea (Electronic Arts) - iOS Penetration Testing Cheat Sheet
 
* Marian Ventuneac (Genworth Financial) - Social Enterprise Software: Risks & Countermeasures
 
* Patrick Fitzgerald (Ward Solutions) - Introduction to Metasploit
 
* Mark Goodwin (Mozilla) - FirefoxOS
 
 
 
}}
 
 
<br>
 
<br>
  
Line 141: Line 91:
 
{| class="wikitable"
 
{| class="wikitable"
 
! width="90pt" | Time
 
! width="90pt" | Time
! width="130pt" | Speaker !! Topic
+
! width="160pt" | Speaker !! Topic
 
|-  
 
|-  
| 08:00 - 09:00
+
| 08:30 - 09:00
 
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''
 
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''
 
|-  
 
|-  
| 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update
+
| 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update   [https://www.owasp.org/images/8/84/OWASPIreland-Limerick-Day_20131031_Agenda.pdf Link]
 
|-
 
|-
| 09:20 - 10:10 || TBD || ''' Title '''<br>''Abstract:''
+
| 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''   [https://www.owasp.org/images/4/48/OWASPIreland-Limerick-Day_20131031_ManagingRisks-GerardJoyce.PDF Link]<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>
 +
 
 +
ISO 31000 can be applied to any business and any activity. In this presentation Gerard Joyce will demonstrate how it can be applied in software development.
 
|-
 
|-
| 10:10 - 11:00 || TBD || ''' Title '''<br>''Abstract:''
+
| 10:10 - 11:00 || [http://www.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]<br>Security Analyst at Electronic Arts|| ''' iOS Penetration Testing Cheat Sheet '''   [https://www.owasp.org/images/d/d0/OWASPIreland-Limerick-Day_20131031_iOSCheatSheet-OanaCornea.pdf Link]<br><br>This presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.
 
|-
 
|-
 
| 11:00 - 11:20
 
| 11:00 - 11:20
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''  
+
| colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''  
 
|-
 
|-
| 11:20 - 12:10 || TBD || ''' Title ''' <br>''Abstract:''
+
| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit '''   [https://www.owasp.org/images/7/73/OWASPIreland-Limerick-Day_20131031_Metasploit-PatrickFitzgerald.pdf Link]<br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
 
|-
 
|-
| 12:10 - 13:00 || TBD || ''' Title ''' <br>''Abstract:''
+
| 12:10 - 13:00 || [http://www.linkedin.com/pub/simon-bennetts/13/57a/3b Simon Bennetts]<br>Security Automation Engineer at Mozilla || ''' OWASP ZAP - whats even newer '''   [http://www.slideshare.net/psiinon/owasp-2013-limerick Link]<br><br>The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.<br>
 +
There are many new developments in progress that will provide functionality currently unavailable in other security tools.
 +
In this session Simon will give a quick introduction for newcomers to ZAP, and then dive into the latest changes.
 
|-
 
|-
 
| 13:00 - 14:00
 
| 13:00 - 14:00
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch''  
+
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch Break''  
 
|-
 
|-
| 14:00 - 14:50 || TBD || ''' Title ''' <br>''Abstract:''
+
| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How'''   [https://www.owasp.org/images/7/71/OWASPIreland-Limerick-Day_20131031_DigitalForensics-AhmedNeil.pdf Link]<br><br>
 
|-
 
|-
| 14:50 - 15:40 || TBD || ''' Title ''' <br>''Abstract:''
+
| 14:50 - 15:40 || [http://www.linkedin.com/in/mark4security Mark Goodwin]<br>Security Engineer at Mozilla || ''' An Introduction to Firefox OS Security '''   []<br><br>A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.
 
|-
 
|-
 
| 15:40 - 16:00
 
| 15:40 - 16:00
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''  
+
| colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''  
 
|-
 
|-
| 16:00 - 16:50 || TBD || ''' Title ''' <br>''Abstract:''
+
| 16:00 - 16:05
 +
| colspan="2" style="text-align: center;background: grey; color: white" | ''OWASP Limerick Chapter Raffle - Sponsored InfoSec Books and Gadgets''  
 
|-
 
|-
| 16:50 - 17:30 || TBD || ''' Title ''' <br>''Abstract:''
+
| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures'''   [http://www.ventuneac.net/research-publications/MarianVentuneac_OWASPIreland-Limerick-Day_20131031_SocialEnterpriseSoftware.pdf Link]<br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.<br>
 +
Marian will present various security risks identified for representative social enterprise solutions (from Salesforce, Blogtronix, Tibco , Yammer and Jive), while also providing recommendations on effective risks mitigation for adoption of social enterprise solutions.
 +
|-
 +
| 16:50 - 17:30 || [http://www.linkedin.com/in/angeloprado Angelo Prado]<br>Senior Manager, Product Security at Salesforce.com<br><br>[http://www.linkedin.com/in/yoelgluck Yoel Gluck]<br>Lead Product Security Engineer at Salesforce.com|| ''' SSL, gone in 30 seconds - a BREACH beyond CRIME '''    [http://breachattack.com/ Link]<br><br>In this hands-on talk, Angelo and Yoel will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. They will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. They will also describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. They will also describe the posture of different SaaS vendors vis-à-vis this attack while also presenting the BREACH tool.
 
|}
 
|}
  
Line 191: Line 149:
  
