https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=AndipannellOWASP - User contributions [en]2026-05-23T03:50:07ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Newcastle&diff=254912Newcastle2019-09-24T07:40:34Z<p>Andipannell: correction to potential December 2019 meetup</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
'''Next Event:'''<br />
<br />
03/12/2019<br />
<br />
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack].<br />
<br />
= Past Events =<br />
'''2019 Dates'''<br />
----<br />
<br />
23/09/2019 from 18:00 to 21:00 at Northumbria University, City Campus East<br />
<br />
'''Talk 1'''<br />
<br />
Title: Stalk Awareness<br />
<br />
Speaker: Cian (@nscrutables)<br />
<br />
Description: We often focus on nation states and corporation's role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed "stalkerware".<br />
<br />
This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I'll be examining these topics from both<br />
<br />
a technical and non-technical standpoint, based on many months of personal research.<br />
<br />
'''Talk 2'''<br />
<br />
Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - [https://www.owasp.org/images/c/cc/IntelligenceLedRiskManagement.pptx Slides]<br />
<br />
Speaker: Adam Pickering (<nowiki>https://twitter.com/Adam_P81</nowiki>)<br />
<br />
Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors<br />
----13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park<br />
<br />
Red Team versus Blue Team event<br />
<br />
'''Talk 1: Red Teaming a view from the field'''<br />
<br />
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)<br />
<br />
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.<br />
<br />
'''Talk 2: Protecting the museum – HIPS'''<br />
Speaker: Marek Banas<br />
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.<br />
<br />
Event is detailed here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]<br />
----26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.<br />
<br />
'''Talk 1: Matt Wixey (@darkartlab)'''<br />
<br />
The talk will be three smaller talks, covering: <br />
# Remote online social engineering (how attackers use catfishing techniques) <br />
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) <br />
# Attack linkage (using granular attack behaviours to link different cyber attacks)<br />
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''<br />
<br />
"Getting stakeholders on board".<br />
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?<br />
----'''2018 Dates'''<br />
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers:<br />
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' <br />
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). <br />
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015<br />
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
We held our first CTF (Capture The Flag) event.<br />
<br />
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]<br />
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers<br />
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=254911Newcastle2019-09-24T07:39:01Z<p>Andipannell: updated September 2019</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
'''Next Event:'''<br />
<br />
6/12/2019<br />
<br />
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack].<br />
<br />
= Past Events =<br />
'''2019 Dates'''<br />
----<br />
<br />
23/09/2019 from 18:00 to 21:00 at Northumbria University, City Campus East<br />
<br />
'''Talk 1'''<br />
<br />
Title: Stalk Awareness<br />
<br />
Speaker: Cian (@nscrutables)<br />
<br />
Description: We often focus on nation states and corporation's role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed "stalkerware".<br />
<br />
This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I'll be examining these topics from both<br />
<br />
a technical and non-technical standpoint, based on many months of personal research.<br />
<br />
'''Talk 2'''<br />
<br />
Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - [https://www.owasp.org/images/c/cc/IntelligenceLedRiskManagement.pptx Slides]<br />
<br />
Speaker: Adam Pickering (<nowiki>https://twitter.com/Adam_P81</nowiki>)<br />
<br />
Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors<br />
----13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park<br />
<br />
Red Team versus Blue Team event<br />
<br />
'''Talk 1: Red Teaming a view from the field'''<br />
<br />
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)<br />
<br />
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.<br />
<br />
'''Talk 2: Protecting the museum – HIPS'''<br />
Speaker: Marek Banas<br />
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.<br />
<br />
Event is detailed here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]<br />
----26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.<br />
<br />
'''Talk 1: Matt Wixey (@darkartlab)'''<br />
<br />
The talk will be three smaller talks, covering: <br />
# Remote online social engineering (how attackers use catfishing techniques) <br />
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) <br />
# Attack linkage (using granular attack behaviours to link different cyber attacks)<br />
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''<br />
<br />
"Getting stakeholders on board".<br />
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?<br />
----'''2018 Dates'''<br />
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers:<br />
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' <br />
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). <br />
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015<br />
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
We held our first CTF (Capture The Flag) event.<br />
<br />
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]<br />
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers<br />
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=File:IntelligenceLedRiskManagement.pptx&diff=254910File:IntelligenceLedRiskManagement.pptx2019-09-24T07:38:13Z<p>Andipannell: Talk by Adam Pickering about Intelligence Led Risk Management. Delivered at OWASP Newcastle in September 2019</p>
<hr />
<div>Talk by Adam Pickering about Intelligence Led Risk Management. Delivered at OWASP Newcastle in September 2019</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=253945Newcastle2019-08-20T10:14:20Z<p>Andipannell: update for September 2019 event</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
'''Next Event:'''<br />
<br />
23/09/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room to be confirmed<br />
<br />
1800 - 1815 | Arrival and networking<br />
<br />
1815 - 1820 | OWASP Newcastle Welcome<br />
<br />
1820 - 1920 | Talk 1<br />
<br />
1920 - 2000 | Pizza and networking<br />
<br />
2000 - 2045 | Talk 2<br />
<br />
2045 - onwards | Pub?<br />
<br />
'''Talk 1'''<br />
<br />
Title: Stalk Awareness<br />
<br />
Speaker: Cian (@nscrutables)<br />
<br />
Description: We often focus on nation states and corporation's role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed "stalkerware".<br />
<br />
This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I'll be examining these topics from both<br />
<br />
a technical and non-technical standpoint, based on many months of personal research.<br />
<br />
'''Talk 2'''<br />
<br />
Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management<br />
<br />
Speaker: Adam Pickering (<nowiki>https://twitter.com/Adam_P81</nowiki>)<br />
<br />
Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors<br />
<br />
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack].<br />
<br />
= Past Events =<br />
'''2019 Dates'''<br />
----13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park<br />
<br />
Red Team versus Blue Team event<br />
<br />
'''Talk 1: Red Teaming a view from the field'''<br />
<br />
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)<br />
<br />
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.<br />
<br />
'''Talk 2: Protecting the museum – HIPS'''<br />
Speaker: Marek Banas<br />
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.<br />
<br />
Event is detailed here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]<br />
----26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.<br />
<br />
'''Talk 1: Matt Wixey (@darkartlab)'''<br />
<br />
The talk will be three smaller talks, covering: <br />
# Remote online social engineering (how attackers use catfishing techniques) <br />
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) <br />
# Attack linkage (using granular attack behaviours to link different cyber attacks)<br />
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''<br />
<br />
"Getting stakeholders on board".<br />
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?<br />
----'''2018 Dates'''<br />
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers:<br />
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' <br />
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). <br />
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015<br />
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
We held our first CTF (Capture The Flag) event.<br />
<br />
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]<br />
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers<br />
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=252499Newcastle2019-06-20T12:24:44Z<p>Andipannell: archived June 2019 event</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
'''Next Event:'''<br />
<br />
Next event planned for September 2019.<br />
<br />
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack]. <br />
<br />
= Past Events =<br />
'''2019 Dates'''<br />
----13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park<br />
<br />
Red Team versus Blue Team event<br />
<br />
'''Talk 1: Red Teaming a view from the field'''<br />
<br />
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)<br />
<br />
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.<br />
<br />
'''Talk 2: Protecting the museum – HIPS'''<br />
Speaker: Marek Banas<br />
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.<br />
<br />
Event is detailed here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]<br />
----26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.<br />
<br />
'''Talk 1: Matt Wixey (@darkartlab)'''<br />
<br />
The talk will be three smaller talks, covering: <br />
# Remote online social engineering (how attackers use catfishing techniques) <br />
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) <br />
# Attack linkage (using granular attack behaviours to link different cyber attacks)<br />
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''<br />
<br />
"Getting stakeholders on board".<br />
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?<br />
----'''2018 Dates'''<br />
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers:<br />
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' <br />
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). <br />
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015<br />
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
We held our first CTF (Capture The Flag) event.<br />
<br />
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]<br />
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers<br />
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=251583Newcastle2019-05-15T08:26:04Z<p>Andipannell: added June 2019 meetup and archived Feb 2019</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
13/06/2019 from 18:00 to 21:00 at Eagle Lab Newcastle, Tus Park<br />
<br />
Red Team versus Blue Team event<br />
<br />
'''Talk 1: Red Teaming a view from the field'''<br />
<br />
Speakers: Andi Pannell (<nowiki>https://twitter.com/dr0idandy</nowiki>) , Robin Fewster (<nowiki>https://twitter.com/listenerstation</nowiki>), Gavin Johnson-Lynn (<nowiki>https://twitter.com/gav_jl</nowiki>)<br />
<br />
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.<br />
<br />
'''Talk 2: Protecting the museum – HIPS'''<br />
Speaker: Marek Banas<br />
Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.<br />
<br />
"Tickets" available here: [https://www.meetup.com/OWASP-Newcastle-Chapter/events/260856686/ OWASP Newcastle Meetup June 2019]<br />
<br />
Keep updated and in touch using the [https://groups.google.com/a/owasp.org/forum/#!forum/newcastle-chapter chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle] and/or [https://owasp.slack.com/messages/C0CLHS45S Slack]. <br />
<br />
= Past Events =<br />
'''2019 Dates'''<br />
<br />
26/02/2019 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-403.<br />
<br />
'''Talk 1: Matt Wixey (@darkartlab)'''<br />
<br />
The talk will be three smaller talks, covering: <br />
# Remote online social engineering (how attackers use catfishing techniques) <br />
# Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors) <br />
# Attack linkage (using granular attack behaviours to link different cyber attacks)<br />
'''Talk 2: Kathryn Cardose (@AGeordieLass)'''<br />
<br />
"Getting stakeholders on board".<br />
* So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation.....how do you get stakeholders of all levels to buy in and support security?<br />
----'''2018 Dates'''<br />
----25/09/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers:<br />
* '''Andy Ferguson: "Don't tell your Big Brother" Encryption tips and tricks.''' <br />
* '''Gavin Johnson-Lynn: My Path to CSSLP.''' Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there). <br />
The event is detailed here: https://www.eventbrite.com/e/owasp-newcastle-september-2018-meetup-tickets-49842084015<br />
----26/06/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
We held our first CTF (Capture The Flag) event.<br />
<br />
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags. The event is detailed here: [https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994?aff=eac2 https://www.eventbrite.com/e/owasp-newcastle-june-2018-capture-the-flag-tickets-43192186994]<br />
----27/03/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-402.<br />
<br />
Speakers<br />
* '''Andi Pannell: The Internet of (broken) things.''' This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
* '''Colin Watson: An introduction to the OWASP automated threats to web applications.''' Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=237883Newcastle2018-02-19T19:35:00Z<p>Andipannell: fixed url for old my slides</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
<br />
Our next event will be held on 27th March 2018. 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024. <br />
<br />
''Talk 1: Andi Pannell''<br />
<br />
''The Internet of (broken) Things''<br />
<br />
Talk: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
<br />
''Talk 2: Colin Watson''<br />
<br />
''An introduction to The OWASP Automated Threats to Web Applications''<br />
<br />
Talk: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.<br />
<br />
This OWASP project researched these aspects in 2015 and created a new ontology of web application automation threats, and has been updated twice since with the most recent release in February 2018. This presentation will describe the need, how the threats were classified and names defined, and how they information can be used in the real world developing and operating web applications. Attendees to the OWASP Newcastle event will receive a printed copy of the handbook; the PDF handbook and all other outputs are free to download from the OWASP website.<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
'''2018 Dates'''<br />
----<br />
<br />
30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----'''2017 Dates'''<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers: <br />
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Robin Fewster|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=237536Newcastle2018-02-14T13:26:00Z<p>Andipannell: march 2018 meeting update</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
<br />
Our next event will be held on 27th March 2018. 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024. <br />
<br />
''Talk 1: Andi Pannell''<br />
<br />
''The Internet of (broken) Things''<br />
<br />
Talk: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.<br />
<br />
''Talk 2: Colin Watson''<br />
<br />
''An introduction to The OWASP Automated Threats to Web Applications''<br />
<br />
Talk: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.<br />
<br />
This OWASP project researched these aspects in 2015 and created a new ontology of web application automation threats, and has been updated twice since with the most recent release in February 2018. This presentation will describe the need, how the threats were classified and names defined, and how they information can be used in the real world developing and operating web applications. Attendees to the OWASP Newcastle event will receive a printed copy of the handbook; the PDF handbook and all other outputs are free to download from the OWASP website.<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2017 Dates'''<br />
<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]<br />
----<br />
<br />
'''2018 Dates'''<br />
<br />
----<br />
<br />
30/11/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=237196Newcastle2018-01-31T21:34:27Z<p>Andipannell: </p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
= Upcoming Events =<br />
<br />
Next event to be announced soon. <br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2017 Dates'''<br />
<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data.<br />
----<br />
<br />
'''2018 Dates'''<br />
<br />
----<br />
<br />
30/11/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=237195Newcastle2018-01-31T21:33:50Z<p>Andipannell: added slack channel</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Slack =<br />
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here] <br />
<br />
= Upcoming Events =<br />
<br />
Next event to be announced soon. <br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2017 Dates'''<br />
<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data.<br />
----<br />
<br />
'''2018 Dates'''<br />
<br />
----<br />
<br />
30/11/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=237194Newcastle2018-01-31T21:27:52Z<p>Andipannell: archive of Jan 2018</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Upcoming Events =<br />
<br />
Next event to be announced soon. <br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2017 Dates'''<br />
<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data.<br />
----<br />
<br />
'''2018 Dates'''<br />
<br />
----<br />
<br />
30/11/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.<br />
<br />
Speakers<br />
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=236816Newcastle2018-01-15T20:16:38Z<p>Andipannell: january 2018 event</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Upcoming Events =<br />
<br />
Our first meeting of 2018 will be held on 30 January 2018. Northumbria Law Building room CCE01-008. <br />
<br />
''Talk 1: Neil Dixley'' <br />
<br />
''Code that fights back''<br />
<br />
Talk: Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.<br />
<br />
''Talk 2: Luke Sadler''<br />
<br />
''Practical demonstration of mobile software penetration''<br />
<br />
Talk: Luke Sadler walks us through hands on examples of cracking mobile technology.<br />
<br />
Tickets are available https://www.eventbrite.com/e/owasp-newcastle-january-2018-meetup-tickets-42204092577<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
----<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]] <br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]] <br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]] <br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
----<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
----<br />
<br />
'''2017 Dates'''<br />
<br />
----<br />
<br />
19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers: <br />
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
----<br />
<br />
21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.<br />
<br />
Speakers:<br />
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data.<br />
----<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=236580Newcastle2018-01-03T23:07:20Z<p>Andipannell: uploaded Lorenzo Talk November 2017</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Upcoming Events =<br />
<br />
The next meeting will be held on 21st November Northumbria City Campus East, room CCE1-024 18:00 - 21:00.<br />
<br />
If you plan to attend please register via Eventbrite [https://www.eventbrite.com/e/owasp-newcastle-november-2017-meetup-tickets-39611579300 here]. Registration is not essential although it does help us to estimate the pizza order!<br />
<br />
First talk by '''Lorenzo Grespan''' he will be talking about '''Explain hacking in ten minutes''':<br />
<br />
Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology.<br />
<br />
Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users.<br />
<br />
[[Media:OWASPNCL LG 21112017.pdf]]<br />
<br />
Pizza and networking<br />
<br />
Talk 2: '''Robin Sillem''' has a talk entitled '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data.<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' <br />
[[Media: OWASP_Honeypots.odp]]<br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.'''<br />
[[Media: OWASP_Security_Containerisation.ppt]]<br />
<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' <br />
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.<br />
[[Media: An_introduction_to_penetration_testing.pptx]]<br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' <br />
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.<br />
[[Media: Threat_Modeling_Presentation.pptx]]<br />
<br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
'''2017 Dates'''<br />
<br />
''Running a security event using OWASP Security Shepherd''<br />
<br />
In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
<br />
'''Talk 2: Mike Goodwin'''<br />
<br />
''Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon''<br />
<br />
Threat modeling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=File:OWASPNCL_LG_21112017.pdf&diff=236579File:OWASPNCL LG 21112017.pdf2018-01-03T23:04:37Z<p>Andipannell: </p>
<hr />
<div>Lorenzo Talk Newcastle November 2017</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=234653Newcastle2017-10-26T09:59:52Z<p>Andipannell: </p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Upcoming Events =<br />
<br />
The next meeting will be held on 21st November Northumbria City Campus East, room CCE1-024 18:00 - 21:00.<br />
<br />
First talk by '''Lorenzo Grespan''' he will be talking about '''Explain hacking in ten minutes''':<br />
<br />
Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology.<br />
<br />
Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users.<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' <br />
[[Media: OWASP_Honeypots.odp]]<br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.'''<br />
[[Media: OWASP_Security_Containerisation.ppt]]<br />
<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' <br />
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.<br />
[[Media: An_introduction_to_penetration_testing.pptx]]<br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' <br />
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.<br />
[[Media: Threat_Modeling_Presentation.pptx]]<br />
<br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
'''2017 Dates'''<br />
<br />
''Running a security event using OWASP Security Shepherd''<br />
<br />
In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
<br />
'''Talk 2: Mike Goodwin'''<br />
<br />
''Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon''<br />
<br />
Threat modeling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=234652Newcastle2017-10-26T09:58:44Z<p>Andipannell: updated Lorenzo's talk for 21/11/2017</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Upcoming Events =<br />
<br />
The next meeting will be held on 21st November Northumbria City Campus East, room CCE1-024 18:00 - 21:00.<br />
<br />
First talk by '''Lorenzo Grespan''' he will by talking about '''Explain hacking in ten minutes''':<br />
<br />
Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology.<br />
<br />
Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users.<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' <br />
[[Media: OWASP_Honeypots.odp]]<br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.'''<br />
[[Media: OWASP_Security_Containerisation.ppt]]<br />
<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' <br />
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.<br />
[[Media: An_introduction_to_penetration_testing.pptx]]<br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' <br />
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.<br />
[[Media: Threat_Modeling_Presentation.pptx]]<br />
<br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
'''2017 Dates'''<br />
<br />
''Running a security event using OWASP Security Shepherd''<br />
<br />
In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
<br />
'''Talk 2: Mike Goodwin'''<br />
<br />
''Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon''<br />
