Difference between revisions of "Vancouver"

From OWASP
Jump to: navigation, search
(2012 Meetings: added may 2012 meeting)
(46 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Chapter Template|chaptername=Vancouver|extra=The chapter leader is [mailto:nrerup@pdbsec.com Neil Rerup]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-vancouver|emailarchives=http://lists.owasp.org/pipermail/owasp-vancouver}}
+
{{Chapter Template|chaptername=Vancouver|extra=The chapter leader is Yvan Boily (yvanboily at gmail.com).
 +
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-vancouver|emailarchives=http://lists.owasp.org/pipermail/owasp-vancouver}}
  
== Local News ==
+
== 2012 Meetings ==
 +
You can subscribe to the OWASP Vancouver Calendar [https://www.google.com/calendar/ical/osgb36r55fqlt3m10jc4e2ef70%40group.calendar.google.com/public/basic.ics here].
  
'''OWASP Moves to MediaWiki Portal - 11:40, 20 May 2006 (EDT)'''
+
=== May 2012 ===
  
OWASP is pleased to announce the arrival of OWASP 2.0!
+
'''OAuth-based single sign-on in Real-world Implementations'''
  
OWASP 2.0 utilizes the MediaWiki portal to manage and provide
+
'''Speaker:''' San-Tsai Sung
the latest OWASP related information. Enjoy!
+
 
 +
'''Date & Time:''' Monday, May 28th, 2012 @ 5:30pm
 +
 
 +
Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based
 +
single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has proven secure by several formal methods, but whether it is indeed secure in practice remains an open
 +
question. We examine the implementations of three major OAuth identity providers (IdP) (Facebook, Microsoft, and Google) and 96 popular RP
 +
websites that support the use of Facebook accounts for login.  Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and impersonate the victim on the RP website. Closer
 +
examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.
 +
 
 +
'''Registration:''' Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP. If space runs out, preference will be given to those who have registered!
 +
 
 +
Please register at: [https://docs.google.com/spreadsheet/viewform?formkey=dHZSeTY1ZnFKTFo1elBRZ3BsenNvRnc6MQ here].
 +
''(Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)''
 +
 
 +
'''Location:'''
 +
Mozilla Vancouver, Suite 209, 163 West Hastings,
 +
Vancouver, BC (Buzzer code is in the directory)
 +
 
 +
 
 +
=== January 2012 ===
 +
 
 +
'''Outsourcing Identity: Understanding Privacy and Security in Identity Services'''
 +
 
 +
'''Speaker:''' Yvan Boily, Web Security Engineer, Mozilla Corporation
 +
 
 +
'''Date & Time:''' Monday, January 23rd, 2012 @ 5:30pm
 +
 
 +
Social Media has taken over the online world; what Microsoft attempted with Passport has been made reality by Facebook, Twitter, Google, and other service providers.  In addition to the proprietary identity services these platforms offer, several support protocols such as OpenID, This will be a one hour presentation that will contrast the security and privacy features available in major online identity protocols, and contrast these with Mozilla's BrowserID protocol.
 +
 
 +
'''Registration:'''  Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP.  If space runs out, preference will be given to those who have registered!
 +
 
 +
Please register [https://docs.google.com/spreadsheet/viewform?formkey=dHZSeTY1ZnFKTFo1elBRZ3BsenNvRnc6MQ here].
 +
''(Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)''
 +
 
 +
'''Location:'''
 +
Ping Identity,
 +
200 - 788 Beatty St,
 +
Vancouver
 +
 
 +
'''About Ping Identity
 +
'''
 +
Ping Identity has generously offered their downtown office space, located on the corner of Beatty and Robson, to host our chapters meetings moving forward. The office is 6000sq/ft of a mostly open floor plan, so we should be able to accommodate a large group.
 +
 
 +
 
 +
 
 +
[[Category:British Columbia]]

Revision as of 13:48, 24 May 2012

Contents

OWASP Vancouver

Welcome to the Vancouver chapter homepage. The chapter leader is Yvan Boily (yvanboily at gmail.com).
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

2012 Meetings

You can subscribe to the OWASP Vancouver Calendar here.

May 2012

OAuth-based single sign-on in Real-world Implementations

Speaker: San-Tsai Sung

Date & Time: Monday, May 28th, 2012 @ 5:30pm

Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdP) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.

Registration: Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP. If space runs out, preference will be given to those who have registered!

Please register at: here. (Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)

Location: Mozilla Vancouver, Suite 209, 163 West Hastings, Vancouver, BC (Buzzer code is in the directory)


January 2012

Outsourcing Identity: Understanding Privacy and Security in Identity Services

Speaker: Yvan Boily, Web Security Engineer, Mozilla Corporation

Date & Time: Monday, January 23rd, 2012 @ 5:30pm

Social Media has taken over the online world; what Microsoft attempted with Passport has been made reality by Facebook, Twitter, Google, and other service providers. In addition to the proprietary identity services these platforms offer, several support protocols such as OpenID, This will be a one hour presentation that will contrast the security and privacy features available in major online identity protocols, and contrast these with Mozilla's BrowserID protocol.

Registration: Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP. If space runs out, preference will be given to those who have registered!

Please register here. (Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)

Location: Ping Identity, 200 - 788 Beatty St, Vancouver

About Ping Identity Ping Identity has generously offered their downtown office space, located on the corner of Beatty and Robson, to host our chapters meetings moving forward. The office is 6000sq/ft of a mostly open floor plan, so we should be able to accommodate a large group.