Revision as of 05:09, 25 June 2008 by Bunyamin (talk | contribs)

Jump to: navigation, search

OWASP Turkey

Welcome to the Turkey chapter homepage. The chapter leader is Bedirhan Urgun
Click here to join the local chapter mailing list.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Chapter Members

Bunyamin Demir, Ferruh Mavituna, Mesut Timur, Yusuf Çeri,

Local News

Çeviri projesine yardım etmek isteyen arkadaşlar, lütfen iletişime geçiniz.


You can find Turkish translations of OWASP and other web security related documents here.

Artifacts - June 21 2008 OWASP-TR Talk in "Free Software Conference"

Here is the presentation given by Mesut Timur and keynote submitted at "Free Software Conference" in TOBB University of Economics and Technology; OWASP-TR Presentation and Web Security and Free Software Keynote (in Turkish) respectively.

Talk in Free Software Conference in Ankara

We'll be giving a talk in "Free Software Conference" about OWASP and OWASP/Turkey in TOBB University of Economics and Technology on 21st (Saturday) of June 2008. The talk will include an introduction to OWASP, OWASP/Turkey, as well as web/application security projects achieved in Turkey.

The Day will start at 09:30 and our talk, which will be presented by Mesut Timur, will be between 15.00-15.30. You can skim the programme here.

Artifacts - April 19 2008 OWASP-TR Talk in Yildiz Technical University

Here are the presentations given by Bünyamin Demir and Yusuf Çeri at "Open Source Code Day" in Yildiz Technical University, OWASP-TR Presentation and SqlDemo Presentation respectively. We'd like to thank YTÜ Bilişim Kulubü for inviting us.

And never the least, here are the pictures taken during the day.

Talk in Open Source Code Day in Yildiz Technical University

We'll be giving a talk in "Open Source Code Day" about OWASP and OWASP/Turkey in Yildiz Technical University on 19th of April 2008. The talk will include an introduction to OWASP, OWASP/Turkey, web/application security community in Turkey, the 1st OWASP Day video by Jeff and a live application insecurity demo.

The Day will start at 09:30 and our talk will be the last one before the noon.

Artifacts - March 09 2008 Meeting

It was a nice Sunday in Istanbul and we had 16 people talking about SPoC 08, April OWASP Week and web application security in general. Here are the pictures taken during the meeting.

March 09 Meeting

A casual meeting for anyone interested in web/software security. It will take place in Istanbul, Kadikoy at 14:30, on 09 March. To chat and enjoy the Bosphorus!

Artifacts - Web Security Days Ankara & İzmir November 2007

Through a foggy, and therefore a hard flight, we've managed to realize Web Security Days 2 & 3 in Ankara and Izmir, respectively. Having a total of ~130 attendees (most of them in Izmir), we hope WSD to be traditional and become more qualitysome.

Presentations & Code & Photos:

Next Event - 3rd Web Security Days İzmir - November 26 (Turkey 2007)

This event will be the third of "Web Security Days" and will take place on 26th of November 2007 in İzmir. The agenda of the event is here.

Next Event - 2nd Web Security Days Ankara - November 24 (Turkey 2007)

This event will be the second of "Web Security Days" and will take place on 24th of November 2007 in Ankara. The agenda of the event is here.

Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)


Discussion Answers:

Q1. What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1. During the meeting an effort was made to clarify the meaning of privacy;

- what are the key items that builds up to "privacy"?
- are we talking about the privacy of real people or should we also include the privacy of legal entities?
- is there really a solid line (or even a vague line) between confidentiality and privacy?

We defined privacy as confidentiality of the data; be it of a real person or a legal entity. But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions; The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2. Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2. Most of the participants agreed that a law is a necessity. But, maybe, more important thing is to raise the awareness of the customers. Here we also had a discussion on the current status of the law on privacy? There are mainly three documents on privacy in Turkish law;

* a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer)
* a draft law on privacy from Department of Justice, which is still in the process of approval
* a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the 
  European Parliament and of the Council" on the data retention. This law, however, still needs a few
  directives, which are about to be published.

Q3. Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3. As a first step there should be an "agreement" presented to the user by the application side. This wouldn't be enough so there should be regular inspections (a third eye) on these services. About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is a domain serving, founded by the victims of online banking crimes in Turkey.

Q4. What should OWASP be focusing on?

A4. As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5. What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5. Some suggestions; . Printed booklets of Guide and Testing Guide. . OWASP CD with shiny labels . I'm afraid to say but... t-shirts

Q6. Should OWASP organize such 'OWASP Weeks' every quarter?

A6. OWASP should organize these events every 6 months or so :)

Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007)

As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event (Web Security Days) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:

  • 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR

  • 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ Chief Researcher CC Lab-UEKAE TUBITAK

  • 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER Chief Researcher PRO-G

  • 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

Last Event - 1st Web Security Days - July 14 (Turkey 2007)

First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

For details...

Last Meetings

Sunday 6 May 2007
Time: 11:15-12:30

Address to the meeting are:

Middle East Technical University


    Web Application Security with ModSecurity and OWASP