<br />
Threat modeling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=Newcastle&diff=233737Newcastle2017-09-25T16:32:00Z<p>Andipannell: added Andi Pannell to chapter leaders</p>
<hr />
<div>{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}<br />
<br />
= Next Meeting =<br />
<br />
TBC - watch this space! Expected December 2017 or January 2018.<br />
<br />
= Upcoming Events =<br />
<br />
Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
The long talk by '''Ben Lee''' and '''Ross Dargan''':<br />
<br />
'''The problems with proving identity.'''<br />
<br />
In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.<br />
<br />
The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*<br />
<br />
(*Talk may not be historically accurate! ;))<br />
<br />
[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]<br />
<br />
The short talks:<br />
<br />
'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''<br />
<br />
The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.<br />
<br />
Take a copy of the game away with you - it is suitable for developers of all sizes.<br />
<br />
[[Media: Owaspnewcastle-snakesandladders.pptx]]<br />
<br />
'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''<br />
<br />
This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.<br />
<br />
[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]<br />
<br />
'''Mike Goodwin - Real world defence in depth (part 1)'''<br />
<br />
Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.<br />
<br />
[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]<br />
<br />
----<br />
<br />
29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002<br />
<br />
We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).<br />
<br />
Speakers:<br />
<br />
* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]<br />
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]<br />
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]<br />
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]<br />
<br />
----<br />
<br />
28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' <br />
[[Media: OWASP_Honeypots.odp]]<br />
<br />
* '''George Chlapoutakis: Security in the World of Containerisation.'''<br />
[[Media: OWASP_Security_Containerisation.ppt]]<br />
<br />
----<br />
<br />
29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.<br />
<br />
Speakers:<br />
* '''Robin Fewster: An introduction to basic application penetration testing.''' <br />
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.<br />
[[Media: An_introduction_to_penetration_testing.pptx]]<br />
<br />
* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' <br />
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.<br />
[[Media: Threat_Modeling_Presentation.pptx]]<br />
<br />
----<br />
<br />
24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.<br />
<br />
Speakers: <br />
<br />
* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]<br />
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]<br />
<br />
----<br />
<br />
'''2016 Dates'''<br />
<br />
23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.<br />
<br />
Speakers: <br />
<br />
* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]<br />
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]<br />
<br />
'''2017 Dates'''<br />
<br />
''Running a security event using OWASP Security Shepherd''<br />
<br />
In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]<br />
<br />
'''Talk 2: Mike Goodwin'''<br />
<br />
''Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon''<br />
<br />
Threat modeling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Connor Carr|Connor Carr]]<br />
* [[User:Listenerstation|Robin Fewster]]<br />
* [[User:Michael Goodwin|Mike Goodwin]]<br />
* [[User:Andi Pannell|Andi Pannell]]<br />
<br />
We are always happy to hear from people who want to contribute to the chapter as a leader.<br />
<br />
= Sponsorship = <br />
<br />
The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.<br />
<br />
[[File:sage-logo.jpg]]<br />
<br />
Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:<br />
<br />
* Platinum sponsor (£1200)<br />
* Gold sponsor (£600)<br />
* Silver sponsor (£300)<br />
<br />
Any other donation is also gratefully received.<br />
<br />
= Local Organisations =<br />
<br />
Other related organisations in the Newcastle area:<br />
<br />
* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].<br />
<br />
Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Andipannellhttps://wiki.owasp.org/index.php?title=User:Andi_Pannell&diff=233736User:Andi Pannell2017-09-25T16:26:30Z<p>Andipannell: added main details</p>
<hr />
<div>I've worked in security professionally since 2014, after graduating from Northumbria University with an Ethical Hacking degree. I am currently working as a Penetration Tester at a security consultancy and based in the North East. I head up the Android mobile security service and I am a regular speaker and attendee of various security conferences worldwide.</div>Andipannellhttps://wiki.owasp.org/index.php?title=Mobile_Top_Ten_Contributions&diff=219177Mobile Top Ten Contributions2016-07-21T10:32:37Z<p>Andipannell: /* Wiki Content */</p>
<hr />
<div>This page is a work in progress. If we have omitted you, or incorrectly affiliated you, please contact us right away.<br />
<br />
== Project Leads ==<br />
<br />
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]<br />
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]<br />
* [mailto:jonthan.carter@owasp.org Jonathan Carter - Arxan Technologies]<br />
*[mailto:milan@owasp.org Milan Singh Thakur]<br />
<br />
== Strategic Roadmap ==<br />
<br />
[[Media:OWASP Mobile Top Ten 2015 - Strategy.pdf|Strategy Document]]<br />
<br />
== Wiki Content ==<br />
<br />
* [mailto:chad.butler@owasp.org Chad Butler - Concur Technologies]<br />
* [mailto:jonathan.carter@owasp.org Jonathan Carter - Arxan Technologies]<br />
* Ron Gutierrez - Gotham Digital Science<br />
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]<br />
* [mailto:paco@owasp.org Paco Hope - Cigital]<br />
* Zach Lanier<br />
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]<br />
* [mailto:andrew.pannell@owasp.org Andrew Pannell - Pentest Limited]<br />
* Rahil Parikh - Gotham Digital Science<br />
* Mike Zuzman<br />
*[mailto:milan@owasp.org Milan Singh Thakur]<br />
<br />
== Data Contributors ==<br />
<br />
* [http://www8.hp.com/us/en/software-solutions/fortify-on-demand-application-security/mobile-application-security.html HP Fortify]<br />
* [https://twitter.com/andresitoath Andreas Athanasoulias & Syntax IT]<br />
* [http://www.espheresecurity.com/ Hemil Shah and eSphere Security]<br />
* [http://www.riis.com/ Godfrey Nolan and RIIS (Research Into Internet Systems)]<br />
* [http://www.arxan.com/ Arxan Technologies]<br />
* [http://www.cigital.com/ Cigital]<br />
* [http://www.bugcrowd.com/ Bugcrowd]<br />
* [http://www.hacklabs.com/ Hacklabs]<br />
* [http://www.ibm.com/security/xforce/ IBM X-Force Threat Intelligence]<br />
* [http://www.krvw.com/ KRVW Associates]<br />
* [http://www.metaintelli.com/ MetaIntelli]<br />
* [http://www.purehacking.com/ Pure Hacking]<br />
* [http://www.securenetwork.it/ Secure Network]<br />
*[https://aujas.com/ Aujas Networks]<br />
<br />
== Data ==<br />
<br />
The 2015 data sets are stored at the below link:<br />
<br />
[https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0 https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0]<br />
<br />
== Synthesis ==<br />
<br />
Key observations and trends from the data can be found in here:<br />
<br />
* [[Media:OWASP Mobile Top Ten 2015 - Final Synthesis.pdf|Synthesis Document]]<br />
<br />
== Additional Thanks ==<br />
<br />
* Jim Manico</div>Andipannellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project&diff=193724OWASP Mobile Security Project2015-04-20T14:26:13Z<p>Andipannell: /* Contributors */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Mobile Security Project ==<br />
<br />
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.<br />
<br />
Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.<br />
<br />
<br/><br />
<br />
'''We have a Google Doc where anyone who wants to be involved with the project can add their thoughts, suggestions, and take ownership of initiatives - [https://docs.google.com/document/d/1bScrvrLJLOHcSbztjBxYoN-jN3kR8bViy9tF8Nx0c08/edit Click here]. There are various tasks that people have started over the past 6 months with varying levels of quality and completeness.'''<br />
<br />
This project is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads or feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well! <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks Project Email List]<br />
<br />
== Project Leaders ==<br />
{{Template:Contact | name = Mike Zusman<br />
| email = mike.zusman@owasp.org<br />
| username = schmoilito }}<br/><br />
{{Template:Contact<br />
| name = Tony DeLaGrange<br />
| email = mobisec@secureideas.net<br />
| username = Tony DeLaGrange<br />
}}<br/><br />
{{Template:Contact<br />
| name = Sarath Geethakumar<br />
| email = sarath.geethakumar@owasp.org<br />
| username = Sarath Geethakumar<br />
}}<br/><br />
{{Template:Contact<br />
| name = Tom Eston<br />
| email = teston@securestate.com<br />
}}<br/><br />
{{Template:Contact<br />
| name = Don Williams<br />
}}<br/><br />
{{Template:Contact<br />
| name = Jason Haddix<br />
| email = jason.haddix@hp.com<br />
| username = Jason Haddix<br />
}}<br/><br />
<br />
== Contributors ==<br />
{{Template:Contact<br />
| name = Zach Lanier<br />
| email = zach.lanier@n0where.org<br />
| username = Zach_Lanier<br />
}}<br/><br />
{{Template:Contact<br />
| name = Jim Manico<br />
| email = jim.manico@owasp.org<br />
| username = jmanico<br />
}}<br/><br />
{{Template:Contact<br />
| name = Ludovic Petit<br />
| email = ludovic.petit@owasp.org<br />
| username = Ludovic Petit<br />
}}<br/><br />
{{Template:Contact<br />
| name = Swapnil Deshmukh<br />
| email = sd.swapz@gmail.com<br />
| username = Swapnil Deshmukh<br />
}}<br/><br />
{{Template:Contact<br />
| name = Beau Woods<br />
| email = owasp@beauwoods.com<br />
| username = Beau Woods<br />
}}<br/><br />
{{Template:Contact<br />
| name = Jonathan Carter<br />
| email = jonathan.carter@owasp.org<br />
| username = Jonathan Carter<br />
}}<br/><br />
{{Template:Contact<br />
| name = David Martin Aaron<br />
| email = davidmartinaaron@gmail.com<br />
| username = David Martin Aaron<br />
}}<br/><br />
{{Template:Contact<br />
| name = Luca De Fulgentis<br />
| email = luca@securenetwork.it<br />
| username = Daath<br />
}}<br/><br />
{{Template:Contact<br />
| name = Milan Singh Thakur<br />
| email = milanthakur2010@gmail.com<br />
| username = Milan Singh Thakur<br />
}}<br/><br />
{{Template:Contact<br />
| name = Andrew Pannell<br />
| email = andrew.pannell@owasp.org<br />
| username = Andipannell<br />
}}<br />
|}<br />
<br />
= Top 10 Mobile Risks =<br />
<br />
Please visit the [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks project page] for current information. <br />
<br />
== About this list ==<br />
In 2013, we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape. <br />
<br />
<br />
Our goals for the 2014 list included the following:<br />
[[File:2014-01-26 20-23-29.png|right|550px]]<br />
* Updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc;<br />
* Generation of more data; and<br />
* A PDF release.<br />
<br />
This list has been finalized after a 90-day feedback period from the community. Based on feedback, we intend on releasing a Mobile Top Ten 2015 list following a similar approach of collecting data, grouping the data in logical and consistent ways.<br />
<br />
Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well! <br />
<br />
== Call to Action for 2015 ==<br />
We are currently looking for vendors, consultants, or other industry experts within the appsec community that are willing to participate in the OWASP Mobile Top Ten 2015. Participation could include any of the following: gathering data, promoting awareness, etc.<br />
<br />
We have published a [https://docs.google.com/viewer?a=v&pid=forums&srcid=MTM2MzA3NTkyMzA4NjgxNjcwNjQBMTU5NDg1NTE3NTg0NTgyOTMzOTgBUmEtcUZEUFNUVzRKATAuMQFvd2FzcC5vcmcBdjI Call for Data document] and have also (in the name of transparency) [https://docs.google.com/spreadsheets/d/16bW_VhEIlFU4cfN8BOOk40-XN93FM0f0Sxcx67NwPcg/edit?usp=sharing published a document] which lists which entities/vendors/individuals/etc that we have reached out to. These requests were made because we know these entities to be thought leaders in the mobile application space. If we missed you, and you have data or feedback to contribute, we apologize. Please email one of us!<br />
<br />
== Top 10 Mobile Risks - Final List 2014 ==<br />
[[File:2014-01-26 20-23-29.png|right|550px]]<br />
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]] <br />
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]<br />
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]<br />
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]<br />
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]<br />
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]<br />
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]<br />
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]<br />
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]<br />
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]<br />
<br />
== Project Leads, Credit, and Contributions ==<br />
<br />
* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''<br />
<br />
== Project Methodology ==<br />
<br />
* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''<br />
<br />
== Archive ==<br />
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks. &nbsp;This list was initially released on September 23, 2011 at Appsec USA. &nbsp;<br />
** The original presentation can be found here:&nbsp;[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br> <br />
** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]<br />
** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]<br />
<br />
<br />
= Mobile Tools =<br />
== iMAS ==<br />
<br />
iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.<br />
<br />
[https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project iMas Project Page]<br />
<br />
The source code for iMAS is available on GitHub: [https://github.com/project-imas/about iMAS Source Code]<br />
<br />
== GoatDroid ==<br />
<br />
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.<br />
<br />
As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.<br />
<br />
You can find GoatDroid on GitHub: [https://github.com/jackMannino/OWASP-GoatDroid-Project GoatDroid Source Code]<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project GoatDroid Project Page]<br />
<br />
== iGoat ==<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
[https://www.owasp.org/index.php/OWASP_iGoat_Project iGoat Project Page]<br />
<br />
The iGoat source code is available on Google Code [http://code.google.com/p/owasp-igoat/ iGoat Source Code]<br />
<br />
== Damn Vulnerable iOS Application ==<br />
<br />
Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.<br />
<br />
The current challenge categories:<br />
<br />
* Insecure Data Storage (4 exercises)<br />
* Jailbreak Detection (2 exercises)<br />
* Runtime Manipulation (3 exercises)<br />
* Transport Layer Security (1 exercise)<br />
* Client Side Injection (1 exercise)<br />
* Broken Cryptography (1 exercise)<br />
* Binary Patching (4 exercises)<br />
<br />
[http://damnvulnerableiosapp.com DVIA Home Page]<br />
<br />
[https://www.owasp.org/index.php/OWASP_DVIA DVIA OWASP Project Page]<br />
<br />
[https://github.com/prateek147/DVIA DVIA Github Source]<br />
<br />
[http://damnvulnerableiosapp.com/#learn DVIA Learning Resources]<br />
<br />
== MobiSec ==<br />
<br />
The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure. The purpose is to provide attackers and defenders the ability to test their mobile environments to identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment for testers to leverage the best of all available open source mobile testing tools, as well as the ability to install additional tools and platforms, that will aid the penetration tester through the testing process as the environment is structured and organized based on an industry‐proven testing framework. Using a live environment provides penetration testers the ability to boot the MobiSec Live Environment on any Intel-based system from a DVD or USB flash drive, or run the test environment within a virtual machine. <br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec Project Page]<br />
<br />
MobiSec can be downloaded from Sourceforge: [http://sourceforge.net/p/mobisec/wiki/Home/ MobiSec Download Repository]<br />
<br />
== Androick ==<br />
<br />
Androick is a collaborative research project from PHONESEC Ltd. With our tool, you can evaluate some risks on Android mobile applications.<br />
Androick is a tool that allows any user to analyze an Android application. It can get the apk file, all the datas and the databases in sqlite3 and csv format. <br />
Only for Pentesters or Researchers.<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Androick_Project Androick Project Page]<br />
<br />
== NowSecure App Testing Community Edition ==<br />
<br />
The NowSecure App Testing Community Edition is the freely downloadable version of the powerful App Testing suite. Users are offered a number of features such as network capture, automation, import / export, and reporting to test and secure mobile apps.<br />
<br />
It provides the opportunity to complete mobile app security tests on any application on Android or iOS mobile devices (or installed in an emulator).<br />
<br />
The suite is provided as a preconfigured virtual machine (VM). After downloading the VM and licensing your version of the suite you will have everything you need to test the security of mobile apps.<br />
<br />
Built in emulator - Don’t have a device? No worries. The suite includes a built in Emulator that may be used to test the security of your mobile applications.<br />
<br />
[https://www.nowsecure.com/apptesting/community/ NowSecure App Testing Suite]<br />
<br />
== OWASP Seraphimdroid ==<br />
OWASP SeraphimDroid is educational, privacy and device protection application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid is also an application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge. <br />
<br />
[https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project page]<br />
<br />
[https://github.com/nikolamilosevic86/owasp-seraphimdroid OWASP Seraphimdroid code]<br />
<br />
[https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid OWASP Seraphimdroid on Google Play]<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Mobile Security Testing =<br />
<br />
== Introduction ==<br />
<br />
A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, a general mobile threat model can be used to assist test teams in creating a mobile security testing methodology for any platform. The outline which follows describes a general mobile application testing methodology which can be tailored to meet the security tester’s needs. It is high level in some places, and over time will be customized on a per-platform basis.<br />
<br />
This guide is targeted towards application developers and security testers. Developers can leverage this guide to ensure that they are not introducing the security flaws described within the guide. Security testers can use it as a reference guide to ensure that they are adequately assessing the mobile application attack surface. The ideal mobile assessment combines dynamic analysis, static analysis, and forensic analysis to ensure that the majority of the mobile application attack surface is covered. <br />
<br />
On some platforms, it may be necessary to have root user or elevated privileges in order to perform all of the the required analysis on devices during testing. Many applications write information to areas that cannot be accessed without a higher level of access than the standard shell or application user generally has. For steps that generally require elevated privileges, it will be stated that this is the case. <br />
<br />
This guide is broken up into three sections:<br />
*'''Information Gathering-''' describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing as well as determining the application’s magnitude of effort and scoping.<br />
*'''Static Analysis'''- Analyzing raw mobile source code, decompiled or disassembled code. <br />
*'''Dynamic Analysis''' - executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local interprocess communication surface, forensic analysis of the local filesystem, and assessing remote service dependencies.<br />
<br />
<br />
=== How To Use This Resource ===<br />
<br />
As this guide is not platform specific, you will need to know the appropriate techniques & tools for your target platform. The OWASP Mobile Security Project has also developed a number of other supporting resources which may be able to be leveraged for your needs.<br />
<br />
'''In this current draft release, the guide is a work in progress. We need additional contributors to help fill in the blanks. If you think something is missing (there certainly is), add it.'''<br />
<br />
As this guide is not platform specific, you will need to know the appropriate techniques & tools for your target platform. The OWASP Mobile Security Project has also developed a number of other supporting resources which may be able to be leveraged for your needs,<br />
<br />
The steps required to properly test an Android application are very different than those of testing an iOS application. Likewise, Windows Phone is very different from the other platforms. Mobile security testing requires a diverse skillset over many differing operating systems and a critical ability to analyze various types of source code.<br />
<br />
In many cases, a mobile application assessment will require coverage in all three areas identified within this testing reference. A dynamic assessment will benefit from an initial thorough attempt at Information Gathering, some level of static analysis against the application’s binary, and a forensic review of the data created and modified by the application’s runtime behavior.<br />
<br />
Please use this guide in an iterative fashion, where work in one area may require revisiting previous testing steps. As an example, after completing a transaction you may likely need to perform additional forensic analysis on the device to ensure that sensitive data is removed as expected and not cached in an undesired fashion. As you learn more about the application at runtime, you may wish to examine additional parts of the code to determine the best way to evade a specific control. Likewise, during static analysis it may be helpful to populate the application with certain data in order to prove or refute the existence of a security flaw.<br />
<br />
In the future, contributors to the testing guide should consider adding entries under each section relevant to a specific platform. Over time, OWASP contributors will write platform specific guides and expand upon this body of knowledge. <br />
<br />
If a specific area of interest is not covered in this guide, please feel free to either: <br />
<br />
*write the material yourself by registering for a wiki account and contributing content: [https://www.owasp.org/index.php/Special:RequestAccount Wiki Registration]<br />
*bring this up as a topic on the Mobile Project’s mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-mobile-security-project Mobile Mailing List]<br />
<br />
Collaboration on building the guide is being performed within Google Docs. You can find the latest and greatest material here: [https://docs.google.com/document/m/?id=1N7zMXlFHtWfc00xa6lRHnVB60U4BZO4SbUrWYMbojVM&pli=1&login=1 Testing Guide Google Doc]<br />
<br />
== Information Gathering ==<br />
<br />
As a result of this initial information gathering exercise, the tester will be better prepared for the future testing phases. Testers, Developers and Security people often fail to take the time to learn the target application and supporting infrastructure, opting to dive in blind, possibly losing valuable time and missing possible attack vectors. Without a solid understanding of how the application “should” work as well as the technologies in use, the tester will not be able to identify when the application behaves in a manner that it “shouldn’t”.<br />
<br />
Prerequisites of this phase may require specific operating systems, platform specific software development kits (SDK’s), rooted or jailbroken devices, the ability to man-in-the-middle secure communications (i.e. HTTPS) and bypass invalid certificate checks.<br />
<br />
*Manually navigate through the running application to understand the basic functionality and workflow of the application. This can be performed on a real device or within a simulator/emulator. For deeper understanding of application functionality tester can proxy and sniff all network traffic from either a physical mobile device or an emulator/simulator recording and logging traffic (if your proxy tool permits logging, which most should).<br />
