Difference between revisions of "Royal Holloway"

From OWASP
(Thurs 9 August 6:30-9pm)
(update for December)
 
(13 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
__NOTOC__
 +
 +
= Welcome =
 
{{Chapter Template|chaptername=Royal Holloway University of London|extra=The chapter leaders are [mailto:Dennis.Groves@owasp.org Dennis Groves] and [mailto:Dinis.Cruz@owasp.org Dinis Cruz].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-royalholloway|emailarchives=http://lists.owasp.org/pipermail/owasp-royalholloway}}
 
{{Chapter Template|chaptername=Royal Holloway University of London|extra=The chapter leaders are [mailto:Dennis.Groves@owasp.org Dennis Groves] and [mailto:Dinis.Cruz@owasp.org Dinis Cruz].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-royalholloway|emailarchives=http://lists.owasp.org/pipermail/owasp-royalholloway}}
  
== Local News ==
+
= Next Event =
  
'''Meeting Location'''
 
  
Everyone is welcome to join us at our chapter meetings.
+
=== Thurs 6 Dec 6:30-9pm ===
  
 +
OWASP Winter Holiday Social @ Crosslands in the Founder's Building, near reception.
  
== Next Meeting/Event(s) ==
+
'''Meeting Location''':
 +
Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
  
=== Thurs 9 August 6:30-9pm ===
+
Directions to Royal Holloway and a Campus Plan are available from the following [http://www.rhul.ac.uk/aboutus/locationmap/home.aspx website] (Bourne LT 2 is in building 31 on the Campus Plan).
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
  
'''Speakers''': Ken Ferris
+
Everyone is welcome to join us at our chapter meetings.
  
* Confessions of A PCI Consultant & IPADS V0a - Ken Ferris
 
  
'''Register here''': [http://owasp-rhul.eventbrite.com/]
+
= Future Events =
  
== Future Events ==
 
  
=== Thurs 6 Sep 6:30-9pm ===
+
=== date and time place holder ===
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
  
'''Speakers''': Christiaan Ehlers
+
'''Talks''':
 +
'''Speakers''':
  
* DoS Mitigation - Christiaan Ehlers
+
= Past Events =
  
=== Thurs 11 Oct 6:30-9pm ===
+
=== Thurs 8 Nov 6:30-9pm ===
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
  
'''Speakers''':  
+
'''Talks''':  
 
+
* DoS Mitigation - Christiaan Ehlers
=== Thurs 8 Nov 6:30-9pm ===
+
* Confessions of A PCI Consultant & IPADS - Ken Ferris
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
  
 
'''Speakers''':  
 
'''Speakers''':  
 
+
Christiaan Ehlers, Ken Ferris
=== Thurs 6 Dec 6:30-9pm ===
+
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
 
+
'''Speakers''':
+
 
+
== Past Events ==
+
  
 
=== Thurs 10 May 6:30-9pm ===
 
=== Thurs 10 May 6:30-9pm ===
  
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
'''Talks''':
 
+
'''Talks'''
+
 
* [http://www.websecurify.com WebScurify] - Petko Petkov (pdp)
 
* [http://www.websecurify.com WebScurify] - Petko Petkov (pdp)
 
* Your Digital Exhaust: How your online habits might cause more damage than you realised. - Daniel Cuthbert
 
* Your Digital Exhaust: How your online habits might cause more damage than you realised. - Daniel Cuthbert
* [http://diniscruz.blogspot.co.uk/2012/04/making-security-invisible-by-becoming.html Making Security Invisible by Becoming the Developer's Best Friends] - Dinis
+
* [http://diniscruz.blogspot.co.uk/2012/04/making-security-invisible-by-becoming.html Making Security Invisible by Becoming the Developer's Best Friends] - ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz])
  
 
+
'''Speakers''':  
'''Speakers''': Daniel Cuthbert, Petko Petkov, Dinis Cruz,
+
Daniel Cuthbert, Petko Petkov, ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz])
  
 
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===
 
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===
  
==== Location ====
+
'''Talks''':
 
+
:Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
 
+
==== Talks ====
+
 
+
 
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])
 
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])
 
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.
 
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.
  
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])
+
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - ([https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom]) ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])
 
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."
 
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."
  
==== Speakers ====
 
 
Tobias Gondrom, Viet Pham
 
  
 +
'''Speakers''':
 +
([https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom]), Viet Pham
  
 
=== Thursday, February 2nd 2012 ,18:30-21:00 ===
 
=== Thursday, February 2nd 2012 ,18:30-21:00 ===
  
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
'''Talks''':
 
+
*''Security as Pollution (lessons learned)'' - ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz])
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves
+
 
+
*''Security as Pollution (lessons learned)'' - Dinis Cruz
+
 
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010
 
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010
  
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz
+
*''Making Security Invisible by Becoming the Developer's Best Friends'' - ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz])
 
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011
 
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011
  
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves
+
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz]) and ([https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves])
 
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.
 
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.
  
*''What's Happening on OWASP Today'' - Sarah Baso
+
*''What's Happening on OWASP Today'' - ([https://www.owasp.org/index.php/User:Sarah_Baso Sarah Baso])
 
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment
 
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment
 +
 +
'''Speakers''':
 +
([https://www.owasp.org/index.php/User:Sarah_Baso Sarah Baso]), ([https://www.owasp.org/index.php/User:Dinis_Cruz Dinis Cruz]), ([https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves])
  
 
=== Thursday, September 8th 2011 ===
 
=== Thursday, September 8th 2011 ===
  
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX
+
'''Talk''':  
 +
Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.
  
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])
+
'''Speaker''':  
 
+
Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an
+
ineffective industry.
+
  
 
'''Bio''':  Daniel Cuthbert is one of the Open Web Application Security
 
'''Bio''':  Daniel Cuthbert is one of the Open Web Application Security
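Review bot: the new "=== date and time place holder ===" heading under Future Events is added together with empty '''Talks''': and '''Speakers''': fields, so the rendered page will show a section with no event in it; either fill in the event details or drop the placeholder before publishing. The new event headings (Thurs 6 Dec, Thurs 8 Nov, Thurs 10 May) also carry no year, unlike the older entries such as "Thursday, March 8th 2012"; adding the year keeps the Past Events list unambiguous once it spans more than one year. While these lines are being touched, "WebScurify" in the 10 May talk list does not match the linked site websecurify.com, and the Gondrom talk title still reads "and and Pinning of Certs".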
Line 109: Line 93:
 
the development life cycle is secure and the overall application can
 
the development life cycle is secure and the overall application can
 
withstand today’s hackers.
 
withstand today’s hackers.
 
Directions to Royal Holloway and a Campus Plan are available from the following [http://www.rhul.ac.uk/aboutus/locationmap/home.aspx website] (Bourne LT 2 is in building 31 on the Campus Plan).
 
  
 
=== Friday, June 3rd 2011 ===
 
=== Friday, June 3rd 2011 ===
 +
'''Talk''':
 +
*'''Wordpress Security''' ([[Media:Wordpress-security-ext.pdf|PDF]])
 +
:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.
  
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX
+
'''Speaker''': Steve Lord
 
+
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])
+
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.
+
  
 +
<headertabs />
  
 
[[Category:OWASP Chapter]]
 
[[Category:OWASP Chapter]]
 
[[Category:United Kingdom]]
 
[[Category:United Kingdom]]
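Review bot: the rewritten Wordpress bullet on the new side carries over two typos from the old text: "one if the most popular blogging systems" should read "one of the most popular blogging systems", and "because of it's flexibility" should be "because of its flexibility"; worth fixing since the line is already being rewritten.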

Latest revision as of 07:13, 3 December 2012



OWASP Royal Holloway University of London

Welcome to the Royal Holloway University of London chapter homepage. The chapter leaders are Dennis Groves and Dinis Cruz.
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now

Thurs 6 Dec 6:30-9pm

OWASP Winter Holiday Social @ Crosslands in the Founder's Building, near reception.

Meeting Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Directions to Royal Holloway and a Campus Plan are available from the following website (Bourne LT 2 is in building 31 on the Campus Plan).

Everyone is welcome to join us at our chapter meetings.


date and time place holder

Talks:

Speakers:

Thurs 8 Nov 6:30-9pm

Talks:

  • DoS Mitigation - Christiaan Ehlers
  • Confessions of A PCI Consultant & IPADS - Ken Ferris

Speakers: Christiaan Ehlers, Ken Ferris

Thurs 10 May 6:30-9pm

Talks:

Speakers: Daniel Cuthbert, Petko Petkov, Dinis Cruz

Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)

Talks:

  • Implementing cryptography: good theory vs. bad practice - Viet Pham ([PDF])
Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that many cryptographic mechanisms are mathematically proven secure, or trusted as secure given some mathematical reasoning. However, to take full advantage of these mechanisms, they must be implemented strictly according to the theoretical models; e.g., several cryptographic mechanisms must be used together, in a specific manner, to provide a desired security goal. Without a strong cryptographic background, many software developers tend to deviate from these models, making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where they spread, and how bad they may become.
  • Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs - Tobias Gondrom ([PDF])
"In recent months, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and, based on the current trust models (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced, and closest to final adoption, are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach has been partly tested in Chrome, and already helped identify and protect, to some extent, Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."


Speakers: Tobias Gondrom, Viet Pham

Thursday, February 2nd 2012 ,18:30-21:00

Talks:

  • Security as Pollution (lessons learned) - Dinis Cruz
    Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010
  • Making Security Invisible by Becoming the Developer's Best Friends - Dinis Cruz
    Based on Dinis' presentation at OWASP AppSec Brazil 2011
  • How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
    This is for students and developers who want to get into the application security space and need to have/show real-world experience.
  • What's Happening on OWASP Today - Sarah Baso
    This is an overview of the multiple activities that are currently happening around the world at OWASP, presented by one of OWASP's employees currently focused on logistics, community and empowerment.

Speakers: Sarah Baso, Dinis Cruz, Dennis Groves

Thursday, September 8th 2011

Talk: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.

Speaker: Daniel Cuthbert (deck)

Bio: Daniel Cuthbert is one of the Open Web Application Security Project Leaders and the Assessment Manager for SensePost. He has been researching and involved with web application security since the late 90's and has worked on a wide range of projects to ensure that the development life cycle is secure and the overall application can withstand today's hackers.

Friday, June 3rd 2011

Talk:

  • Wordpress Security (PDF)
Wordpress is one of the most popular blogging systems in the world, but is routinely used to shoehorn complex sites into a blog-shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Speaker: Steve Lord