  
<!-- Sixth tab -->
+
<!-- Fifth tab -->
  
 
= Sponsors =
 
= Sponsors =
Line 200: Line 158:
  
 
* Genworth Financial
 
* Genworth Financial
* Limerick Institute of Technology  
+
* Limerick Institute of Technology
 +
* Ward Solutions
 +
* LinkResQ
  
  
Line 207: Line 167:
  
 
<br>
 
<br>
==== Become a sponsor of OWASP Limerick ====
+
==== Become a sponsor of OWASP Ireland Limerick Chapter ====
  
Donate to OWASP Limerick
+
[[Image:Btn_donate_SM.gif|link=https://co.clickandpledge.com/?wid=72778]]
 
+
<br>
[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]]
+
 
<br>
 
<br>
 
 
 
==== Promotion  ====
 
==== Promotion  ====
 
''Feel free to use the text below to promote our event!''
 
''Feel free to use the text below to promote our event!''
  
We invite you to our next OWASP event: the '''Limerick OWASP Days 2013!'''
+
We invite you to our next OWASP event: the '''Limerick OWASP Day 2013!'''
 
+
Free your agenda on October 30th and 31st, 2013.
+
  
Training is 50 euro per seat, conference is free!
+
Free your agenda on October 31st, 2013.
  
 
Please register early as places are limited (first registered, first served).
 
Please register early as places are limited (first registered, first served).

Latest revision as of 14:15, 3 November 2013


Welcome to OWASP Limerick Day 2013


OWASP Limerick Day 2013 is a one day Security conference taking place on October 31st in Limerick, Ireland.

This major InfoSec event will bring together IT professionals and Security Researchers to discuss relevant topics related to Application Security.
Everyone is free to participate in OWASP. All OWASP materials are available under a free and open software license.


Conference day is free! - registration required

For ISACA and (ISC)² members: This event qualifies for free CPE credits/hours.

Who Should Attend?

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals
  • Students
  • Security Researchers
  • Anyone with an interest in Application Security






Conference Day, October 31st - Registration now open


  • Conference is free!



To support the OWASP organisation, consider becoming a member; it's only US$50!
Check out the Membership page to find out more.


Venue: Limerick Institute of Technology

Moylish Park
Limerick


Conference room: 4A01


Parking & roadmap: TBD


Conference Day, October 31st

Location

Conference room: 4A01


(for details, check the Venue tab)


Agenda

Time | Speaker | Topic

08:30 - 09:00 | Registration

09:00 - 09:20 | OWASP Limerick Organization | Welcome & OWASP Update Link

09:20 - 10:10 | Gerard Joyce, Director of Enterprise Risk Management at LinkResQ | Managing Risks: An ISO 31000 Approach Link

In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.

ISO 31000 can be applied to any business and any activity. In this presentation Gerard Joyce will demonstrate how it can be applied in software development.

10:10 - 11:00 | Oana Cornea, Security Analyst at Electronic Arts | iOS Penetration Testing Cheat Sheet Link

This presentation will highlight the main iOS application attack vectors, the techniques and tools used to perform a pentest, and the mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.

11:00 - 11:20 | Tea/Coffee Break

11:20 - 12:10 | Patrick Fitzgerald, Security Consultant at Ward Solutions | Introduction to Metasploit Link

Patrick will introduce Metasploit and demonstrate what the framework is capable of out of the box. The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.

12:10 - 13:00 | Simon Bennetts, Security Automation Engineer at Mozilla | OWASP ZAP - whats even newer Link

The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.

There are many new developments in progress that will provide functionality currently unavailable in other security tools. In this session Simon will give a quick introduction for newcomers to ZAP, and then dive into the latest changes.

13:00 - 14:00 | Lunch Break

14:00 - 14:50 | Ahmed Neil, Database Administrator at Mansoura University | Digital Forensics: What, Why and How Link

14:50 - 15:40 | Mark Goodwin, Security Engineer at Mozilla | An Introduction to Firefox OS Security []

A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.

15:40 - 16:00 | Tea/Coffee Break

16:00 - 16:05 | OWASP Limerick Chapter Raffle - Sponsored InfoSec Books and Gadgets

16:05 - 16:50 | Marian Ventuneac, Security Architect at Genworth Financial | Social Enterprise Software: Risks & Countermeasures Link

Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.

Marian will present various security risks identified for representative social enterprise solutions (from Salesforce, Blogtronix, Tibco, Yammer and Jive), while also providing recommendations on effective risk mitigation for the adoption of social enterprise solutions.

16:50 - 17:30 | Angelo Prado, Senior Manager, Product Security at Salesforce.com, and Yoel Gluck, Lead Product Security Engineer at Salesforce.com | SSL, gone in 30 seconds - a BREACH beyond CRIME Link

In this hands-on talk, Angelo and Yoel will introduce new targeted techniques and research that allow an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. They will demonstrate that this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. They will also describe the algorithm behind the attack, how basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. They will also describe the posture of different SaaS vendors vis-à-vis this attack while also presenting the BREACH tool.





Event Sponsors

  • Genworth Financial
  • Limerick Institute of Technology
  • Ward Solutions
  • LinkResQ


Sponsorship opportunities are available [1]



Become a sponsor of OWASP Ireland Limerick Chapter


Promotion

Feel free to use the text below to promote our event!

We invite you to our next OWASP event: the Limerick OWASP Day 2013!

Free your agenda on October 31st, 2013.

Please register early as places are limited (first registered, first served).


Made possible by our Sponsors