<br />
*Identify the networking interfaces used by the application, for instance:<br />
**Mobile Communication (GSM, GPRS, EDGE, LTE)<br />
**Wireless (Wi-Fi (802.11 standards), Bluetooth, NFC)<br />
**Virtual Interfaces (i.e. VPN)<br />
<br />
*Determine what the application supports for access 3G, 4G, wifi and or others<br />
<br />
*What networking protocols are in use?<br />
**Are secure protocols used where needed?<br />
**Can they be switched with insecure protocols?<br />
<br />
*Does the application perform commerce transactions?<br />
**Credit card transactions and/or stored payment information (certain industry regulations may be required (i.e. PCI DSS)).<br />
**In-app purchasing of goods or features<br />
**Make note for future phases to determine does the application store payment information? How is payment information secured?<br />
<br />
*Monitor and identify the hardware components that the application may potentially interact with<br />
**NFC<br />
**Bluetooth<br />
**GPS<br />
**Camera<br />
**Microphone<br />
**Sensors<br />
**USB<br />
<br />
*Perform open source intelligence gathering (search engines, source code repositories, developer forums, etc.) to identify source code or configuration information that may be exposed (i.e. 3rd party components integrated within the application)<br />
<br />
*What frameworks are in use?<br />
<br />
*Identify if the application appears to interact with any other applications, services, or data such as:<br />
**Telephony (SMS, phone)<br />
**Contacts<br />
**Auto correct / dictionary services<br />
**Receiving data from apps and other on-device services<br />
**Google Wallet<br />
**iCloud<br />
**Social networks (i.e. Facebook, Twitter, LinkedIn, Google+)<br />
**Dropbox<br />
**Evernote<br />
**Email<br />
**Etc.<br />
<br />
*Can you determine anything about the server side application environment?<br />
**Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)<br />
**Development environment (Rails, Java, Django, ASP.NET, etc.)<br />
**Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)<br />
**Any other APIs in use<br />
***Payment gateways<br />
***SMS messaging<br />
***Social networks<br />
***Cloud file storage<br />
***Ad networks<br />
<br />
*Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior<br />
**Leaking sensitive information (i.e. credentials) in the response<br />
**Resources not exposed through the UI<br />
**Error messages<br />
**Cacheable information<br />
<br />
<br />
== Static Analysis ==<br />
<br />
There are two primary ways static analysis will generally be performed on a mobile application: <br />
#Analyzing source code obtained from development team (prefered) <br />
#Using a compiled binary. <br />
<br />
Some level of static analysis should be performed for both dynamic and forensic analysis, as the application’s code will almost always provide valuable information to the tester (i.e. logic, backend targets, APIs, etc).<br />
<br />
In scenarios where the primary goal is to identify programmatic examples of security flaws, your best bet is to review pure source code as opposed to reverse engineering compiled software. For source code reviews, it is highly beneficial to have access to either a development or production instance of any web services. This includes both source code and a working test environment to perform the assessment within in order to expedite understanding of the code.<br />
<br />
=== Getting Started ===<br />
*If the source is not directly available, decompile or disassemble the application’s binary<br />
**extract the application from the device<br />
**follow the appropriate steps for your platform’s application reverse engineering<br />
**some applications may also require decryption prior to reverse engineering (note: decryption and code obfuscation are not the same thing)<br />
<br />
*Review the permissions the application requests as well as the resources that it is authorized to access (i.e. AndroidManifest.xml, iOS Entitlements or Windows Phone's WMAppManifest.xml)<br />
<br />
*Are there any easy to identify misconfigurations within the application found within the configuration files? Debugging flags set, world readable/writable permissions, etc.<br />
<br />
*What frameworks are in use? Is the application built using a cross-platform framework?<br />
<br />
*Identify the libraries in use including both platform provided as well as third party. Perform a quick review on the web to determine if these libraries:<br />
**are up to date<br />
**are free of vulnerabilities<br />
**expose functionality that requires elevated privileges (access to location or contact data)<br />
**native code<br />
<br />
*Does the application check for rooted/jailbroken devices? How is this done? How can this be circumvented? Is it as easy as changing the case of a file name or name of executable or path?<br />
<br />
*Determine what types of objects are implemented to create the various views within the application. This may significantly alter your test cases, as some views implement web browser functionality while others are native UI controls only.<br />
<br />
*Is all code expected to run within the platform’s standard runtime environment, or are some files/libraries dynamically loaded or called outside of that environment at runtime?<br />
<br />
*Attempt to match up every permission that the application requests with an actual concrete implementation of it within the application. Often, developers request more permission than they actually need. Identify if the same functionality could be enabled with lesser privileges.<br />
<br />
*Locate hard coded secrets within the application such as API keys, credentials, or proprietary business logic.<br />
<br />
*Identify every entry point for untrusted data entry and determine how it enforces access controls, validates and sanitizes inbound data, and passes the data off to other interpreters<br />
**From web service calls<br />
**Receiving data from other apps and on-device services<br />
**Inbound SMS messages<br />
**Reading information from the filesystem<br />
<br />
=== Authentication ===<br />
<br />
*Locate the code which handles user authentication through the UI. Assess the possible methods of user impersonation via vectors such as parameter tampering, replay attacks, and brute force attacks.<br />
<br />
*Check if authentication is done online/offline. Sometimes authentication is done offline, so here you can try SQLi to bypass authentication.<br />
<br />
*Determine if the application utilizes information beyond username/password such as<br />
**contextual information (i.e.- device identifiers, location)<br />
**certificates<br />
**tokens<br />
<br />
*Does the application utilize visual swipe or touch passwords vs. conventional usernames and passwords?<br />
**Assess the method of mapping the visual objects to an authentication string to determine if adequate entropy exists<br />
<br />
*Does the application implement functionality that permits inbound connections from other devices? (i.e.- Wi-Fi Direct, Android Beam, network services)<br />
**Does the application properly authenticate the remote user or peer prior to granting access to device resources?<br />
**How does the application handle excessive failed attempts at authentication?<br />
**are failed attempts logged?<br />
**what mechanisms exist to inform the user of a potential attack?<br />
<br />
*Is there account lockout implemented for limited invalid login attempts?<br />
**How many invalid attempts are allowed?<br />
**Does application handles DOS performed using account lockout feature?<br />
**How does it unlock the user account? <br />
<br />
*Single Sign On, e.g.<br />
**OAuth<br />
**Facebook<br />
**Google Apps<br />
<br />
*SMS<br />
**How is the sender authenticated?<br />
***password<br />
***header information<br />
***Other mechanism?<br />
**Are one time passwords (OTP) used or is other sensitive account data transmitted via SMS?<br />
***Can other applications access this data?<br />
**What if attacker tampers OTP using gprs modem?<br />
**Can application validate the tampered OTP?<br />
<br />
*USSD<br />
**Does application use USSD/Flash messages to authenticate use?<br />
***USSD based authentication is more reliable than SMS<br />
<br />
*Push Notifications<br />
**If the application consumes information via push notifications, how does the application verify the identity of the sender?<br />
<br />
=== Authorization ===<br />
*Review file permissions for files created at runtime<br />
<br />
*Determine if it is possible to access functionality not intended for your role<br />
<br />
**Identify if the application has role specific functionality within the mobile application<br />
<br />
**Locate any potential flags or values that may be set on the client from any untrusted source that can be a point of privilege elevation such as<br />
***databases<br />
***flat files<br />
***HTTP responses<br />
<br />
**Find places within an application that were not anticipated being directly accessed without following the application’s intended workflow<br />
<br />
*Licensing<br />
**Can licensing checks be defeated locally to obtain access to paid-for data resources? (i.e.- patching a binary, modifying it at runtime, or by modifying a local configuration file)<br />
**Does the code suggest that licensed content is served with a non-licensed app but restricted by UI controls only?<br />
**Are licensing checks performed properly by the server or platform licensing services?<br />
**How does the application detect and respond to tampering?<br />
***Are alerts sent to and expected by the developer?<br />
***Does the application fail open or fail closed?<br />
***Does the application wipe its data?<br />
<br />
=== Session Management ===<br />
<br />
*Ensure that sessions timeout locally as well as server side.<br />
**Make sure Session Timeout is set to minimal value.<br />
<br />
*Is sensitive information utilized within the application flushed from memory upon session expiration?<br />
<br />
*No Session IDs should be passed in URL, ensure usage of POST method or hidden fields.<br />
<br />
*Detect Session Fixation/Tampering on Server Side.<br />
<br />
*Ensure Session tokens are randomized and are not guessable or in sequence.<br />
<br />
=== Data Storage ===<br />
<br />
*Encryption<br />
**Are the algorithms used “best of breed” or do they contain known issues?<br />
**How are keys derived from i.e. a password?<br />
**Based on the algorithms and approaches used to encrypt data, do implementation issues exist that degrade the effectiveness of encryption?<br />
**How are keys managed and stored on the device? Can this reduce the complexity in breaking the encryption?<br />
<br />
*Identify if the application utilizes storage areas external to the “sandboxed” locations to store unencrypted data such as:<br />
**Places with limited access control granularity (SD card, tmp directories, etc.)<br />
**Directories that may end up in backups or other undesired locations (iTunes backup, external storage, etc.)<br />
**Cloud storage services such as Dropbox, Google Drive, or S3<br />
<br />
*Does the application write sensitive information to the file system at any point, such as:<br />
**Credentials<br />
***Username and/or password<br />
***API keys<br />
***Authentication tokens<br />
**Payment information<br />
**Patient data<br />
**Signature files<br />
<br />
*Is sensitive information written to data stores via platform exposed APIs such as contacts?<br />
<br />
=== Information Disclosure ===<br />
<br />
*Logs<br />
**Does the application log data? Is sensitive information accessible?<br />
**How are the logs accessed, if so, and by which mechanism/functionality? Is log access protected?<br />
**Can any of the logged information be considered a privacy violation?<br />
**Is the device identifier sent that could be used to identify the user? (i.e.UDID in Apple devices)<br />
**Does the application upload any log file to the server?<br />
***Is the log file extension validated before upload?<br />
***Is the content of the log file validated before upload? What if malicious code is embedded in log file?<br />
<br />
*Caches<br />
**Predictive text<br />
**Location information<br />
**Copy and paste<br />
**Application snapshot<br />
**Browser cache<br />
**Non-standard cache locations (i.e the various SQLite databases that apps can create if they use HTML UI components)<br />
**Are HTTPS responses being cached?<br />
<br />
*Exceptions<br />
**Does sensitive data leak in crash logs?<br />
**How does application handle data/logs outside its container?<br />
<br />
*Third Party Libraries and APIs<br />
**What permissions do they require?<br />
**Do they access or transmit sensitive information?<br />
Review licensing requirements for any potential violations.<br />
**Can their runtime behavior expose users to privacy issues and unauthorized tracking?<br />
<br />
=== Web Application Issues ===<br />
<br />
*XSS and HTML Injection<br />
**Identify places where the application passes untrusted data into a web view or browser<br />
**Determine if the application properly output encodes or sanitizes the data within the appropriate context<br />
*OS Command Injection (if the application utilizes a shell)<br />
**Where the application permits usage of the shell, identify the entry points to manipulate or alter the commands via user input or external untrusted data<br />
**Determine if an attacker can inject arbitrary commands or manipulate the intended command in any way<br />
*CSRF<br />
*SQL Injection<br />
*Cookies<br />
*HTML5<br />
*XML Injection<br />
*Check Cross Domain Policy<br />
<br />
=== Networking ===<br />
<br />
*Are insecure protocols used to send or receive sensitive information? Examples- FTP, SNMP v1, SSH v1<br />
<br />
*Are there any known issues with the specific libraries you are using to implement the protocol?<br />
<br />
=== Transport Layer Protection ===<br />
*Does the application properly implement Certificate Pinning?<br />
<br />
*Are certificates validated to determine if:<br />
**The certificate has not expired<br />
**The certificate was issued by a valid certificate authority<br />
**The remote destination information matches the information within the certificate?<br />
<br />
*Are certificates validated only by the operating system or also by the application that relies on it?<br />
<br />
*Identify if code exist to alter the behavior for traffic transiting different interfaces (i.e.- 3G/4G comms vs. Wi-Fi)? If so, is encryption applied universally across each of them<br />
<br />
<br />
<br />
=== Helpful Search Strings and Regular Expressions ===<br />
<br />
*DEBUG<br />
*printStackTrace<br />
*username/userID/password/passwd/pwd/<br />
*key/encrypt/decrypt/MD5/MD4<br />
*timeout/session.invalidate<br />
*root/jailbreak<br />
*test/demo/<br />
*sqlconnection/sqlevents/sqldemo/sqlconn/sqltest<br />
*account/URL/hostname/ipaddress<br />
*proxy<br />
<br />
== Dynamic Analysis ==<br />
<br />
Armed with data collected during the Information Gathering and Static Analysis phases, the tester can begin an informed vulnerability assessment of the mobile application client, server and associated services.<br />
<br />
Dynamic analysis is conducted against the backend services and APIs and the type of tests varies depending on mobile application type.<br />
<br />
=== Application Types ===<br />
<br />
*Native Mobile Application: Native mobile applications can be installed on to the device. This type of applications generally store most of their code on the device. Any information required can be requested to the server using the HTTP/s protocol<br />
<br />
*Web services for Mobile Application: Native mobile application that uses SOAP or REST based web services to communicate between client and Server<br />
<br />
*Mobile Browser Based Application: Web browser based applications can be accessed using device’s browsers such as Safari or Chrome. Most of the commercial applications are nowadays specifically designed and optimized for mobile browsers. These applications are no different than traditional web application and all the web application vulnerabilities apply to these apps and these should be tested as traditional web apps.<br />
<br />
*Mobile Hybrid Applications:Applications can leverage web browser functionality within native applications, blending the risks from both classes of applications.<br />
<br />
In this phase, the mobile client, backend services, and host platform is analyzed/scanned in attempt to uncover potential risks, vulnerabilities and threats. The use of an intercepting proxy tool as well as automated vulnerability scanners are core to this phase. In many cases, you will also need some type of shell access to the device.<br />
<br />
The following outline can be used as a “Dynamic Analysis” guide in planning a mobile assessment.<br />
<br />
=== Establishing a Baseline ===<br />
<br />
*Generate File System Baseline Fingerprint (before app installation)<br />
**Application interactions with the host file system must be reviewed and analyzed at various stages of testing; starting with baseline capture. This may require a shell or GUI depending on platform and/or preference.<br />
<br />
*Install, Configure and Use the Application<br />
**Manually inspect the file system to determine what files/databases were created, what and how data is stored. Did the application store sensitive data unencrypted or trivially protected (i.e. encoded)?<br />
**Generally, pay attention to credentials, payment information, or other highly sensitive information being saved to the device. Also take a look at databases, log files, predictive text caches, and crash logs.<br />
<br />
=== Debugging ===<br />
<br />
*Attach a debugger to an application to step through code execution and setting breakpoints at interesting code within the application<br />
<br />
*Monitor logged messages and notifications generated at runtime<br />
<br />
*Observe interprocess communications between the target application and other applications and services running on the mobile device.<br />
<br />
=== Active Testing ===<br />
<br />
==== Local Testing ====<br />
<br />
*Exposed IPC interfaces<br />
**Sniff<br />
**Fuzz<br />
**Bypass authorization checks<br />
<br />
===== Cryptography =====<br />
<br />
*Brute force attacks against keys, pins, and hashes<br />
*Attempt to reconstruct encrypted data through recovery of keys, hardcoded secrets, and any other information exposed by the application<br />
<br />
===== Web Applications =====<br />
<br />
*XSS and HTML Injection<br />
**Is it possible to inject client side code (i.e. JavaScript) or HTML into the application to either modify the inner working of the application or it's user interface?<br />
<br />
*Command Injection (if the application utilizes a shell)<br />
<br />
*CSRF<br />
<br />
*SQL Injection<br />
<br />
*Cookies<br />
**Are cookies issued by a server secured by using the HTTP-only and Secure flag?<br />
**Is there any sensitive information stored in the cookies?<br />
<br />
*HTML5 Storage<br />
<br />
===== Authentication =====<br />
<br />
*Assess the methods an application uses to authenticate peers<br />
**NFC<br />
**SMS<br />
**Push notifications<br />
**Across IPC channels (identify the calling application’s privileges and identity)<br />
<br />
===== Authorization =====<br />
*Instrument, patch, or interact with application at runtime to bypass methods intended to prevent usage of privileged or premium features<br />
<br />
*Determine if configuration or locally stored data can be manipulated in order to elevate a user’s privileges<br />
<br />
*Check the filesystem permissions for any files created at runtime<br />
<br />
===== File System Analysis =====<br />
<br />
*Assess the application’s behavior throughout it’s lifecycle to determine if special functionality is triggered to persist an application’s state when it enters different stages:<br />
**Placed into the foreground<br />
**Sent into the background<br />
**Upon exiting the application<br />
<br />
*Data storage in Cache<br />
<br />
*Looking for artifacts left on device<br />
<br />
*Unencrypted data storage on the device<br />
<br />
*Encryption of data in backups<br />
<br />
*Username/password, or app-specific unique device id stored on the device<br />
<br />
*Application Permissions , Privileges and Access controls on the device<br />
<br />
*Generally, pay attention to credentials, payment information, or other highly sensitive information being saved to the device. Also take a look at log files, predictive text caches, and crash logs.<br />
<br />
*Is sensitive information cached within the application’s UI back stack?<br />
<br />
*Utilize forensic tools to determine if deleted data can be recovered from the filesystem as well as within databases<br />
<br />
===== Memory Analysis =====<br />
<br />
*Determine if sensitive information persists within memory after performing the following actions:<br />
**Logging out of the application<br />
**Transition between UI components<br />
<br />
*Is it possible to obtain encryption keys, credentials, payment information and other sensitive information by dumping device or application memory?<br />
<br />
==== Remote Application/Service Testing ====<br />
<br />
===== Authentication =====<br />
<br />
*What methods are available (3G, 4G, Wifi, etc)?<br />
<br />
*What happens if the remote authentication service becomes unavailable?<br />
<br />
*Assess strength of password requirements<br />
<br />
*Test how account lockouts are implemented<br />
<br />
*Analyze (monitor traffic) how each method performs authentication. Note target wifi as this is a common area where authentication can be weak. Ensure authentication is robust and not based on trivial attributes (i.e. MDN, ESN, etc).<br />
<br />
*Verify that authentication tokens are terminated after a user initiates a password reset<br />
<br />
*Single Sign On (SSO)<br />
<br />
*SMS Based<br />
**One Time Passwords (OTP)<br />
**Two Factor Authentication<br />
<br />
*Push Notifications<br />
<br />
*Licensing<br />
<br />
===== Authorization =====<br />
<br />
*What happens if the remote authorization handling service becomes unavailable?<br />
<br />
*Test if direct access to backend resources is possible<br />
<br />
*Access controls to server side resources not enforced<br />
<br />
*Vertical and horizontal privilege escalation<br />
<br />
===== Session Management =====<br />
<br />
*Entropy analysis<br />
*Device identifier related?<br />
*Are session tokens refreshed between logouts?<br />
*Lifetime and expiration<br />
*Handling the session token on the device (stored, in memory, etc.)<br />
*Privilege Escalation<br />
*Ineffective Session Termination<br />
*Session Fixation<br />
*Pre-login/Login/Post-login Session checks<br />
*Unique Session Generation<br />
<br />
===== Transport Layer Testing =====<br />
*Man-in-the-middle attacks<br />
*Eavesdropping<br />
*SSL checks (cypher strengths/weakness etc.)<br />
*SSL Striping<br />
<br />
===== Server Side Attacks =====<br />
<br />
*Triggering unhandled exceptions<br />
*Cross-Site Scripting<br />
*SQL Injection<br />
*XML Bombs<br />
*Buffer overflow<br />
*Unrestricted File Upload<br />
*Open Redirect<br />
*Cross Origin Resource Sharing<br />
<br />
===== Server, Network & Application Scanning =====<br />
<br />
*Based on prior phases you should have 1 or more target servers (i.e. URLs) as candidates for automated vulnerability scanning. Mobile applications often leverage existing web services/applications (i.e. hybrid applications) which must be tested for security vulnerabilities.<br />
<br />
===== Conclusion =====<br />
<br />
Mobile applications are continuing to mature and evolve thus to be effective, security testers must strive to advance their knowledge and skills. Please check back periodically for updates and share your feedback with us.<br />
<br />
= Mobile Cheat Sheet =<br />
== Mobile Cheat Sheet Series ==<br />
<br />
Cheat sheets provide the information most relevant to a developer or security engineer with minimal "fluff". The goal of the project is to build a collection of cheat sheets that provide actionable, useful, and straight to the point guidance for a plethora of mobile security issues.<br />
<br />
== Platform Agnostic ==<br />
<br />
[https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet Mobile Jailbreaking Cheat Sheet]<br />
<br />
== Android ==<br />
<br />
== iOS ==<br />
<ul><br />
<li>[https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet iOS Developer Cheat Sheet]</li><br />
<li>[https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet iOS Application Security Testing Cheat Sheet]</li><br />
</ul><br />
<br />
== Windows Phone (Developer Unlock) ==<br />
<br />
Developer Unlock:<br />
You need to have machine with Windows 8 64-bit OS in it.<br />
Connect your phone to Win8 machine using USB cable and start Visual Studio 2013 (with Windows Mobile package installed).<br />
Go to Tool Windows Phone 8.1 Developer Unlock.<br />
<br />
<br />
XAP file deployment and Local Storage Check on Windows Mobile with OS 8+ <br />
1. You need to have machine with Windows 8 64-bit OS running in it.<br />
2. Install Windows 8 power tools (WP8).<br />
Download WP8 here: http://wptools.codeplex.com/<br />
