Revision as of 15:03, 22 October 2007 by Bunyamin (talk | contribs)

Jump to: navigation, search

OWASP Turkey

Welcome to the Turkey chapter homepage. The chapter leader is Bedirhan Urgun, Bunyamin Demir, Ferruh Mavituna
Click here to join the local chapter mailing list.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local News

Ceviri projesine yardim etmek isteyen arkadaslar lutfen iletisime geciniz.




You can find Turkish translations of OWASP and other web security related documents here.

Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)


Discussion Answers:

Q1. What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1. During the meeting an effort was made to clarify the meaning of privacy;

- what are the key items that builds up to "privacy"?
- are we talking about the privacy of real people or should we also include the privacy of legal entities?
- is there really a solid line (or even a vague line) between confidentiality and privacy?

We defined privacy as confidentiality of the data; be it of a real person or a legal entity. But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions; The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2. Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2. Most of the participants agreed that a law is a necessity. But, maybe, more important thing is to raise the awareness of the customers. Here we also had a discussion on the current status of the law on privacy? There are mainly three documents on privacy in Turkish law;

* a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer)
* a draft law on privacy from Department of Justice, which is still in the process of approval
* a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the 
  European Parliament and of the Council" on the data retention. This law, however, still needs a few
  directives, which are about to be published.

Q3. Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3. As a first step there should be an "agreement" presented to the user by the application side. This wouldn't be enough so there should be regular inspections (a third eye) on these services. About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is a domain serving, founded by the victims of online banking crimes in Turkey.

Q4. What should OWASP be focusing on?

A4. As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5. What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5. Some suggestions; . Printed booklets of Guide and Testing Guide. . OWASP CD with shiny labels . I'm afraid to say but... t-shirts

Q6. Should OWASP organize such 'OWASP Weeks' every quarter?

A6. OWASP should organize these events every 6 months or so :)

Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)

As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event (Web Security Days) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:

  • 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR

  • 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ Chief Researcher CC Lab-UEKAE TUBITAK

  • 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER Chief Researcher PRO-G

  • 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

Last Event - 1st Web Security Days - July 14 (Turkey 2007)

First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

For details...

Last Meetings

Sunday 6 May 2007
Time: 11:15-12:30

Address to the meeting are:

Middle East Technical University


    Web Application Security with ModSecurity and OWASP