3. Connect your Windows Phone to Win8 machine using USB cable and WP8 will detect your device.<br />
4. You can now: install XAP files, update XAP files, check local storage (isolated storage), and get various attributes.<br />
<br />
== RIM ==<br />
<br />
= Secure Mobile Development =<br />
'''Secure Mobile Development Guidelines Objective'''<br />
<br />
The OWASP Secure Development Guidelines provides developers with the knowledge they need to build secure mobile applications. An extendable framework will be provided that includes the core security flaws found across nearly all mobile platforms. It will be a living reference where contributors can plug in newly exposed APIs for various platforms and provide good/bad code examples along with remediation guidance for those issues.<br />
<br />
== Mobile Application Coding Guidelines ==<br />
The purpose of this section is to provide application developers guidelines on how to build secure mobile applications, given the differences in security threat between applications running on a typical desktop as compared to those running on a mobile device (such as tablets or cell phones). <br />
<br />
Using the guidance provided here, developers should code their applications to mitigate these malicious attacks. While more general coding guidelines should still be followed as applicable, this page lists additional considerations and/or modifications to common guidelines and is written using the best knowledge available at this time.<br />
<br />
=== Authentication and Password Management ===<br />
This is a set of controls used to verify the identity of a user, or other entity, interacting with the software, and also to ensure that applications handle the management of passwords in a secure fashion.<br />
<ol type="a"><br />
<li> Instances where the mobile application requires a user to create a password or PIN (say for offline access), the application should never use a PIN but enforce a password which follows a strong password policy.<br />
<li> Mobile devices may offer the possibility of using password patterns which are never to be utilized in place of passwords as sufficient entropy cannot be ensured and they are easily vulnerable to smudge-attacks.<br />
<li> Mobile devices may also offer the possibility of using biometric input to perform authentication which should never be used due to issues with false positives/negatives, among others.<br />
<li> Wipe/clear memory locations holding passwords directly after their hashes are calculated.<br />
<li> Based on risk assessment of the mobile application, consider utilizing two-factor authentication.<br />
<li> For device authentication, avoid solely using any device-provided identifier (like UID or MAC address) to identify the device, but rather leverage identifiers specific to the application as well as the device (which ideally would not be reversible). For instance, create an app-unique “device-factor” during the application install or registration (such as a hashed value which is based off of a combination of the length of the application package file itself, as well as the current date/time, the version of the OS which is in use, and a randomly generated number). In this manner the device could be identified (as no two devices should ever generate the same “device-factor” based on these inputs) without revealing anything sensitive. This app-unique device-factor can be used with user authentication to create a session or used as part of an encryption key.<br />
<li> In scenarios where offline access to data is needed, add an intentional X second delay to the password entry process after each unsuccessful entry attempt (2 is reasonable, also consider a value which doubles after each incorrect attempt).<br />
<li> In scenarios where offline access to data is needed, perform an account/application lockout and/or application data wipe after X number of invalid password attempts (10 for example).<br />
<li> When utilizing a hashing algorithm, use only a NIST approved standard such as SHA-2 or an algorithm/library.<br />
<li> Salt passwords on the server-side, whenever possible. The length of the salt should at least be equal to, if not bigger than the length of the message digest value that the hashing algorithm will generate. <br />
<li> Salts should be sufficiently random (usually requiring them to be stored) or may be generated by pulling constant and unique values off of the system (by using the MAC address of the host for example or a device-factor; see 3.1.2.g.). Highly randomized salts should be obtained via the use of a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). When generating seed values for salt generation on mobile devices, ensure the use of fairly unpredictable values (for example, by using the x,y,z magnetometer and/or temperature values) and store the salt within space available to the application.<br />
<li> Provide feedback to users on the strength of passwords during their creation.<br />
<li> Based on a risk evaluation, consider adding context information (such as IP location, etc…) during authentication processes in order to perform Login Anomaly Detection.<br />
<li> Instead of passwords, use industry standard authorization tokens (which expire as frequently as practicable) which can be securely stored on the device (as per the OAuth model) and which are time bounded to the specific service, as well as revocable (if possible server side).<br />
<li> Integrate a CAPTCHA solution whenever doing so would improve functionality/security without inconveniencing the user experience too greatly (such as during new user registrations, posting of user comments, online polls, “contact us” email submission pages, etc…).<br />
<li> Ensure that separate users utilize different salts.<br />
</ol><br />
<br />
=== Code Obfuscation ===<br />
This is a set of controls used to prevent reverse engineering of the code, increasing the skill level and the time required to attack the application.<br />
<br />
<ol type="a"><br />
<li>Abstract sensitive software within static C libraries.<br />
<li> Obfuscate all sensitive application code where feasible by running an automated code obfuscation program using either 3rd party commercial software or open source solutions.<br />
<li> For applications containing sensitive data, implement anti-debugging techniques (e.g. prevent a debugger from attaching to the process; android:debuggable=”false”).<br />
<li> Ensure logging is disabled as logs may be interrogated other applications with readlogs permissions (e.g. on Android system logs are readable by any other application prior to being rebooted).<br />
<li> So long as the architecture(s) that the application is being developed for supports it (iOS 4.3 and above, Android 4.0 and above), Address Space Layout Randomization (ASLR) should be taken advantage of to hide executable code which could be used to remotely exploit the application and hinder the dumping of application’s memory.<br />
</ol><br />
<br />
=== Communication Security ===<br />
This is a set of controls to help ensure the software handles the sending and receiving of information in a secure manner.<br />
<br />
<ol type="a"><br />
<li>Assume the provider network layer is insecure. Modern network layer attacks can decrypt provider network encryption, and there is no guarantee a Wi-Fi network (if in-use by the mobile device) will be appropriately encrypted.<br />
<li> Ensure the application actually and properly validates (by checking the expiration date, issuer, subject, etc…) the server’s SSL certificate (instead of checking to see if a certificate is simply present and/or just checking if the hash of the certificate matches). To note, there are third party libraries to assist in this; search on “certificate pinning”.<br />
<li> The application should only communicate with and accept data from authorized domain names/systems. It is permissible to allow application updates which will modify the list of authorized systems and/or for authorized systems to obtain a token from an authentication server, present a token to the client which the client will accept.<br />
<li> To protect against attacks which utilize software such as SSLStrip, implement controls to detect if the connection is not HTTPS with every request when it is known that the connection should be HTTPS (e.g. use JavaScript, Strict Transport Security HTTP Header, disable all HTTP traffic).<br />
<li> The UI should make it as easy as possible for the user to find out if a certificate is valid (so the user is not totally reliant upon the application properly validating any certificates). <br />
<li> When using SSL/TLS, use certificates signed by trusted Certificate Authority (CA) providers.<br />
</ol><br />
<br />
=== Data Storage and Protection ===<br />
This is a set of controls to help ensure the software handles the storing and handling of information in a secure manner. Given that mobile devices are mobile, they have a higher likelihood of being lost or stolen which should be taken into consideration here. <br />
<br />
<ol type="a"><br />
<li>Only collect and disclose data which is required for business use of the application. Identify in the design phase what data is needed, its sensitivity and whether it is appropriate to collect, store and use each data type.<br />
<li> Classify data storage according to sensitivity and apply controls accordingly (e.g. passwords, personal data, location, error logs, etc.). Process, store and use data according to its classification<br />
<li> Store sensitive data on the server instead of the client-end device, whenever possible. Assume any data written to device can be recovered.<br />
<li> Beyond the time required by the application, don’t store sensitive information on the device (e.g. GPS/tracking).<br />
<li> Do not store temp/cached data in a world readable directory. Assume shared storage is untrusted.<br />
<li> Encrypt sensitive data when storing or caching it to non-volatile memory (using a NIST approved encryption standard such as AES-256, 3DES, or Skipjack).<br />
<li> Use the PBKDF2 function to generate strong keys for encryption algorithms while ensuring high entropy as much as possible. The number of iterations should be set as high as may be tolerated for the environment (with a minimum of 1000 iterations) while maintaining acceptable performance.<br />
<li> Sensitive data (such as encryption keys, passwords, credit card #’s, etc…) should stay in RAM for as little time as possible.<br />
<li> Encryption keys should not remain in RAM during the instance lifecycle of the app. Instead, keys should be generated real time for encryption/decryption as needed and discarded each time.<br />
<li> So long as the architecture(s) that the application is being developed for supports it (iOS 4.3 and above, Android 4.0 and above), Address Space Layout Randomization (ASLR) should be taken advantage of to limit the impact of attacks such as buffer overflows.<br />
<li> Do not store sensitive data in the keychain of iOS devices due to vulnerabilities in their cryptographic mechanisms.<br />
<li> Ensure that sensitive data (e.g. passwords, keys etc.) are not visible in cache or logs.<br />
<li> Never store any passwords in clear text within the native application itself nor on the browser (e.g. save password feature on the browser).<br />
<li> When displaying sensitive information (such as full account numbers), ensure that the sensitive information is cleared from memory (such as from the webView) when no longer needed/displayed.<br />
<li> Do not store sensitive information in the form of typical strings. Instead use character arrays or NSMutableString (iOS specific) and clear their contents after they are no longer needed. This is because strings are typically immutable on mobile devices and reside within memory even when assigned (pointed to) a new value.<br />
<li> Do not store sensitive data on external storage like SD cards if it can be avoided.<br />
<li> Consider restricting access to sensitive data based on contextual information such as location (e.g. wallet app not usable if GPS data shows phone is outside Europe, car key not usable unless within 100m of car etc...).<br />
<li> Use non-persistent identifiers which are not shared with other apps wherever possible - e.g. do not use the device ID number as an identifier, use a randomly generated number instead.<br />
<li> Make use of remote wipe and kill switch APIs to remove sensitive information from the device in the event of theft or loss.<br />
<li> Use a time based (expiry) type of control which will wipe sensitive data from the mobile device once the application has not communicated with its servers for a given period of time.<br />
<li> Automatic application shutdown and/or lockout after X minutes of inactivity (e.g. 5 mins of inactivity).<br />
<li> Avoid cached application snapshots in iOS: iOS can capture and store screen captures and store them as images when an application suspends. To avoid any sensitive data getting captured, use one or both of the following options: 1. Use the ‘willEnterBackground’ callback, to hide all the sensitive data. 2. Configure the application in the info.plist file to terminate the app when pushed to background (only use if multitasking is disabled).<br />
<li> Prevent applications from being moved and/or run from external storage such as via SD cards.<br />
<li> When handling sensitive data which does not need to be presented to users (e.g. account numbers), instead of using the actual value itself, use a token which maps to the actual value on the server-side. This will prevent exposure of sensitive information.<br />
</ol><br />
<br />
=== Paywall Controls ===<br />
This is a set of practices to ensure the application properly enforces access controls related to resources which require payment in order to access (such as access to premium content, access to additional functionality, access to improved support, etc…). <br />
<br />
<ol type="a"><br />
<li> Maintain logs of access to paid-for resources in a non-repudiable format (e.g. a signed receipt sent to a trusted server backend – with user consent) and make them securely available to the end-user for monitoring.<br />
<li> Warn users and obtain consent for any cost implications for application behavior.<br />
<li> Secure account/pricing/billing/item information as it relates to users. If client has made any purchases via the application for instance, we should ensure that what they bought, the size of purchase, the quantity of the purchase, etc… should all be treated as sensitive information.<br />
<li> Use a white-list model by default for paid-for resource addressing.<br />
<li> Check for anomalous usage patterns in paid-for resource usage and trigger re- authentication. E.g. significant change in location occurs, user-language changes, etc...<br />
</ol><br />
<br />
=== Server Controls ===<br />
This is a set of practices to ensure the server side program which interfaces with the mobile application is properly safeguarded. These controls would also apply in cases where the mobile application may be integrating with vended solutions hosted outside of the typical network.<br />
<br />
<ol type="a"><br />
<li> Ensure that the backend system(s) are running with a hardened configuration with the latest security patches applied to the OS, Web Server and other application components.<br />
<li> Ensure adequate logs are retained on the backend in order to detect and respond to incidents and perform forensics (within the limits of data protection law).<br />
<li> Employ rate limiting and throttling on a per-user/IP basis (if user identification is available) to reduce the risk from DoS type of attacks.<br />
<li> Carry out a specific check of your code for any sensitive data unintentionally transferred between the mobile application and the back-end servers, and other external interfaces (e.g. is location or other information included transmissions?).<br />
<li> Ensure the server rejects all unencrypted requests which it knows should always arrive encrypted.<br />
</ol><br />
<br />
=== Session Management ===<br />
This is a set of controls to help ensure mobile applications handle sessions in a secure manner.<br />
<br />
<ol type="a"><br />
<li> Perform a check at the start of each activity/screen to see if the user is in a logged in state and if not, switch to the login state.<br />
<li> When an application’s session is timed out, the application should discard and clear all memory associated with the user data, and any master keys used to decrypt the data.<br />
<li> Session tokens should be revocable (particularly on the server side).<br />
<li> Use lower timeout values to invalidate expired sessions (in contrast to the typical timeout values on traditional (non-mobile) applications).<br />
</ol><br />
<br />
=== Use of 3rd Party Libraries/Code ===<br />
This is a set of practices to ensure the application integrates securely with code produced from outside parties.<br />
<br />
<ol type="a"><br />
<li>Vet the security/authenticity of any third party code/libraries used in your mobile application (e.g. making sure they come from a reliable source, will continue to be supported, contain no backdoors) and ensure that adequate internal approval is obtained to use the code/library.<br />
<li> Track all third party frameworks/API’s used in the mobile application for security patches and perform upgrades as they are released.<br />
<li> Pay particular attention to validating all data received from and sent to non-trusted third party apps (e.g. ad network software) before incorporating their use into an application.<br />
</ol><br />
<br />
== Mobile Application Provisioning/Distribution/Testing ==<br />
This is a set of controls to ensure that software is tested and released relatively free of vulnerabilities, that there are mechanisms to report new security issues if they are found, and also that the software has been designed to accept patches in order to address potential security issues. <br />
<br />
<ol type="a"><br />
<li> Design & distribute applications to allow updates for security patches.<br />
<li> Provide & advertise feedback channels for users to report security problems with applications (such as a MobileAppSecurity@ntrs.com email address).<br />
<li> Ensure that older versions of applications which contain security issues and are no longer supported are removed from app-stores/app-repositories.<br />
<li> Periodically test all backend services (Web Services/REST) which interact with a mobile application as well as the application itself for vulnerabilities using enterprise approved automatic or manual testing tools (including internal code reviews).<br />
<li> Based on risk assessment of the application, have the application go through Security Assessment for a review of security vulnerabilities following the Team’s internal security testing of the application.<br />
<li> Utilize the Enterprise provisioning process (e.g. IDM) to request and approve access for users on the mobile application.<br />
<li> Ensure the application is sufficiently obfuscated prior to release by conducting tests which attempt to reverse engineer the obfuscated application.<br />
<li> Distribute applications via an app-store type of interface (when appropriate) as many app-stores monitor applications for insecure code which we may benefit from.<br />
<li> Digitally sign applications using a code signing certificate obtained via a trusted Certificate Authority (CA).<br />
</ol><br />
<br />
= Top 10 Mobile Controls =<br />
==OWASP/ENISA Collaboration==<br />
<br />
OWASP and the European Network and Information Security Agency (ENISA) collaborated to build a joint set of controls. ENISA has published the results of the collaborative effort as the "Smartphone Secure Development Guideline": http://www.enisa.europa.eu/activities/application-security/smartphone-security-1/smartphone-secure-development-guidelines<br />
<br />
[[File:OWASP_Mobile_Top_10_Controls.jpg|center|800px]]<br />
<br />
==Contributors==<br />
<br />
This document has been jointly produced with ENISA as well as the following individuals:<br />
*Vinay Bansal, Cisco Systems<br />
*Nader Henein, Research in Motion<br />
*Giles Hogben, ENISA<br />
*Karsten Nohl, Srlabs<br />
*Jack Mannino, nVisium Security<br />
*Christian Papathanasiou, Royal Bank of Scotland<br />
*Stefan Rueping, Infineon<br />
*Beau Woods, Stratigos Security<br />
<br />
== Top 10 mobile controls and design principles==<br />
<br />
'''[[#section control_1|1. Identify and protect sensitive data on the mobile device]]'''<br />
<br />
'''Risks:''' Unsafe sensitive data storage, attacks on decommissioned phones unintentional disclosure: Mobile devices (being mobile) have a higher risk of loss or theft. Adequate protection should be built in to minimize the loss of sensitive data on the device.<br />
<br />
*1.1 In the design phase, classify data storage according to sensitivity and apply controls accordingly (e.g. passwords, personal data, location, error logs, etc.). Process, store and use data according to its classification. Validate the security of API calls applied to sensitive data.<br />
*1.2 Store sensitive data on the server instead of the client-end device. This is based on the assumption that secure network connectivity is sufficiently available and that protection mechanisms available to server side storage are superior. The relative security of client vs server-side security also needs to be assessed on a case-by-case basis (see ENISA cloud risk assessment (3) or the OWASP Cloud top 10 (4) for decision support).<br />
*1.3 When storing data on the device, use a file encryption API provided by the OS or other trusted source. Some platforms provide file encryption APIs which use a secret key protected by the device unlock code and deleteable on remote kill. If this is available, it should be used as it increases the security of the encryption without creating extra burden on the end-user. It also makes stored data safer in the case of loss or theft. However, it should be born in mind that even when protected by the device unlock key, if data is stored on the device, its security is dependent on the security of the device unlock code if remote deletion of the key is for any reason not possible.<br />
*1.4 Do not store/cache sensitive data (including keys) unless they are encrypted and if possible stored in a tamper-proof area (see control 2).<br />
*1.5 Consider restricting access to sensitive data based on contextual information such as location (e.g. wallet app not usable if GPS data shows phone is outside Europe, car key not usable unless within 100m of car etc...).<br />
*1.6 Do not store historical GPS/tracking or other sensitive information on the device beyond the period required by the application (see controls 1.7, 1.8).<br />
*1.7 Assume that shared storage is untrusted - information may easily leak in unexpected ways through any shared storage. In particular:<br />
**Be aware of caches and temporary storage as a possible leakage channel, when shared with other apps.<br />
**Be aware of public shared storage such as address book, media gallery and audio files as a possible leakage channel. For example storing images with location metadata in the media-gallery allows that information to be shared in unintended ways.<br />
**Do not store temp/cached data in a world readable directory.<br />
*1.8 For sensitive personal data, deletion should be scheduled according to a maximum retention period, (to prevent e.g. data remaining in caches indefinitely).<br />
*1.9 There is currently no standard secure deletion procedure for flash memory (unless wiping the entire medium/card). Therefore data encryption and secure key management are especially important.<br />
*1.10 Consider the security of the whole data lifecycle in writing your application (collection over the wire, temporary storage, caching, backup, deletion etc)<br />
*1.11 Apply the principle of minimal disclosure - only collect and disclose data which is required for business use of the application. Identify in the design phase what data is needed, its sensitivity and whether it is appropriate to collect, store and use each data type.<br />
*1.12 Use non-persistent identifiers which are not shared with other apps wherever possible - e.g. do not use the device ID number as an identifier unless there is a good reason to do so (use a randomly generated number – see 4.3). Apply the same data minimization principles to app sessions as to http sessions/cookies etc.<br />
*1.13 Applications on managed devices should make use of remote wipe and kill switch APIs to remove sensitive information from the device in the event of theft or loss. (A kill-switch is the term used for an OS-level or purpose-built means of remotely removing applications and/or data).<br />
*1.14 Application developers may want to incorporate an application-specific "data kill switch" into their products, to allow the per-app deletion of their application's sensitive data when needed (strong authentication is required to protect misuse of such a feature).<br />
<br />
'''2. Handle password credentials securely on the device'''<br />
<br />
'''Risks:''' Spyware, surveillance, financial malware. A user's credentials, if stolen, not only provide unauthorized access to the mobile backend service, they also potentially compromise many other services and accounts used by the user. The risk is increased by the widespread of reuse of passwords across different services.<br />
<br />
*2.1 Instead of passwords consider using longer term authorization tokens that can be securely stored on the device (as per the OAuth model). Encrypt the tokens in transit (using SSL/TLS). Tokens can be issued by the backend service after verifying<br />
Smartphones secure development guidelines for app developers the user credentials initially. The tokens should be time bounded to the specific service as well as revocable (if possible server side), thereby minimizing the damage in loss scenarios. Use the latest versions of the authorization standards (such as OAuth 2.0). Make sure that these tokens expire as frequently as practicable.<br />
*2.2 In case passwords need to be stored on the device, leverage the encryption and key-store mechanisms provided by the mobile OS to securely store passwords, password equivalents and authorization tokens. Never store passwords in clear text. Do not store passwords or long term session IDs without appropriate hashing or encryption.<br />
*2.3 Some devices and add-ons allow developers to use a Secure Element e.g. (5) (6) – sometimes via an SD card module - the number of devices offering this functionality is likely to increase. Developers should make use of such capabilities to store keys, credentials and other sensitive data. The use of such secure elements gives a higher level of assurance with the standard encrypted SD card certified at FIPS 140-2 Level 3. Using the SD cards as a second factor of authentication though possible, isn't recommended, however, as it becomes a pseudo-inseparable part of the device once inserted and secured.<br />
*2.4 Provide the ability for the mobile user to change passwords on the device.<br />
*2.5 Passwords and credentials should only be included as part of regular backups in encrypted or hashed form.<br />
*2.6 Smartphones offer the possibility of using visual passwords which allow users to memorize passwords with higher entropy. These should only be used however, if sufficient entropy can be ensured. (7)<br />
*2.7 Swipe-based visual passwords are vulnerable to smudge-attacks (using grease deposits on the touch screen to guess the password). Measures such as allowing repeated patterns should be introduced to foil smudge-attacks. (8)<br />
*2.8 Check the entropy of all passwords, including visual ones (see 4.1 below).<br />
*2.9 Ensure passwords and keys are not visible in cache or logs.<br />
*2.10 Do not store any passwords or secrets in the application binary. Do not use a generic shared secret for integration with the backend (like password embedded in code). Mobile application binaries can be easily downloaded and reverse engineered.<br />
<br />
'''3. Ensure sensitive data is protected in transit'''<br />
<br />
'''Risks:''' Network spoofing attacks, surveillance. The majority of smartphones are capable of using multiple network mechanisms including Wi-Fi, provider network (3G, GSM, CDMA and others), Bluetooth etc. Sensitive data passing through insecure channels could be intercepted. (9) (10)<br />
<br />
*3.1 Assume that the provider network layer is not secure. Modern network layer attacks can decrypt provider network encryption, and there is no guarantee that the Wi-Fi network will be appropriately encrypted.<br />
*3.2 Applications should enforce the use of an end-to-end secure channel (such as SSL/TLS) when sending sensitive information over the wire/air (e.g. using Strict Transport Security - STS (11)).This includes passing user credentials, or other authentication equivalents. This provides confidentiality and integrity protection.<br />
*3.3 Use strong and well-known encryption algorithms (e.g. AES) and appropriate key lengths (check current recommendations for the algorithm you use e.g. (12) page 53).<br />
*3.4 Use certificates signed by trusted CA providers. Be very cautious in allowing self- signed certificates. Do not disable or ignore SSL chain validation.<br />
*3.5 For sensitive data, to reduce the risk of man-in-middle attacks (like SSL proxy, SSL strip), a secure connection should only be established after verifying the identity of the remote end-point (server). This can be achieved by ensuring that SSL is only established with end-points having the trusted certificates in the key chain.<br />
*3.6 The user interface should make it as easy as possible for the user to find out if a certificate is valid.<br />
*3.7 SMS, MMS or notifications should not be used to send sensitive data to or from mobile end-points.<br />
<br />
'''Reference:''' Google vulnerability of Client Login account credentials on unprotected wifi - [http://www.google.com/url?q=http%3A%2F%2Fwww.uni-ulm.de%2Fin%2Fmi%2Fmitarbeiter%2Fkoenings%2Fcatching-authtokens.html&sa=D&sntz=1&usg=AFQjCNGO-Yp1KHqO8USuL0zxL1Lpwq1Usw]<br />
<br />
'''4. Implement user authentication,authorization and session management correctly'''<br />
<br />
'''Risks:''' Unauthorized individuals may obtain access to sensitive data or systems by circumventing authentication systems (logins) or by reusing valid tokens or cookies. (13)<br />
<br />
*4.1 Require appropriate strength user authentication to the application. It may be useful to provide feedback on the strength of the password when it is being entered for the first time. The strength of the authentication mechanism used depends on the sensitivity of the data being processed by the application and its access to valuable resources (e.g. costing money).<br />
*4.2 It is important to ensure that the session management is handled correctly after the initial authentication, using appropriate secure protocols. For example, require authentication credentials or tokens to be passed with any subsequent request (especially those granting privileged access or modification).<br />
*4.3 Use unpredictable session identifiers with high entropy. Note that random number generators generally produce random but predictable output for a given seed (i.e. the same sequence of random numbers is produced for each seed). Therefore it is important to provide an unpredictable seed for the random number generator. The standard method of using the date and time is not secure. It can be improved, for example using a combination of the date and time, the phone temperature sensor and the current x,y and z magnetic fields. In using and combining these values, well-tested algorithms which maximise entropy should be chosen (e.g. repeated application of SHA1 may be used to combine random variables while maintaining maximum entropy – assuming a constant maximum seed length).<br />
*4.4 Use context to add security to authentication - e.g. IP location, etc...<br />
*4.5 Where possible, consider using additional authentication factors for applications giving access to sensitive data or interfaces where possible - e.g. voice, fingerprint (if available), who-you-know, behavioural etc.<br />
*4.6 Use authentication that ties back to the end user identity (rather than the device identity).<br />
<br />
'''5. Keep the backend APIs (services) and the platform (server) secure''' <br />
<br />
'''Risks:''' Attacks on backend systems and loss of data via cloud storage. The majority of mobile applications interact with the backend APIs using REST/Web Services or proprietary protocols. Insecure implementation of backend APIs or services, and not keeping the back-end platform hardened/patched will allow attackers to compromise data on the mobile device when transferred to the backend, or to attack the backend through the mobile application. (14)<br />
<br />
*5.1 Carry out a specific check of your code for sensitive data unintentionally transferred, any data transferred between the mobile device and web-server back- ends and other external interfaces - (e.g. is location or other information included within file metadata).<br />
*5.2 All backend services (Web Services/REST) for mobile apps should be tested for vulnerabilities periodically, e.g. using static code analyser tools and fuzzing tools for testing and finding security flaws.<br />
*5.3 Ensure that the backend platform (server) is running with a hardened configuration with the latest security patches applied to the OS, Web Server and other application components.<br />
*5.4 Ensure adequate logs are retained on the backend in order to detect and respond to incidents and perform forensics (within the limits of data protection law).<br />
*5.5 Employ rate limiting and throttling on a per-user/IP basis (if user identification is available) to reduce the risk from DDoS attack.<br />
*5.6 Test for DoS vulnerabilities where the server may become overwhelmed by certain resource intensive application calls.<br />
*5.7 Web Services, REST and APIs can have similar vulnerabilities to web applications:<br />
**Perform abuse case testing, in addition to use case testing<br />
**Perform testing of the backend Web Service, REST or API to determine vulnerabilities.<br />
<br />
'''6. Secure data integration with third party services and applications'''<br />
<br />
'''Risks:''' Data leakage. Users may install applications that may be malicious and can transmit personal data (or other sensitive stored data) for malicious purposes.<br />
<br />
*6.1 Vet the security/authenticity of any third party code/libraries used in your mobile application (e.g. making sure they come from a reliable source, with maintenance supported, no backend Trojans)<br />
*6.2 Track all third party frameworks/APIs used in the mobile application for security patches. A corresponding security update must be done for the mobile applications using these third party APIs/frameworks.<br />
*6.3 Pay particular attention to validating all data received from and sent to non-trusted third party apps (e.g. ad network software) before processing within the application.<br />
<br />
'''7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data'''<br />
<br />
'''Risks:''' Unintentional disclosure of personal or private information, illegal data processing. In the European Union, it is mandatory to obtain user consent for the collection of personally identifiable information (PII). (15) (16)<br />
<br />
*7.1 Create a privacy policy covering the usage of personal data and make it available to the user especially when making consent choices.<br />
*7.2 Consent may be collected in three main ways:<br />
**At install time<br />
**At run-time when data is sent<br />
**Via “opt-out” mechanisms where a default setting is implemented and the user has to turn it off.<br />
*7.3 Check whether your application is collecting PII - it may not always be obvious - for example do you use persistent unique identifiers linked to central data stores containing personal information?<br />
*7.4 Audit communication mechanisms to check for unintended leaks (e.g. image metadata).<br />
*7.5 Keep a record of consent to the transfer of PII. This record should be available to the user (consider also the value of keeping server-side records attached to any user data stored). Such records themselves should minimise the amount of personal data they store (e.g. using hashing).<br />
*7.6 Check whether your consent collection mechanism overlaps or conflicts (e.g. in the data handling practices stated) with any other consent collection within the same stack (e.g. APP-native + webkit HTML) and resolve any conflicts.<br />
<br />
'''8. Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.)'''<br />
'''Risks:''' Smartphone apps give programmatic (automatic) access to premium rate phone calls, SMS, roaming data, NFC payments, etc. Apps with privileged access to such API’s should take particular care to prevent abuse, considering the financial impact of vulnerabilities that giveattackers access to the user’s financial resources.<br />
<br />
*8.1 Maintain logs of access to paid-for resources in a non-repudiable format (e.g. a signed receipt sent to a trusted server backend – with user consent) and make them available to the end-user for monitoring. Logs should be protected from unauthorised access.<br />
*8.2 Check for anomalous usage patterns in paid-for resource usage and trigger re- authentication. E.g. when significant change in location occurs, user-language changes etc.<br />
*8.3 Consider using a white-list model by default for paid-for resource addressing - e.g. address book only unless specifically authorised for phone calls.<br />
*8.4 Authenticate all API calls to paid-for resources (e.g. using an app developer certificate).<br />
*8.5 Ensure that wallet API callbacks do not pass cleartext account/pricing/ billing/item information.<br />
*8.6 Warn user and obtain consent for any cost implications for app behaviour.<br />
*8.7 Implement best practices such as fast dormancy (a 3GPP specification), caching, etc. to minimize signalling load on base stations.<br />
<br />
'''9. Ensure secure distribution/provisioning of mobile applications'''<br />
<br />
'''Risks:''' Use of secure distribution practices is important in mitigating all risks described in the OWASP Mobile Top 10 Risks and ENISA top 10 risks.<br />
*9.1 Applications must be designed and provisioned to allow updates for security patches, taking into account the requirements for approval by app-stores and the extra delay this may imply.<br />
*9.2 Most app-stores monitor apps for insecure code and are able to remotely remove apps at short notice in case of an incident. Distributing apps through official app- stores therefore provides a safety-net in case of serious vulnerabilities in your app.<br />
*9.3Provide feedback channels for users to report security problems with apps – e.g. a security@ email address.<br />
<br />
'''10. Carefully check any runtime interpretation of code for errors '''<br />
<br />
'''Risks:''' Runtime interpretation of code may give an opportunity for untrusted parties to provide unverified input which is interpreted as code. For example, extra levels in a game, scripts, interpreted SMS headers. This gives an opportunity for malware to circumvent walled garden controls provided by app-stores. It can lead to injection attacks leading to Data leakage, surveillance, spyware, and diallerware.<br />
<br />
Note that it is not always obvious that your code contains an interpreter. Look for any capabilities accessible via user-input data and use of third party API’s which may interpret user-input - e.g. JavaScript interpreters.<br />
<br />
*10.1 Minimize runtime interpretation and capabilities offered to runtime interpreters: run interpreters at minimal privilege levels.<br />
*10.2 Define comprehensive escape syntax as appropriate.<br />
*10.3 Fuzz test interpreters.<br />
*10.4 Sandbox interpreters.<br />
<br />
''Appendix A- Relevant General Coding Best Practices'''<br />
<br />
Some general coding best practices are particularly relevant to mobile coding. We have listed some of the most important tips here:<br />
**Perform abuse case testing, in addition to use case testing.<br />
**Validate all input.<br />
**Minimise lines and complexity of code. A useful metric is cyclomatic complexity (17).<br />
**Use safe languages (e.g. from buffer-overflow).<br />
**Implement a security report handling point (address) security@example.com<br />
**Use static and binary code analysers and fuzz-testers to find security flaws.<br />
**Use safe string functions, avoid buffer and integer overflow.<br />
**Run apps with the minimum privilege required for the application on the operating<br />
system. Be aware of privileges granted by default by APIs and disable them.<br />
**Don't authorize code/app to execute with root/system administrator privilege<br />
**Always perform testing as a standard as well as a privileged user<br />
**Avoid opening application-specific server sockets (listener ports) on the client device.<br />
Use the communication mechanisms provided by the OS.<br />
**Remove all test code before releasing the application<br />
**Ensure logging is done appropriately but do not record excessive logs, especially those<br />
including sensitive user information.<br />
<br />
<br />
''Appendix B- Enterprise Guidelines''<br />
**If a business-sensitive application needs to be provisioned on a device, applications should enforce of a higher security posture on the device (such as PIN, remote management/wipe, app monitoring)<br />
**Device certificates can be used for stronger device authentication.'<br />
<br />
''References"<br />
*1.ENISA. Top Ten Smartphone Risks . [Online] http://www.enisa.europa.eu/act/application-security/smartphone-security-1/top-ten-risks.<br />
*2. OWASP. Top 10 mobile risks. [Online] https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks.<br />
*3. Cloud Computing: Benefits, Risks and Recommendations for information security. [Online] 2009. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.<br />
*4. OWASP Cloud Top 10. [Online] https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project.<br />
*5. Blackberry developers documents. [Online] http://www.blackberry.com/developers/docs/7.0.0api/net/rim/device/api/io/nfc/se/SecureElement.h tml,.<br />
*6. Google Seek For Android. [Online] http://code.google.com/p/seek-for-android/.<br />
*7. Visualizing Keyboard Pattern Passwords. [Online] cs.wheatoncollege.edu/~mgousie/comp401/amos.pdf.<br />
*8. Smudge Attacks on Smartphone Touch Screens. Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. s.l. : Department of Computer and Information Science – University of Pennsylvania.<br />
*9. Google vulnerability of Client Login account credentials on unprotected . [Online] http://www.uni- ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html.<br />
*10. SSLSNIFF. [Online] http://blog.thoughtcrime.org/sslsniff-anniversary-edition. 11. [Online] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02.<br />
Smartphones secure development guidelines for app developers<br />
*11. [Online] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02.<br />
*12. NIST Computer Security. [Online] http://csrc.nist.gov/publications/nistpubs/800-57/sp800- 57_PART3_key-management_Dec2009.pdf.<br />
*13. Google's ClientLogin implementation . [Online] http://www.uni- ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html.<br />
*14. [Online] https://www.owasp.org/index.php/Web_Services.<br />
*15. EU Data Protection Directive 95/46/EC. [Online] http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.<br />
*16. [Online] http://democrats.energycommerce.house.gov/sites/default/files/image_uploads/Testimony_05.04.11 _Spafford.pdf.<br />
*17. [Online] http://www.aivosto.com/project/help/pm-complexity.html.<br />
*18. [Online] http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html.<br />
**19. Google Wallet Security. [Online] http://www.google.com/wallet/how-it-works-security.htm.<br />
<br />
= OWASP Mobile Threat Model Project =<br />
==Mobile Application Threat Model - Beta Release==<br />
<br />
This is the first release (February 2013) of the Mobile Application Threat Model developed by the initial project team (listed at the end of this release). Development began mid-2011 and is being released in beta form for public comment and input. It is by no means complete and some sections will need more contributions, details and also real world case studies. It's the hope of the project team that others in the community can help contribute to this project to further enhance and improve this threat model.<br />
<br />
===Mobile Threat Model Introduction Statement===<br />
Threat modeling is a systematic process that begins with a clear understanding of the system. It is necessary to define the following areas to understand possible threats to the application:<br />
* '''Mobile Application Architecture''' - This area describes how the application is designed from device specific features used by the application, wireless transmission protocols, data transmission mediums, interaction with hardware components and other applications.<br />
* '''Mobile Data''' - What data does the application store and process? What is the business purpose of this data and what are the data workflows?<br />
* '''Threat Agent Identification''' - What are the threats to the mobile application and who are the threat agents. This area also outlines the process for defining what threats apply to the mobile application.<br />
* '''Methods of Attack''' - What are the most common attacks utilized by threat agents. This area defines these attacks so that controls can be developed to mitigate attacks.<br />
* '''Controls''' - What are the controls to prevent attacks. This is the last area to be defined only after previous areas have been completed by the development team.<br />
<br />
===Target Audience for the Mobile Threat Model===<br />
This model is to be used by mobile application developers and software architects as part of the “threat modeling” phase of a typical SDLC process. The model can also be used by Information Security Professionals that need to determine what typical mobile application threats are and provide a methodology for conducting basic threat modeling.<br />
<br />
===How to Use the Mobile Threat Model===<br />
This threat model is designed as an outline or checklist of items that need to be documented, reviewed and discussed when developing a mobile application. Every organization that develops mobile applications will have different requirements as well as threats. This model was designed to be as organizational and industry agnostic as possible so that any mobile application development team can use this as a guide for conducting threat modeling for their specific application. Real world case studies as examples will be integrated to this threat model in the near future.<br />
<br />
==Mobile Application Architecture==<br />
<br />
The mobile application architecture should, at the very least, describe device specific features used by the application, wireless transmission protocols, data transmission medium, interaction with hardware components and other applications. Applications can be mapped to this architecture as a preliminary attack surface assessment.<br />
<br />
===Architecture Considerations===<br />
<br />
Although mobile applications vary in function, they can be described using a generalized model as follows:<br />
<br />
Wireless interfaces<br />
<br />
Transmission Type<br />
<br />
Hardware Interaction<br />
<br />
Interaction with on device applications/services<br />
<br />
Interaction with off device applications/services<br />
<br />
Encryption Protocols<br />
<br />
<br />
<br />
* What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc)<br />
** Carrier<br />
*** Data<br />
*** SMS<br />
*** Voice<br />
** Endpoints<br />
*** Web Services<br />
**** RESTful or SOAP based<br />
**** Third Party (Example: Amazon)<br />
*** Websites<br />
**** Does the app utilize or integrate the “mobile web” version of an existing web site?<br />
*** App Stores<br />
**** Google Play<br />
**** Apple App Store<br />
**** Windows Mobile<br />
**** BlackBerry App Store<br />
*** Cloud Storage<br />
**** Amazon/Azure<br />
*** Corporate Networks (via VPN, ssh, etc.)<br />
** Wireless interfaces<br />
*** 802.11<br />
*** NFC<br />
*** Bluetooth<br />
*** RFID<br />
** Device<br />
*** App Layer<br />
*** Runtime Environment (VM, framework dependencies, etc)<br />
*** OS Platform<br />
** Apple iOS<br />
** Android<br />
** Windows Mobile<br />
** BlackBerry<br />
*** Baseband<br />
* Common hardware components<br />
** GPS<br />
** Sensors (accelerometer)<br />
** Cellular Radios (GSM/CDMA/LTE)<br />
** Flash Memory<br />
** Removable Storage (i.e.- SD)<br />
** USB ports<br />
** Wireless Interfaces<br />
*** 802.11<br />
*** Bluetooth<br />
*** NFC<br />
*** RFID<br />
** Touch Screen<br />
** Hardware Keyboard<br />
** Microphone<br />
** Camera<br />
* Authentication<br />
** Method<br />
*** Knowledge based<br />
*** Token based<br />
*** Biometrics<br />
** Input Type<br />
*** Keyboard<br />
*** Touch screen<br />
*** Hardware peripheral<br />
** Decision Process<br />
*** Local (on device)<br />
*** Remote (off device)<br />
* Define app architecture relative to OS stack + security model<br />
** What should or shouldn't the app do?<br />
<br />
<br />
==Mobile Data==<br />
This section defines what purpose does the app serve from a business perspective and what data the app store, transmit and receive. It’s also important to review data flow diagrams to determine exactly how data is handled and managed by the application.<br />
<br />
* What is the business function of the app?<br />
* What data does the application store/process (provide data flow diagram)<br />
** This diagram should outline network, device file system and application data flows<br />
** How is data transmitted between third party API’s and app(s)<br />
** Are there different data handling requirements between different mobile platforms? (iOS/Android/Blackberry/Windows/J2ME) <br />
** Does the app use cloud storage APIs (Dropbox, Google Drive, iCloud, Lookout) for device data backups<br />
** Does personal data intermingle with corporate data?<br />
** Is there specific business logic built into the app to process data?<br />
* What does the data give you (or an attacker) access to<br />
** Data at Rest<br />
** Example: Do stored credentials provide authentication?<br />
** Data in Transit<br />
** Example: Do stored keys allow you to break crypto functions (data integrity)?<br />
* Third party data, is it being stored/transmitted?<br />
** What is the privacy requirements of user data<br />
** Example: UDID or Geolocation on iOS transmitted to 3rd party<br />
** Are there regulatory requirements to meet specific to user privacy?<br />
* How does other data on the device affect the app (sandboxing restrictions enforced?)<br />
** Example: Authentication credentials shared between apps<br />
* What is the impact of Jailbroken/Rooted vs Non Jailbroken/Rooted device and how this affects app data (can also relate to threat agent identification)<br />
<br />
<br />
==Threat Agent Identification==<br />
What are the threats to the mobile application and who are the threat agents. This area also outlines the process for defining what threats apply to the mobile application.<br />
<br />
===Identifying Threat Agents===<br />
<br />
The process of identifying a threat agent is very simple and have been mentioned in the below steps:<br />
<br />
'''S1''': Take the list of all sensitive data (or information to protect) listed down from Section 2 – Mobile Data<br />
<br />
'''S2:''' Make a list of all the ways to access this data<br />
<br />
'''S3:''' The medium used to access the same listed in S3 is the Threat Agent to be identified<br />
<br />
<br />
===Threat Agent Identification Example===<br />
<br />
Let us understand it in a better way using an example of a Financial Application (specifically a Banking Application). Following the process as mentioned above:<br />
<br />
'''S1:''' Sensitive data present in the application has been listed as: Beneficiary Details stored in some form in the Phone Application Memory and User Credentials used for authentication transmitted to the server.<br />
'''S2:''' List the various ways of accessing information:<br />
<br />
# Beneficiary Details:<br />
## A device user aiming to browse through the memory card / phone memory<br />
## An adversary using a jail broken phone; starts reading the content through putty/WinSCP via SSH<br />
## An adversary while sniffing the WiFi, traffic sniffs the content travelling through the network<br />
## Another malicious application while reading the phone memory contents, stumbles upon this data as the device is Jailbroken<br />
## Another application which is sending data through SMS sends this data.<br />
## A Web Application executing a script on the browser tries to get steal the phone memory and send it to its server.<br />
<br />
<br />
'''S3:''' From the above points, we list down the medium used:<br />
<br />
# Any user who has the device (Stolen device/ friend / etc)<br />
## Any malicious application (installed / Web based script)<br />
## An adversary sniffing the Wifi.<br />
## etc.<br />
<br />
<br />
From the above example you should have a clear picture on how to identify Threat Agents. Below is list of threat agents, which were identified while analyzing various commonly used applications.<br />
<br />
<br />
===Listing of Threat Agents - By Category===<br />
<br />
<br />
====Human Interaction====<br />
<br />
<br />
<br />
* '''Stolen Device User:''' A user who obtained unauthorized access to the device aiming to get hold of the memory related sensitive information belonging to the owner of the device.<br />
<br />
* '''Owner of the Device:''' A user who unwillingly has installed a malicious application on his phone which gains access to the device application memory.<br />
<br />
* '''Common WiFi Network User:''' This agent is aimed at any adversary intentionally or unintentionally sniffing the WiFi network used by a victim. This agent stumbles upon all the data transmitted by the victim device and may re-use it to launch further attacks.<br />
<br />
* '''Malicious Developer:''' A human user who has the intent of writing an application which not only provides a commonly known function like gaming / calculator / utility in the foreground but steal as much information from your device as possible in real-time and transmits it to the malicious user. This agent can also be looked at an angle from which he codes an app to perform DOS by using up all the device resources.<br />
<br />
* '''Organization Internal Employees:''' Any user who is part of the organization (may be a programmer / admin / user / etc). Anyone who has privileges to perform an action on the application.<br />
<br />
* '''App Store Approvers/Reviewers:''' Any app store which fails to review potentially dangerous code or malicious application which executes on a user’s device and performs suspicious/ malicious activities<br />
<br />
<br />
<br />
<br />
<br />
====Automated Programs====<br />
<br />
<br />
<br />
* '''Malware on the device''': Any program / mobile application which performs suspicious activity. It can be an application, which is copying real time data from the user’s device and transmitting it to any server. This type of program executes parallel to all the processes running in the background and stays alive performing malicious activity all the time. E.g. Olympics App which stole text messages and browsing history:[http://venturebeat.com/2012/08/06/olympics-android-app/ ][http://venturebeat.com/2012/08/06/olympics-android-app/ http://venturebeat.com/2012/08/06/olympics-android-app/]<br />
<br />
* '''Scripts executing at the browser with HTML5''': Any script code written in a language similar to JavaScript having capability of accessing the device level content falls under this type of agent section. A script executing at the browser reading and transmitting browser memory data / complete device level data.<br />
<br />
* '''Malicious SMS''': An incoming SMS redirected to trigger any kind of suspicious activity on the mobile device. There are multiple services which keep running in the background. Each of these services have listeners which might be active to listen for the content of an incoming SMS. An SMS message may be a sort of trigger for the service to perform some suspicious activity.<br />
<br />
* '''Malicious App:''' Failure to detect malicious or vulnerable code and the likelihood of a compromise or attack against the app store itself, potentially turning legitimate code into hostile things including updates and new downloaded apps.<br />
<br />
<br />
<br />
Below is a diagram illustrated to understand the Threat Agents and Threats in a visual manner:<br />
<br />
<br />
[[image:Mobile-app-threat-agents.png|582x527px]]<br />
<br />
<br />
<br />
'''Figure 1 : Pictorial Representation of Threats and Agents'''<br />
<br />
<br />
<br />
==Methods of Attack==<br />
In this section, we will observe different methods an attacker can use to reach the data. This data can be sensitive information to the device or something sensitive to the app itself.<br />
<br />
<br />
<br />
===Attack’s Flowchart===<br />
<br />
Destruction of the asset is normally classified as attack. Attack can be further categorized as a planned attack or an unplanned one. Unintended attacks are normally caused due to some form of accidental actions.<br />
<br />
<br />
<br />
[[image:Mobile-app-attack-workflow.png]]<br />
<br />
'''Figure 2: Attack Workflow'''<br />
<br />
<br />
<br />
===Attack Scenario===<br />
<br />
'''“Method aimed to read the local application memory”'''<br />
<br />
<br />
<br />
The above mentioned attack methodology is the one in which the data which is targeted is application specific memory and the method used is memory based analysis. The attacker steals any sensitive data like passwords, userid, user account information which is stored in the application memory by reading the device memory.<br />
<br />
<br />
<br />
We have listed down other methods below which can be mapped with the second section in a similar fashion:<br />
<br />
<br />
<br />
The classification of attacks based on the way data is handled:<br />
<br />
<br />
<br />
* Carrier Based Methods<br />
<br />
<br />
<br />
# Man in the middle (MiTM) attacks which can steal data packets including SMS or voice packets<br />
# Hijack wireless transmission.<br />
<br />
<br />
<br />
* Endpoints based methods<br />
<br />
<br />
<br />
# Inject code to tamper with web application or web services<br />
# Many of the OWASP Mobile Top 10/OWASP Web Application Top 10<br />
# Publishing Malwares in the app store<br />
# Stealing user sensitive phone contents using Malwares<br />
# Cloud storage<br />
# Targeting malicious corporate network. (e.g. VPN Keys, etc)<br />
<br />
<br />
<br />
* Wireless interfaces based methods<br />
<br />
<br />
<br />
# Stealing data when its in-transit using wireless channel like 802.11, NFC based data exchange or Bluetooth based data exchange. Application Level Attacks<br />
<br />
<br />
<br />
* OS and application level methods<br />
<br />
<br />
<br />
# Exploit the Input validation on client-side by by-passing the checks<br />
# An adversary steals sensitive data by reading SD Card based stored content<br />
# Exploiting vulnerabilities within an app or runtime environment. (VM, framework dependencies, etc)<br />
# An adversary exploits OS level functionalities steal data from device or server<br />
# Rooting or Jailbreaking the phone to access sensitive data from memory<br />
<br />
<br />
<br />
* Miscellaneous Methods<br />
<br />
<br />
<br />
# Method used to exploit and steal GPS based signals which falls in users personal information<br />
# Method used to exploit the flash memory<br />
# Method used to perform “tap jacking” based attacks.<br />
# Method used to steal keyboard cache or logs.<br />
# Method used to steal microphone recordings of a user<br />
# Method used to exploit and misuse the camera functionality.<br />
<br />
<br />
==Controls==<br />
What are the controls to prevent attacks. This is the last area to be defined only after previous areas have been completed by the development team.<br />
<br />
<br />
* What are the controls to prevent an attack?<br />
** Defined by platform<br />
*** Apple iOS<br />
*** Android<br />
*** Windows Mobile<br />
*** BlackBerry<br />
* What are the controls to detect an attack?<br />
** Defined by platform<br />
*** Apple iOS<br />
*** Android<br />
*** Windows Mobile<br />
*** BlackBerry<br />
* What are the controls to mitigate/minimize impact of an attack?<br />
** Defined by platform<br />
*** Apple iOS<br />
*** Android<br />
*** Windows Mobile<br />
*** BlackBerry<br />
* What are the controls to protect users private information (privacy controls)<br />
** Example: prompts for access to address book/geolocation<br />
* Create a mapping of controls to each specific method of attack (defined in Section 4 – Methods of Attack)<br />
** Create level of assurance framework based on controls implemented. This would be subjective to a certain point, but it would be useful in guiding organizations who want to achieve a certain level of risk management based on the threats and vulnerabilities<br />
* Case studies, control examples<br />
<br />
<br />
==Project Contributors==<br />
Special thanks to the following team members who contributed to the initial release of the threat model:<br />
<br />
<br />
Tom Eston (Project Lead)<br />
<br />
Jack Mannino<br />
<br />
Sreenarayan Ashokkumar<br />
<br />
Swapnil Deshmukh<br />
<br />
Brandon Knight<br />
<br />
Steve Jensen<br />
<br />
Shimon Modi<br />
<br />
Rodrigo Marcos<br />
<br />
Brandon Clark<br />
<br />
Yvesmarie Quemener<br />
<br />
Yashraj Paralikar<br />
<br />
Ritesh Taank<br />
<br />
= Mobile Device Management(MDM) =<br />
==What is MDM Technology?==<br />
MDM is a way to ensure employees stay productive and do not breach corporate policies. Many organizations control activities of their employees using MDM products/services. <br />
MDM primarily deals with corporate data segregation, securing emails, securing corporate documents on device, enforcing corporate policies, integrating and managing mobile devices including laptops and handhelds of various categories.<br />
There are two major types of MDM implementations:<br />
1. On-premise Solution<br />
2. Cloud-based Solution<br />
For the organizations where security is highest concern, it preferred to have On-premise solution. This is always suggested for mission critical secure applications.<br />
Cloud-based solution provides ease of access for the administrator.<br />
<br />
==How does it provide Security?==<br />
All MDM products are built with an idea of Containerization. The MDM Container is secured using latest crypto techniques (AES-256 or more preferred). All the corporate data like email, documents, enterprise application are encrypted and processed inside the container. This ensures that corporate data is separated from user’s personal data on the device.<br />
Additionally, encryption for entire device and/or SD Card can also be enforced depending on MDM product capability.<br />
<br />
'''Secure Email:'''<br />
MDM products allow organization to integrate their existing email setup to be easily integrated with MDM environment. Almost all MDM products support easy integration with Exchange Server (2003/2007/2010), Office365, Lotus Notes, Blackberry Enterprise Server (BES) and others. This provided flexibility of configuring Email-over-air.<br />
<br />
'''Secure Docs:'''<br />
It is frequently seen that, employees copy attachments downloaded from corporate email to their personal devices and then misuse it. MDM can easily restrict/disable clipboard usage in/out of Secure Container; forwarding attachments to external domains can be restricted, downloading/saving attachments on SD Card. This ensures corporate data is not left insecure.<br />
<br />
'''Secure Browser:'''<br />
Using secure browser can avoid many potential security risks. Every MDM solution comes with built-in custom browser. Administrator can disable native browsers to force user to use Secure Browser, which is also inside the MDM container. URL filtering can be enforced to add additional productivity measure.<br />
<br />
'''Secure App Catalogue:'''<br />
Organization can distribute, manage, and upgrade applications on employee’s device using App Catalogue. It allows applications to be pushed on user device directly from the App Store or push an enterprise developed private application through the App Catalogue. This provides an option for the organization to deploy devices in Kiosk Mode or Lock-Down Mode.<br />
<br />
<br />
==Additional MDM Features:==<br />
There are plenty of other features depending on which MDM product being chosen. Below is the list for it:<br />
<br />
• '''Policy Enforcing''': There are multiple types of policies which can be enforced on MDM users.<br />
1. Persona Policy: According to corporate environment, highly customizable<br />
2. Device Platform specific: policies for advanced management of Android, IOS, Windows and Blackberry devices.<br />
3. Compliance Policies/Rules<br />
• VPN configuration<br />
• Application Catalogue<br />
<br />
• Pre-defined Wi-Fi and Hotspot settings<br />
<br />
• Jail-break/Root detection<br />
<br />
• Remote Wipe of corporate data<br />
<br />
• Remote Wipe of entire device<br />
<br />
• Device remote locking<br />
<br />
• Remote messaging/buzz<br />
<br />
• Disabling native apps on device<br />
<br />
<br />
==More light on MDM-MAM-MEM:==<br />
'''Mobile Device Management (MDM)''' is like adding an extra layer of security and ensuring a way to monitor device related activities. MDM provides device platform specific features like device encryption, platform specific policies, SD Card encryption. Geo-location tracking, connectivity profiles (VPN, Wi-Fi, Bluetooth) and plenty other features are part of MDM Suite.<br />
<br />
'''Mobile Application Management (MAM)''' is done by application wrapping i.e. injection arbitrary encryption code in the mobile application source. This is necessary for commercial applications or applications being developed in-house for Enterprise use. Additionally, white-listing/black-listing of application can be done. Features like Application Catalogue allow admin to push applications remotely to the devices for instant install, push remote updates and also remote removal of apps.<br />
<br />
'''Mobile Email Management (MEM)''' ensures your corporate emails are containerized using advanced proprietary/free encryption algorithms. MEM ensures all emails remain inside the secure container, so that attackers get encrypted data even if they try to compromise the device data using USB cable on a system. Heavy restrictions on clipboard, attachments and trusted domains can be enforced. Nothing can move in-out of the secure container as clipboard is disabled. Even the attachments are downloaded and saved inside the secure container. To view the attachments there is secure document reader as well as secure document editor available in MDM solutions. Adding trusted domains will ensure that data from corporate email is not leaked to malicious/suspicious domains.<br />
<br />
<br />
'''Top MDM Vendors in Market:'''<br />
<br />
• AirWatch by VMware<br />
<br />
• Amtel MDM<br />
<br />
• BlackBerry BES10<br />
<br />
• CA Technologies MDM<br />
<br />
• Citrix XenMobile<br />
<br />
• Dell EMM<br />
<br />
• Good Technology MDM<br />
<br />
• IBM MaaS360 MDM<br />
<br />
• McAfee EMM<br />
<br />
• Microsoft Enterprise Mobility Suite (EMS)<br />
<br />
• MobileIron EMM<br />
<br />
• SAP Afaria MDM<br />
<br />
• SOTI MobiControl MDM<br />
<br />
• Symantec Mobile Management<br />
<br />
==For More Technical Details and Queries==<br />
<br />
'''Author: Milan Singh Thakur'''<br />
<br />
Contact: ''milanthakur2010@gmail.com''<br />
<br />
Linkedin: Connect Professionally[https://in.linkedin.com/in/milansinghthakur]<br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /></div>Andipannellhttps://wiki.owasp.org/index.php?title=Mobile_Top_Ten_Contributions&diff=193481Mobile Top Ten Contributions2015-04-16T09:23:28Z<p>Andipannell: /* Wiki Content */</p>
<hr />
<div>This page is a work in progress. If we have omitted you, or incorrectly affiliated you, please contact us right away.<br />
<br />
== Project Leads ==<br />
<br />
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]<br />
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]<br />
* [mailto:jonthan.carter@owasp.org Jonathan Carter - Arxan Technologies]<br />
<br />
== Strategic Roadmap ==<br />
<br />
[[Media:OWASP Mobile Top Ten 2015 - Strategy.pdf|Strategy Document]]<br />
<br />
== Wiki Content ==<br />
<br />
* Zach Lanier<br />
* Mike Zuzman<br />
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]<br />
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]<br />
* Rahil Parikh - Gotham Digital Science<br />
* Ron Gutierrez - Gotham Digital Science<br />
* [mailto:jonathan.carter@owasp.org Jonathan Carter - Arxan Technologies]<br />
* [mailto:chad.butler@owasp.org Chad Butler - Concur Technologies]<br />
* [mailto:andrew.pannell@owasp.org Andrew Pannell - IRM]<br />
<br />
== Data Contributors ==<br />
<br />
* [http://www8.hp.com/us/en/software-solutions/fortify-on-demand-application-security/mobile-application-security.html HP Fortify]<br />
* [https://twitter.com/andresitoath Andreas Athanasoulias & Syntax IT]<br />
* [http://www.espheresecurity.com/ Hemil Shah and eSphere Security]<br />
* [http://www.riis.com/ Godfrey Nolan and RIIS (Research Into Internet Systems)]<br />
* [http://www.arxan.com/ Arxan Technologies]<br />
* [http://www.bugcrowd.com/ Bugcrowd]<br />
* [http://www.hacklabs.com/ Hacklabs]<br />
* [http://www.ibm.com/security/xforce/ IBM X-Force Threat Intelligence]<br />
* [http://www.krvw.com/ KRVW Associates]<br />
* [http://www.metaintelli.com/ MetaIntelli]<br />
* [http://www.purehacking.com/ Pure Hacking]<br />
* [http://www.securenetwork.it/ Secure Network]<br />
<br />
== Data ==<br />
<br />
The 2015 data sets are stored at the below link:<br />
<br />
[https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0 https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0]<br />
<br />
== Synthesis ==<br />
<br />
Key observations and trends from the data can be found in here:<br />
<br />
* [http://www.owasp.org/images/b/b5/OWASP_Mobile_Top_Ten_2015_-_Synthesis_Document_v0.1.pdf Synthesis Document v0.1]<br />
<br />
== Additional Thanks ==<br />
<br />
* Jim Mannico<br />
* Paco Hope</div>Andipannellhttps://wiki.owasp.org/index.php?title=Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad&diff=192813Projects/OWASP Mobile Security Project -2015 Scratchpad2015-04-07T09:41:16Z<p>Andipannell: /* Audience-Specific Guidance */</p>
<hr />
<div>This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.<br />
<br />
=What is It?=<br />
<br />
This is the "Mobile Top Ten" ''what''? It's the top 10 "stuff people tend to screw up", but here are some important questions.<br />
<br />
* Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."<br />
<br />
* Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.<br />
<br />
* What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps ''do'' care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?<br />
** If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.<br />
** If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".<br />
** If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.<br />
** If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.<br />
<br />
=Who is it For?=<br />
<br />
Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?<br />
<br />
(''Paco's opinion'') We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.<br />
<br />
=Comments on Submitted Data=<br />
<br />
==General==<br />
<br />
(Jason) By looking at some data sets it becomes clear there is a doctrine that some consultancies use to do mobile testing. Some did not contribute m1 data, because they consider mobile security client-only. The same applied to m10. In addition, a couple of datasets used CWE IDs. These were harder to parse because generic CWE's do not specify if the vuln is client or server (and in a lot of these cases the vuln could be either). As Paco stated, code quality, source level findings are hard to categorize as well.<br />
<br />
==BugCrowd==<br />
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).<br />
<br />
I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.<br />
<br />
We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?<br />
<br />
==MetaIntelli==<br />
<br />
They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.<br />
<br />
=Other Questions=<br />
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?<br />
<br />
I can imagine a heuristic like this:<br />
* did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.<br />
* Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.<br />
<br />
Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?<br />
<br />
=Conclusions Drawn From Data=<br />
These are conclusions proposed from the 2014 data.<br />
==At Least One New Category Is Needed==<br />
((Paco)) The "Other" category is not the least popular category. It's more popular, by an order of magnitude, than several others. This tells me that if we had a better category that captured "other" findings, it would be a benefit to the users of the top 10.<br />
<br />
==The Bottom 5 Categories account for 25% Or Less==<br />
<br />
The least popular 5 items are (where "1" is the least popular and "5" is 5th least popular or 6th most popular):<br />
<br />
# M8: Security Decisions Via Untrusted Inputs<br />
# M7: Client Side Injection<br />
# M9: Improper Session Handling<br />
# M6: Broken Cryptography<br />
# M1: Weak Server Side Controls<br />
<br />
Combined with the fact that the 3rd or 4th most popular category is "Other", this suggests that 2 or 3 of these are, in fact, not in the "top ten". They may be, for example, 11 and 12 or even higher.<br />
<br />
==The Existing Buckets are Hard To Use==<br />
<br />
A few contributors tried to categorise their findings into the existing MT10. When they did, they showed symptoms of difficulty. Some examples in the table below show how MetaIntelli flagged findings in two different categories, and BugCrowd flagged the same kind of finding in 3 different categories. This suggests that the existing MT10 is not clear enough about where these issues belong.<br />
<br />
{|<br />
! Description<br />
! Contributor<br />
! Categories<br />
|-<br />
|The app is not verifying hostname, certificate matching and validity when doing SSL secure connections.<br />
|MetaIntelli<br />
|M3 and M9<br />
|-<br />
|Contains URLs with not valid SSL certificates and/or chain of trust<br />
|MetaIntelli<br />
|M3 and M5<br />
|-<br />
|Authentication cookies stored in cleartext in sqlite database<br />
|BugCrowd<br />
|M9 - Improper Session Handling<br />
|-<br />
|Blackberry app stores credentials in plaintext<br />
|BugCrowd<br />
|M2 - Insecure Data Storage<br />
|-<br />
|Credentials and sensitive information not secured on Windows Phone app<br />
|BugCrowd<br />
|M5 - Poor Authorization and Authentication<br />
|}<br />
<br />
==Some Topics that Show Up But Are Hard To Place==<br />
<br />
There are a few things that show up in the contributed data that do not have a good category to go into.<br />
<br />
===Code Level Findings===<br />
<br />
If someone is doing bad C coding (e.g., strcpy() and similar), there is no good bucket for that. Likewise, misusing the platform APIs (e.g., Android, iOS, etc.) is not well covered. It's hard to place violations of platform best practices (e.g., with intents and broadcasts and so on).<br />
<br />
Most of the Android developers use "printStackTrace" in their code, which is a bad practice. Even the Android APK is released in DEBUG mode.<br />
<br />
=OWASP Category Elements=<br />
This section explores the critical elements that must be included within all OWASP Mobile Top Ten 2015 categories. Each element is listed below along with a brief description of the appropriate content. The goal is to "test drive" this list of required elements with a sample, non-commital category to verify that the elements adequately cover what is needed within each of the OWASP Mobile Top Ten 2015 categories. Each of these elements has been initially based off the Google Hangout meeting held on April 1 2015.<br />
<br />
==Label (generic and audience-specific labels)==<br />
This element is a unique identifier for the bucket of issues that belong together. In the [https://docs.google.com/a/owasp.org/forms/d/1WMEbjVgXU4VkjHP5AcW934D9EI0_XQ5vmjb-Y5liMQY/viewform OWASP Mobile Top Ten 2015 Survey], we found that there were many different audiences that may use the OWASP Mobile Top Ten 2015 for different purposes. As always, there needs to be a generic label that uniquely identifies each bucket of issues. However, there should also be additional labels for the same category that are audience-specific to make it easier for different audiences to identify the category they are looking for. These additional labels will help clarify and differentiate the categories.<br />
<br />
==Overview Text==<br />
This element is a generic education piece (100-200 words) around the nature of the category. It should describe the nature of the category as it relates to the different audiences (e.g., penetration testers; software engineers). It should include external references and educational links to other sources around the nature of the problem.<br />
<br />
==Prominent Characteristics==<br />
This element eliminates any uncertainty or ambiguity that may result from vagueness / broadness in the category labels. It should include "headline vulnerabilities" that made it into the media and help each audience get a "gut feel" for what belongs to this category. In the 2014 list, we found that there were many instances where the same vulnerabilities were spread across many different categories. Hence, the need for this additional element along with a strive towards better categorisation.<br />
<br />
==Risk==<br />
This element helps clarify how critical the category of issues is from both a business and technical perspective. During the meeting of April 1 2015, it was proposed that the CVSS classification scheme may be used here as a way of helping guide the audiences in prioritisation of the fixing of the issues.<br />
<br />
==Examples==<br />
This element gives coding-specific examples, CVE vulnerabilities and newsworthy events that fall into this category. This element will help clarify to the difference audiences what fits into this category. <br />
<br />
== Audience Specific Guidance==<br />
This element gives practical advice and guidance for category remediation that is relevant to each audience (100-200 words). Each audience may approach the issue of remediation from very different perspectives. For example, an auditor may simply want to know more about whether or not remediation is appropriate. Meanwhile, a software engineer may want to have coding-specific advice. Each audience's concerns must be addressed in this element. <br />
<br />
<br />
="Test Drive" Category Element=<br />
Here, we are testing a particular category to see whether or not the proposed elements for each category are adequate to address each audience's needs. It is important to note that this is a sample category and is not a formal commitment to any final category in the OWASP Mobile Top Ten 2015. It is strictly meant for testing purposes. Members who would like to 'own' particular elements in the category below should 'sign up' and add content where appropriate.<br />
<br />
==Insecure Data Transmission==<br />
<br />
===Generic Label===<br />
Owner(s): Jonathan Carter<br />
<br />
===Audience-Specific Labels===<br />
Owner(s): Jonathan Carter<br />
<br />
===Overview Text===<br />
<br />
This category focuses on the many available communication channels in the mobile environment and the secure transmission of data through them. If your application is using '''Wi-Fi, WiFi-direct, Bluetooth, Infra-red, RFIDs, POS devices (with NFC Tags)'''; then this category provides guidance in securing data while in transit. Included but not limited to are '''plaintext transmission of sensitive data, insufficient authentication of encrypted channel endpoints, insufficient regard to failures in building a properly encrypted channel, poor choice of security mechanisms over distinct networks''', etc.<br />
<br />
Additionaly, this category applies in the same way to secure data transmission in the '''Internet Of Things (IoT)'''.<br />
<br />
<br />
Owner(s): Milan Singh Thakur<br />
<br />
===Prominent Characteristics===<br />
Owner(s): David Fern<br />
<br />
The key differentiator of this vulnerability is that it is concerned about unencrypted or improperly encrypted data being stolen during transmission, not on the device but through the airwaves.<br />
<br />
[[File:Data Transport.jpg]]<br />
<br />
'''Insecure Data Transmission should not be confused with others in the top 10 such as:<br />
'''<br />
<br />
'''M3: Insufficient Transport Layer Protection''' – I DO NOT SEE ANT DIFFERENCE <br />
<br />
'''M4: Unintended Data Leakage''' – Unintended data leakage is a result of insecure data transmission. Once data has been stolen and interpreted it may contain information that is valuable to attackers (leaked). <br />
<br />
'''M6: Broken Cryptography''' – While broken cryptography does relate to data that has been improperly encrypted, and it may be an input or causes of insecure data transmission, it focuses on the encryption process/technique itself on the device transmitting the data.<br />
<br />
===Risk===<br />
Confidential and sensitive data residing on the mobile devices if not fully SSL encrypted during transmission is highly susceptible to eavesdropping. As majority of wireless, mobile devices have capability to use and switch to various home Wifi and public unsecured Wifi. This could be disastrous while giving attackers a glimpse of your personal, non-shareable information which can lead to '''identity theft''' and '''social engineering attacks'''. Similarly, it applies to those mobile apps also where data transmission is not fully SSL encrypted and failed to perform a Valid SSL Certificate check. Additionally, this might lead further to '''man-in-the-middle attacks'''.<br />
<br />
Even if the application uses encryption and the device is connected to a public WiFi, an attacker can easily capture all Wireless traffic (as in War-driving). Then attacker can perform '''offline decryption''' and possibly have all your sensitive data. <br />
Consider the situation where your application server uses TLS1.0/SSLv3. You think it is secure? Nope, it is highly vulnerable to attacks like '''CRIME, POODLE and Handshake Re-negotiation'''.<br />
<br />
Owner(s): Rajvinder Singh, Milan Singh Thakur<br />
<br />
===Examples===<br />
Owner(s): Adam Kliarsky<br />
<br />
===Audience-Specific Guidance===<br />
Owner(s): Andi Pannell<br />
<br />
From both a development and auditing stance, the easiest way to test this is to insert a proxy (such as burp) between the device running the mobile app and the wifi connection. <br />
Looking for data being transferred over plain text, as well as identifying weak procotols (SSLv2, SSLv3) and ciphers (RC4, MD5) being used to transmit data.<br />
<br />
=Top Ten Scratchpad=<br />
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.<br />
<br />
==M1: Weak Server Side Controls ==<br />
Stuff<br />
<br />
==M2: Insecure Data Storage ==<br />
(Jason) As i look through the data I think more and more about how m2 and m4 might be combined.<br />
<br />
==M3: Insufficient Transport Layer Protection ==<br />
Stuff<br />
<br />
==M4: Unintended Data Leakage ==<br />
<br />
Stuff<br />
==M5: Poor Authorization and Authentication ==<br />
<br />
Stuff<br />
==M6: Broken Cryptography ==<br />
<br />
Stuff<br />
==M7: Client Side Injection ==<br />
<br />
Stuff<br />
==M8: Security Decisions Via Untrusted Inputs ==<br />
<br />
Stuff<br />
==M9: Improper Session Handling ==<br />
<br />
Stuff<br />
==M10: Lack of Binary Protections ==<br />
<br />
(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.</div>Andipannellhttps://wiki.owasp.org/index.php?title=Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad&diff=192572Projects/OWASP Mobile Security Project -2015 Scratchpad2015-04-01T21:52:15Z<p>Andipannell: /* Audience-Specific Guidance */</p>
<hr />
<div>This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.<br />
<br />
=What is It?=<br />
<br />
This is the "Mobile Top Ten" ''what''? It's the top 10 "stuff people tend to screw up", but here are some important questions.<br />
<br />
* Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."<br />
<br />
* Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.<br />
<br />
* What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps ''do'' care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?<br />
** If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.<br />
** If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".<br />
** If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.<br />
** If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.<br />
<br />
=Who is it For?=<br />
<br />
Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?<br />
<br />
(''Paco's opinion'') We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.<br />
<br />
=Comments on Submitted Data=<br />
<br />
==General==<br />
<br />
(Jason) By looking at some data sets it becomes clear there is a doctrine that some consultancies use to do mobile testing. Some did not contribute m1 data, because they consider mobile security client-only. The same applied to m10. In addition, a couple of datasets used CWE IDs. These were harder to parse because generic CWE's do not specify if the vuln is client or server (and in a lot of these cases the vuln could be either). As Paco stated, code quality, source level findings are hard to categorize as well.<br />
<br />
==BugCrowd==<br />
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).<br />
<br />
I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.<br />
<br />
We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?<br />
<br />
==MetaIntelli==<br />
<br />
They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.<br />
<br />
=Other Questions=<br />
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?<br />
<br />
I can imagine a heuristic like this:<br />
* did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.<br />
* Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.<br />
<br />
Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?<br />
<br />
=Conclusions Drawn From Data=<br />
These are conclusions proposed from the 2014 data.<br />
==At Least One New Category Is Needed==<br />
((Paco)) The "Other" category is not the least popular category. It's more popular, by an order of magnitude, than several others. This tells me that if we had a better category that captured "other" findings, it would be a benefit to the users of the top 10.<br />
<br />
==The Bottom 5 Categories account for 25% Or Less==<br />
<br />
The least popular 5 items are (where "1" is the least popular and "5" is 5th least popular or 6th most popular):<br />
<br />
# M8: Security Decisions Via Untrusted Inputs<br />
# M7: Client Side Injection<br />
# M9: Improper Session Handling<br />
# M6: Broken Cryptography<br />
# M1: Weak Server Side Controls<br />
<br />
Combined with the fact that the 3rd or 4th most popular category is "Other", this suggests that 2 or 3 of these are, in fact, not in the "top ten". They may be, for example, 11 and 12 or even higher.<br />
<br />
==The Existing Buckets are Hard To Use==<br />
<br />
A few contributors tried to categorise their findings into the existing MT10. When they did, they showed symptoms of difficulty. Some examples in the table below show how MetaIntelli flagged findings in two different categories, and BugCrowd flagged the same kind of finding in 3 different categories. This suggests that the existing MT10 is not clear enough about where these issues belong.<br />
<br />
{|<br />
! Description<br />
! Contributor<br />
! Categories<br />
|-<br />
|The app is not verifying hostname, certificate matching and validity when doing SSL secure connections.<br />
|MetaIntelli<br />
|M3 and M9<br />
|-<br />
|Contains URLs with not valid SSL certificates and/or chain of trust<br />
|MetaIntelli<br />
|M3 and M5<br />
|-<br />
|Authentication cookies stored in cleartext in sqlite database<br />
|BugCrowd<br />
|M9 - Improper Session Handling<br />
|-<br />
|Blackberry app stores credentials in plaintext<br />
|BugCrowd<br />
|M2 - Insecure Data Storage<br />
|-<br />
|Credentials and sensitive information not secured on Windows Phone app<br />
|BugCrowd<br />
|M5 - Poor Authorization and Authentication<br />
|}<br />
<br />
==Some Topics that Show Up But Are Hard To Place==<br />
<br />
There are a few things that show up in the contributed data that do not have a good category to go into.<br />
<br />
===Code Level Findings===<br />
<br />
If someone is doing bad C coding (e.g., strcpy() and similar), there is no good bucket for that. Likewise, misusing the platform APIs (e.g., Android, iOS, etc.) is not well covered. It's hard to place violations of platform best practices (e.g., with intents and broadcasts and so on).<br />
<br />
<br />
=OWASP Category Elements=<br />
This section explores the critical elements that must be included within all OWASP Mobile Top Ten 2015 categories. Each element is listed below along with a brief description of the appropriate content. The goal is to "test drive" this list of required elements with a sample, non-commital category to verify that the elements adequately cover what is needed within each of the OWASP Mobile Top Ten 2015 categories. Each of these elements has been initially based off the Google Hangout meeting held on April 1 2015.<br />
<br />
==Label (generic and audience-specific labels)==<br />
This element is a unique identifier for the bucket of issues that belong together. In the [https://docs.google.com/a/owasp.org/forms/d/1WMEbjVgXU4VkjHP5AcW934D9EI0_XQ5vmjb-Y5liMQY/viewform OWASP Mobile Top Ten 2015 Survey], we found that there were many different audiences that may use the OWASP Mobile Top Ten 2015 for different purposes. As always, there needs to be a generic label that uniquely identifies each bucket of issues. However, there should also be additional labels for the same category that are audience-specific to make it easier for different audiences to identify the category they are looking for. These additional labels will help clarify and differentiate the categories.<br />
<br />
==Overview Text==<br />
This element is a generic education piece (100-200 words) around the nature of the category. It should describe the nature of the category as it relates to the different audiences (e.g., penetration testers; software engineers). It should include external references and educational links to other sources around the nature of the problem.<br />
<br />
==Prominent Characteristics==<br />
This element eliminates any uncertainty or ambiguity that may result from vagueness / broadness in the category labels. It should include "headline vulnerabilities" that made it into the media and help each audience get a "gut feel" for what belongs to this category. In the 2014 list, we found that there were many instances where the same vulnerabilities were spread across many different categories. Hence, the need for this additional element along with a strive towards better categorisation.<br />
<br />
==Risk==<br />
This element helps clarify how critical the category of issues is from both a business and technical perspective. During the meeting of April 1 2015, it was proposed that the CVSS classification scheme may be used here as a way of helping guide the audiences in prioritisation of the fixing of the issues.<br />
<br />
==Examples==<br />
This element gives coding-specific examples, CVE vulnerabilities and newsworthy events that fall into this category. This element will help clarify to the difference audiences what fits into this category. <br />
<br />
== Audience Specific Guidance==<br />
This element gives practical advice and guidance for category remediation that is relevant to each audience (100-200 words). Each audience may approach the issue of remediation from very different perspectives. For example, an auditor may simply want to know more about whether or not remediation is appropriate. Meanwhile, a software engineer may want to have coding-specific advice. Each audience's concerns must be addressed in this element. <br />
<br />
<br />
="Test Drive" Category Element=<br />
Here, we are testing a particular category to see whether or not the proposed elements for each category are adequate to address each audience's needs. It is important to note that this is a sample category and is not a formal commitment to any final category in the OWASP Mobile Top Ten 2015. It is strictly meant for testing purposes. Members who would like to 'own' particular elements in the category below should 'sign up' and add content where appropriate.<br />
<br />
==Insecure Data Transmission==<br />
<br />
===Generic Label===<br />
Owner(s): Jonathan Carter<br />
<br />
===Audience-Specific Labels===<br />
Owner(s): Jonathan Carter<br />
<br />
===Overview Text===<br />
Owner(s):<br />
<br />
===Prominent Characteristics===<br />
Owner(s):<br />
<br />
===Risk===<br />
Owner(s): Raj Singh<br />
<br />
===Examples===<br />
Owner(s): Adam Kliarsky<br />
<br />
===Audience-Specific Guidance===<br />
Owner(s): Andi Pannell<br />
<br />
=Top Ten Scratchpad=<br />
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.<br />
<br />
==M1: Weak Server Side Controls ==<br />
Stuff<br />
<br />
==M2: Insecure Data Storage ==<br />
(Jason) As i look through the data I think more and more about how m2 and m4 might be combined.<br />
<br />
==M3: Insufficient Transport Layer Protection ==<br />
Stuff<br />
<br />
==M4: Unintended Data Leakage ==<br />
<br />
Stuff<br />
==M5: Poor Authorization and Authentication ==<br />
<br />
Stuff<br />
==M6: Broken Cryptography ==<br />
<br />
Stuff<br />
==M7: Client Side Injection ==<br />
<br />
Stuff<br />
==M8: Security Decisions Via Untrusted Inputs ==<br />
<br />
Stuff<br />
==M9: Improper Session Handling ==<br />
<br />
Stuff<br />
==M10: Lack of Binary Protections ==<br />
<br />
(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.</div>Andipannellhttps://wiki.owasp.org/index.php?title=Mobile_Top_10_2014-M10&diff=191778Mobile Top 10 2014-M102015-03-19T18:07:38Z<p>Andipannell: added dex2jar reversing for Android</p>
<hr />
<div><center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center><br />
{{Top_10_2010:SubsectionColoredTemplate|<center>Lack of Binary Protections</center>||year=2014}}<br />
<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}<br />
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|Medium}}<br />
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|Common}}<br />
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|Easy}}<br />
{{Top_10_2010:SummaryTableValue-1-Template|Impact|Severe}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Typically, an adversary will analyze and reverse engineer a mobile app's code, then modify it to perform some hidden functionality.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>An adversary will use an automated tool to reverse engineer the code and modify it using malware to perform some hidden functionality.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>'''Prevalence'''<br />
A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary in rapid fashion. However, an application with binary protection can still be reversed by a dedicated adversary and therefor binary protection is not a perfect security solution. At the end of the day, binary protection only slows down a security review. <br />
<br />
It is extremely common for apps to be deployed without binary protection. The prevalence has been extensively studied by a large number of security vendors, analysts, and researchers <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup> <sup>&#91;[[#ReferenceItem2|2]]&#93;</sup> <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem17|17]]&#93;</sup>.<br />
<br />
'''Detectability'''<br />
<br />
It is difficult to detect that an adversary has reverse engineered an app’s code. Typically, the app owner will realize reverse engineering was successful when the code shows up in another app in iTunes <sup>&#91;[[#ReferenceItem4|4]]&#93;</sup>, Google Play <sup>&#91;[[#ReferenceItem5|5]]&#93;</sup> <sup>&#91;[[#ReferenceItem16|16]]&#93;</sup>, or a third-party app store <sup>&#91;[[#ReferenceItem6|6]]&#93;</sup>. Usually, the owner discovers this by accident and not through active policing by an app store.<br />
<br />
There are many different viable solutions to detect code modification at runtime and respond accordingly. At runtime, mobile apps should be enabled to detect if a runtime modification / injection has occurred and react in a number of different ways. Pre-determined reactions of the apps will vary from either attempting to thwart the attack or fail in a subtle way <sup>&#91;[[#ReferenceItem7|7]]&#93;</sup>.<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>The majority of mobile apps do not prevent an adversary from successfully analyzing, reverse engineering or modifying the app’s binary code <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup>. Organizations should apply binary protections to a mobile app under a few different circumstances:<br />
<br />
'''Analysis and Reverse Engineering'''<br />
<br />
Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering code within the mobile app. All too often, the adversary will steal code and recycle it within another app for resell <sup>&#91;[[#ReferenceItem16|16]]&#93;</sup>. The app owner is often unaware that the app has been repurposed and sold elsewhere unless they utilize some form of appstore monitoring service or similar. If there is a likely chance that this may occur, the owner should consider binary protections to the app. But be warned, this protection only slows an attacker from reverse engineering. It does not prevent an attacker from doing so.<br />
<br />
'''Unauthorized Code Modification'''<br />
<br />
Binary protections slow an adversary from modifying the underlying code or behavior to disable or add additional functionality on behalf of the adversary. This is likely to occur if the app stores, transmits, or processes personally identifiable information (PII) or other sensitive information assets like passwords or credit cards. Code modification often takes the form of repackaging or insertion of malware into existing mobile apps <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem18|18]]&#93;</sup>.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Typically, a lack of binary protection will result in the following business impacts:<br />
<br />
* Privacy Related and Confidential Data Theft;<br />
* Unauthorized Access and Fraud;<br />
* Brand and Trust Damage;<br />
* Revenue Loss and Piracy;<br />
* Intellectual Property Theft;<br />
* User Experience Compromise.<br />
<br />
Many different analysts have provided policy guidance around minimizing this risk <sup>&#91;[[#ReferenceItem8|8]]&#93;</sup> <sup>&#91;[[#ReferenceItem9|9]]&#93;</sup> <sup>&#91;[[#ReferenceItem10|10]]&#93;</sup> <sup>&#91;[[#ReferenceItem11|11]]&#93;</sup> <sup>&#91;[[#ReferenceItem12|12]]&#93;</sup>.<br />
<br />
</td><br />
<br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate|Am I Vulnerable to Lack of Binary Protections?||year=2014}}<br />
<br />
If you are hosting code in an untrustworthy environment, you are susceptible to this risk <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup> <sup>&#91;[[#ReferenceItem2|2]]&#93;</sup> <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem17|17]]&#93;</sup>. An untrustworthy environment is defined as an environment in which the organization does not have physical control. This includes mobile clients, firmware in appliances, cloud spaces, or datacenters within particular countries.<br />
<br />
If you answer yes to any of these questions, you are vulnerable to a binary attack:<br />
<br />
:* Can someone code-decrypt this app (iPhone specific) using an automated tool like ClutchMod or manually using GDB? <br />
<br />
:* Can someone reverse engineer this app (Android specific) using an automated tool like dex2jar?<br />
<br />
:* Can someone use an automated tool like Hopper or IDA Pro to easily visualize the control-flow and pseudo-code of this app?<br />
<br />
:* Can someone modify the app’s presentation layer (HTML/JS/CSS) of this app within the phone and execute modified JavaScript?<br />
<br />
:* Can someone modify the app’s binary executable using a hex editor to get it to bypass a security control?<br />
<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate|How Do I Prevent Lack of Binary Protections?||year=2014}}<br />
<br />
First, the application must follow secure coding techniques for the following security components within the mobile app:<br />
<br />
:* Jailbreak Detection Controls;<br />
:* Checksum Controls;<br />
:* Certificate Pinning Controls;<br />
:* Debugger Detection Controls.<br />
<br />
Next, the app must adequately mitigate two different technical risks that the above controls are exposed to:<br />
<br />
:# The organization building the app must adequately prevent an adversary from analyzing and reverse engineering the app using static or dynamic analysis techniques;<br />
:# The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation.<br />
<br />
The remediation strategies for these types of risks are outlined in more technical detail within the [https://www.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering_and_Unauthorized_Code_Modification OWASP Reverse Engineering and Code Modification Prevention Project].<br />
<br />
'''Android Specific Best Practices:'''<br />
<br />
'''Android Root Detection'''<br />
<br />
There are a few common ways to detect a rooted Android device:<br><br />
Check for test-keys<br />
:* Check to see if <tt>build.prop</tt> includes the line ''ro.build.tags=test-keys'' indicating a developer build or unofficial ROM<br />
Check for OTA certificates<br />
:* Check to see if the file ''/etc/security/otacerts.zip'' exists<br />
Check for several known rooted apk's<br />
:* com.noshufou.android.su<br />
:* com.thirdparty.superuser<br />
:* eu.chainfire.supersu<br />
:* com.koushikdutta.superuser<br />
Check for SU binaries<br />
:* <tt>/system/bin/su</tt><br />
:* <tt>/system/xbin/su</tt><br />
:* <tt>/sbin/su</tt><br />
:* <tt>/system/su</tt><br />
:* <tt>/system/bin/.ext/.su</tt><br />
Attempt SU command directly<br />
:* Attempt the to run the command <tt>su</tt> and check the id of the current user, if it returns 0 then the su command has been successful<br />
<br />
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=3|risk=7}}<br />
This section outlines typical app vulnerabilities that result from a lack of binary protection. Items within parenthesis indicate examples of tools you can use to test for these vulnerabilities.<br />
<br />
==iOS Apps==<br />
<br />
:* Disabling Code Encryption (''ClutchMod'');<br />
:* Jailbreak Detection Evasion (''xcon'');<br />
:* Class Dumping (''class-dump-z'');<br />
:* Method Swizzling (''Mobile Substrate'');<br />
:* Runtime Code Injection (''cycript'');<br />
:* Runtime Monitoring (''Snoop-It'');<br />
:* Runtime Analysis (''GDB''); and<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]; Hopper'').<br />
<br />
== Android Apps==<br />
<br />
:* Bytecode Conversion (''apktool; dex2jar'');<br />
:* Runtime Analysis (''ADB'');<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]; Hopper'');<br />
:* Disassembly (''baksmali'') and<br />
:* Code Injection (''Mobile Substrate'').<br />
<br />
== Windows Phone Apps==<br />
<br />
:* .NET Decompiler (''[https://www.jetbrains.com/decompiler/ JetBrains dotPeak]; [http://ilspy.net/ ILSpy]; [http://www.red-gate.com/products/dotnet-development/reflector/ RedGate .NET Reflector] '');<br />
:* Runtime Analysis (''[https://github.com/andreycha/tangerine Tangerine]; [https://github.com/sensepost/xapspy XAPSpy]'');<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]'');<br />
:* Disassembly (''[https://msdn.microsoft.com/en-us/library/f7dy01k1%28v=vs.110%29.aspx MSIL Disassembler (Ildasm.exe)]'') and<br />
<br />
<br />
There are many well-established security experts within the mobile space that have written books on the topic of binary protection testing <sup>&#91;[[#ReferenceItem13|13]]&#93;</sup> <sup>&#91;[[#ReferenceItem14|14]]&#93;</sup> <sup>&#91;[[#ReferenceItem15|15]]&#93;</sup>.<br />
<br />
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=7}}<br />
<span id="ReferenceItem1">[1] Arxan Research: [https://www.arxan.com/assets/1/7/State_of_Security_in_the_App_Economy_Report_Vol._2.pdf State of Security in the App Economy, Volume 2], November 2013:<br />
:''“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”''</span><br />
<span id="ReferenceItem2">[2] HP Research: [http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.UuwZFPZvDi5 HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack], 18 November 2013:<br />
:''"86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception."''</span><br />
<span id="ReferenceItem3">[3] North Carolina State University: [http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution], 7 September 2011:<br />
:''“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”''</span><br />
<span id="ReferenceItem4">[4] Tech Hive: [http://www.techhive.com/article/249310/apple_pulls_ripoff_apps_from_its_walled_garden.html Apple Pulls Ripoff Apps from its Walled Garden]Feb 4th, 2012:<br />
:''“While Apple is known for screening apps before they are allowed to sprout up in its walled garden, clearly fake apps do get in. Once they do, getting them out depends on developers who raise a fuss.”''</span><br />
<span id="ReferenceItem5">[5] Tech Crunch: [http://techcrunch.com/2014/01/02/developer-spams-google-play-with-ripoffs-of-well-known-apps-again/ Developer Spams Google Play With RipOffs of Well-Known Apps… Again], January 2 2014:<br />
:''“It’s not uncommon to search the Google Play app store and find a number of knock-off or “fake” apps aiming to trick unsuspecting searchers into downloading them over the real thing.”''</span><br />
<span id="ReferenceItem6">[6] Extreme Tech: [http://www.extremetech.com/mobile/153849-chinese-app-store-offers-pirated-ios-apps-without-the-need-to-jailbreak Chinese App Store Offers Pirated iOS Apps Without the Need To Jailbreak], April 19 2013:<br />
:''“The site offers apps for free that would otherwise cost money, including big-name titles.”''</span><br />
<span id="ReferenceItem7">[7] OWASP: [https://www.owasp.org/index.php/Architectural_Principles_That_Prevent_Code_Modification_or_Reverse_Engineering Architectural Principles That Prevent Code Modification or Reverse Engineering], January 11th 2014.</span><br />
<br />
<span id="ReferenceItem8">[8] Gartner report: Avoiding Mobile App Development Security Pitfalls, 24 May 2013:<br />
:''"For critical applications, such as transactional ones and sensitive enterprise applications, hardening should be used."''</span><br />
<span id="ReferenceItem9">[9] Gartner report: Emerging Technology Analysis: Mobile Application Shielding, March 26th, 2013:<br />
:''"As more regulated and sensitive data applications move to mobile platforms the need to increase data protection increases. Mobile application shielding presents the opportunity to security providers to offer higher data protection standards to mobile platforms that exceed mobile OS security."''</span><br />
<span id="ReferenceItem10">[10] Gartner report: Proliferating Mobile Transaction Attack Vectors and What to Do About Them, March 1st, 2013:<br />
:''"Use mobile application security testing services and self-defending application utilities to help prevent hacking attempts."''</span><br />
<span id="ReferenceItem11">[11] Gartner report: Select a Secure Mobile Wallet for Proximity, March 1st, 2013:<br />
:''"Application hardening can fortify sensitive business code against hacking attempts, such as reverse engineering”''</span><br />
<span id="ReferenceItem12">[12] Forrester paper: Choose The Right Mobile Development Solutions For Your Organization, May 6th 2013:<br />
:''“5 Key Protections: Data Protection, App Compliance, App-Level Threat Defense, Security Policy Enforcement, App Integrity”''</span><br />
<br />
<span id="ReferenceItem13">[13] John Wiley and Sons, Inc: [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 iOS Hacker's Handbook], Published May 2012, ISBN 1118204123.</span><br />
<br />
<span id="ReferenceItem14">[14] McGraw Hill Education: [http://mobilehackingexposed.com/ Mobile Hacking Exposed], Published July 2013, ISBN 0071817018.</span><br />
<br />
<span id="ReferenceItem15">[15] Publisher Unannounced: [http://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X Android Hacker's Handbook], To Be Published April 2014.</span><br />
<br />
<span id="ReferenceItem16">[16] Software Development Times: [http://sdt.bz/66393#ixzz2sHa7dFMp More than 5,000 apps in the Google Play Store are copied APKs, or 'thief-ware'], November 20 2013:<br />
:''“In most cases, the 2,140 copycat developers that were found reassembled the apps almost identically, adding new advertising SDKs to siphon profits away from the original developers.''</span><br />
<br />
<span id="ReferenceItem17">[17] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36376/two-thirds-of-personal-banking-apps-found-full-of-vulnerabilities/ Two Thirds of Personal Banking Apps Found Full of Vulnerabilities], January 3 2014:<br />
:''“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”''</span><br />
<br />
<span id="ReferenceItem18">[18] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36686/mobile-malware-infects-millions-lte-spurs-growth/ Mobile Malware Infects Millions; LTE Spurs Growth], January 29 2014:<br />
:''"Number of mobile malware samples is growing at a rapid clip, increasing by 20-fold in 2013... It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application"''</span></div>Andipannellhttps://wiki.owasp.org/index.php?title=Mobile_Top_10_2014-M10&diff=191777Mobile Top 10 2014-M102015-03-19T17:51:56Z<p>Andipannell: </p>
<hr />
<div><center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center><br />
{{Top_10_2010:SubsectionColoredTemplate|<center>Lack of Binary Protections</center>||year=2014}}<br />
<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}<br />
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|Medium}}<br />
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|Common}}<br />
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|Easy}}<br />
{{Top_10_2010:SummaryTableValue-1-Template|Impact|Severe}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Typically, an adversary will analyze and reverse engineer a mobile app's code, then modify it to perform some hidden functionality.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>An adversary will use an automated tool to reverse engineer the code and modify it using malware to perform some hidden functionality.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>'''Prevalence'''<br />
A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary in rapid fashion. However, an application with binary protection can still be reversed by a dedicated adversary and therefor binary protection is not a perfect security solution. At the end of the day, binary protection only slows down a security review. <br />
<br />
It is extremely common for apps to be deployed without binary protection. The prevalence has been extensively studied by a large number of security vendors, analysts, and researchers <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup> <sup>&#91;[[#ReferenceItem2|2]]&#93;</sup> <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem17|17]]&#93;</sup>.<br />
<br />
'''Detectability'''<br />
<br />
It is difficult to detect that an adversary has reverse engineered an app’s code. Typically, the app owner will realize reverse engineering was successful when the code shows up in another app in iTunes <sup>&#91;[[#ReferenceItem4|4]]&#93;</sup>, Google Play <sup>&#91;[[#ReferenceItem5|5]]&#93;</sup> <sup>&#91;[[#ReferenceItem16|16]]&#93;</sup>, or a third-party app store <sup>&#91;[[#ReferenceItem6|6]]&#93;</sup>. Usually, the owner discovers this by accident and not through active policing by an app store.<br />
<br />
There are many different viable solutions to detect code modification at runtime and respond accordingly. At runtime, mobile apps should be enabled to detect if a runtime modification / injection has occurred and react in a number of different ways. Pre-determined reactions of the apps will vary from either attempting to thwart the attack or fail in a subtle way <sup>&#91;[[#ReferenceItem7|7]]&#93;</sup>.<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>The majority of mobile apps do not prevent an adversary from successfully analyzing, reverse engineering or modifying the app’s binary code <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup>. Organizations should apply binary protections to a mobile app under a few different circumstances:<br />
<br />
'''Analysis and Reverse Engineering'''<br />
<br />
Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering code within the mobile app. All too often, the adversary will steal code and recycle it within another app for resell <sup>&#91;[[#ReferenceItem16|16]]&#93;</sup>. The app owner is often unaware that the app has been repurposed and sold elsewhere unless they utilize some form of appstore monitoring service or similar. If there is a likely chance that this may occur, the owner should consider binary protections to the app. But be warned, this protection only slows an attacker from reverse engineering. It does not prevent an attacker from doing so.<br />
<br />
'''Unauthorized Code Modification'''<br />
<br />
Binary protections slow an adversary from modifying the underlying code or behavior to disable or add additional functionality on behalf of the adversary. This is likely to occur if the app stores, transmits, or processes personally identifiable information (PII) or other sensitive information assets like passwords or credit cards. Code modification often takes the form of repackaging or insertion of malware into existing mobile apps <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem18|18]]&#93;</sup>.<br />
<br />
</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Typically, a lack of binary protection will result in the following business impacts:<br />
<br />
* Privacy Related and Confidential Data Theft;<br />
* Unauthorized Access and Fraud;<br />
* Brand and Trust Damage;<br />
* Revenue Loss and Piracy;<br />
* Intellectual Property Theft;<br />
* User Experience Compromise.<br />
<br />
Many different analysts have provided policy guidance around minimizing this risk <sup>&#91;[[#ReferenceItem8|8]]&#93;</sup> <sup>&#91;[[#ReferenceItem9|9]]&#93;</sup> <sup>&#91;[[#ReferenceItem10|10]]&#93;</sup> <sup>&#91;[[#ReferenceItem11|11]]&#93;</sup> <sup>&#91;[[#ReferenceItem12|12]]&#93;</sup>.<br />
<br />
</td><br />
<br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate|Am I Vulnerable to Lack of Binary Protections?||year=2014}}<br />
<br />
If you are hosting code in an untrustworthy environment, you are susceptible to this risk <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup> <sup>&#91;[[#ReferenceItem2|2]]&#93;</sup> <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem17|17]]&#93;</sup>. An untrustworthy environment is defined as an environment in which the organization does not have physical control. This includes mobile clients, firmware in appliances, cloud spaces, or datacenters within particular countries.<br />
<br />
If you answer yes to any of these questions, you are vulnerable to a binary attack:<br />
<br />
:* Can someone code-decrypt this app (iPhone specific) using an automated tool like ClutchMod or manually using GDB?<br />
<br />
:* Can someone use an automated tool like Hopper or IDA Pro to easily visualize the control-flow and pseudo-code of this app?<br />
<br />
:* Can someone modify the app’s presentation layer (HTML/JS/CSS) of this app within the phone and execute modified JavaScript?<br />
<br />
:* Can someone modify the app’s binary executable using a hex editor to get it to bypass a security control?<br />
<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate|How Do I Prevent Lack of Binary Protections?||year=2014}}<br />
<br />
First, the application must follow secure coding techniques for the following security components within the mobile app:<br />
<br />
:* Jailbreak Detection Controls;<br />
:* Checksum Controls;<br />
:* Certificate Pinning Controls;<br />
:* Debugger Detection Controls.<br />
<br />
Next, the app must adequately mitigate two different technical risks that the above controls are exposed to:<br />
<br />
:# The organization building the app must adequately prevent an adversary from analyzing and reverse engineering the app using static or dynamic analysis techniques;<br />
:# The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation.<br />
<br />
The remediation strategies for these types of risks are outlined in more technical detail within the [https://www.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering_and_Unauthorized_Code_Modification OWASP Reverse Engineering and Code Modification Prevention Project].<br />
<br />
'''Android Specific Best Practices:'''<br />
<br />
'''Android Root Detection'''<br />
<br />
There are a few common ways to detect a rooted Android device:<br><br />
Check for test-keys<br />
:* Check to see if <tt>build.prop</tt> includes the line ''ro.build.tags=test-keys'' indicating a developer build or unofficial ROM<br />
Check for OTA certificates<br />
:* Check to see if the file ''/etc/security/otacerts.zip'' exists<br />
Check for several known rooted apk's<br />
:* com.noshufou.android.su<br />
:* com.thirdparty.superuser<br />
:* eu.chainfire.supersu<br />
:* com.koushikdutta.superuser<br />
Check for SU binaries<br />
:* <tt>/system/bin/su</tt><br />
:* <tt>/system/xbin/su</tt><br />
:* <tt>/sbin/su</tt><br />
:* <tt>/system/su</tt><br />
:* <tt>/system/bin/.ext/.su</tt><br />
Attempt SU command directly<br />
:* Attempt the to run the command <tt>su</tt> and check the id of the current user, if it returns 0 then the su command has been successful<br />
<br />
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=3|risk=7}}<br />
This section outlines typical app vulnerabilities that result from a lack of binary protection. Items within parenthesis indicate examples of tools you can use to test for these vulnerabilities.<br />
<br />
==iOS Apps==<br />
<br />
:* Disabling Code Encryption (''ClutchMod'');<br />
:* Jailbreak Detection Evasion (''xcon'');<br />
:* Class Dumping (''class-dump-z'');<br />
:* Method Swizzling (''Mobile Substrate'');<br />
:* Runtime Code Injection (''cycript'');<br />
:* Runtime Monitoring (''Snoop-It'');<br />
:* Runtime Analysis (''GDB''); and<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]; Hopper'').<br />
<br />
== Android Apps==<br />
<br />
:* Bytecode Conversion (''apktool; dex2jar'');<br />
:* Runtime Analysis (''ADB'');<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]; Hopper'');<br />
:* Disassembly (''baksmali'') and<br />
:* Code Injection (''Mobile Substrate'').<br />
<br />
== Windows Phone Apps==<br />
<br />
:* .NET Decompiler (''[https://www.jetbrains.com/decompiler/ JetBrains dotPeak]; [http://ilspy.net/ ILSpy]; [http://www.red-gate.com/products/dotnet-development/reflector/ RedGate .NET Reflector] '');<br />
:* Runtime Analysis (''[https://github.com/andreycha/tangerine Tangerine]; [https://github.com/sensepost/xapspy XAPSpy]'');<br />
:* Reverse Engineering (''[https://www.hex-rays.com/products/ida/ IDA Pro]'');<br />
:* Disassembly (''[https://msdn.microsoft.com/en-us/library/f7dy01k1%28v=vs.110%29.aspx MSIL Disassembler (Ildasm.exe)]'') and<br />
<br />
<br />
There are many well-established security experts within the mobile space that have written books on the topic of binary protection testing <sup>&#91;[[#ReferenceItem13|13]]&#93;</sup> <sup>&#91;[[#ReferenceItem14|14]]&#93;</sup> <sup>&#91;[[#ReferenceItem15|15]]&#93;</sup>.<br />
<br />
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=7}}<br />
<span id="ReferenceItem1">[1] Arxan Research: [https://www.arxan.com/assets/1/7/State_of_Security_in_the_App_Economy_Report_Vol._2.pdf State of Security in the App Economy, Volume 2], November 2013:<br />
:''“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”''</span><br />
<span id="ReferenceItem2">[2] HP Research: [http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.UuwZFPZvDi5 HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack], 18 November 2013:<br />
:''"86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception."''</span><br />
<span id="ReferenceItem3">[3] North Carolina State University: [http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution], 7 September 2011:<br />
:''“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”''</span><br />
<span id="ReferenceItem4">[4] Tech Hive: [http://www.techhive.com/article/249310/apple_pulls_ripoff_apps_from_its_walled_garden.html Apple Pulls Ripoff Apps from its Walled Garden]Feb 4th, 2012:<br />
:''“While Apple is known for screening apps before they are allowed to sprout up in its walled garden, clearly fake apps do get in. Once they do, getting them out depends on developers who raise a fuss.”''</span><br />
<span id="ReferenceItem5">[5] Tech Crunch: [http://techcrunch.com/2014/01/02/developer-spams-google-play-with-ripoffs-of-well-known-apps-again/ Developer Spams Google Play With RipOffs of Well-Known Apps… Again], January 2 2014:<br />
:''“It’s not uncommon to search the Google Play app store and find a number of knock-off or “fake” apps aiming to trick unsuspecting searchers into downloading them over the real thing.”''</span><br />
<span id="ReferenceItem6">[6] Extreme Tech: [http://www.extremetech.com/mobile/153849-chinese-app-store-offers-pirated-ios-apps-without-the-need-to-jailbreak Chinese App Store Offers Pirated iOS Apps Without the Need To Jailbreak], April 19 2013:<br />
:''“The site offers apps for free that would otherwise cost money, including big-name titles.”''</span><br />
<span id="ReferenceItem7">[7] OWASP: [https://www.owasp.org/index.php/Architectural_Principles_That_Prevent_Code_Modification_or_Reverse_Engineering Architectural Principles That Prevent Code Modification or Reverse Engineering], January 11th 2014.</span><br />
<br />
<span id="ReferenceItem8">[8] Gartner report: Avoiding Mobile App Development Security Pitfalls, 24 May 2013:<br />
:''"For critical applications, such as transactional ones and sensitive enterprise applications, hardening should be used."''</span><br />
<span id="ReferenceItem9">[9] Gartner report: Emerging Technology Analysis: Mobile Application Shielding, March 26th, 2013:<br />
:''"As more regulated and sensitive data applications move to mobile platforms the need to increase data protection increases. Mobile application shielding presents the opportunity to security providers to offer higher data protection standards to mobile platforms that exceed mobile OS security."''</span><br />
<span id="ReferenceItem10">[10] Gartner report: Proliferating Mobile Transaction Attack Vectors and What to Do About Them, March 1st, 2013:<br />
:''"Use mobile application security testing services and self-defending application utilities to help prevent hacking attempts."''</span><br />
<span id="ReferenceItem11">[11] Gartner report: Select a Secure Mobile Wallet for Proximity, March 1st, 2013:<br />
:''"Application hardening can fortify sensitive business code against hacking attempts, such as reverse engineering”''</span><br />
<span id="ReferenceItem12">[12] Forrester paper: Choose The Right Mobile Development Solutions For Your Organization, May 6th 2013:<br />
:''“5 Key Protections: Data Protection, App Compliance, App-Level Threat Defense, Security Policy Enforcement, App Integrity”''</span><br />
<br />
<span id="ReferenceItem13">[13] John Wiley and Sons, Inc: [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 iOS Hacker's Handbook], Published May 2012, ISBN 1118204123.</span><br />
<br />
<span id="ReferenceItem14">[14] McGraw Hill Education: [http://mobilehackingexposed.com/ Mobile Hacking Exposed], Published July 2013, ISBN 0071817018.</span><br />
<br />
<span id="ReferenceItem15">[15] Publisher Unannounced: [http://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X Android Hacker's Handbook], To Be Published April 2014.</span><br />
<br />
<span id="ReferenceItem16">[16] Software Development Times: [http://sdt.bz/66393#ixzz2sHa7dFMp More than 5,000 apps in the Google Play Store are copied APKs, or 'thief-ware'], November 20 2013:<br />
:''“In most cases, the 2,140 copycat developers that were found reassembled the apps almost identically, adding new advertising SDKs to siphon profits away from the original developers.''</span><br />
<br />
<span id="ReferenceItem17">[17] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36376/two-thirds-of-personal-banking-apps-found-full-of-vulnerabilities/ Two Thirds of Personal Banking Apps Found Full of Vulnerabilities], January 3 2014:<br />
:''“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”''</span><br />
<br />
<span id="ReferenceItem18">[18] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36686/mobile-malware-infects-millions-lte-spurs-growth/ Mobile Malware Infects Millions; LTE Spurs Growth], January 29 2014:<br />
:''"Number of mobile malware samples is growing at a rapid clip, increasing by 20-fold in 2013... It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application"''</span></div>Andipannell