OWASP - User contributions [en]

Turkey

2012-06-04T10:25:50Z

Bedirhan: /* Application Security Day, İstanbul 2012, Conference */

<center>[[File:Owasptr.png]] </center>

==== About OWASP/TR ====

{{Chapter Template|chaptername=Turkey|extra=The chapter leader is [mailto:bunyamindemir~gmail.com Bunyamin Demir], Co-leader is [mailto:urgunb~hotmail.com Bedirhan Urgun]

Board Members: [mailto:ferruh~mavituna.com Ferruh Mavituna], [mailto:mesut_timur~hotmail.com Mesut Timur], [mailto:contact~onuryilmaz.info Onur Yılmaz], [mailto:eitatli@gmail.com Emin Islam Tatli]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-turkey|emailarchives=http://lists.owasp.org/pipermail/owasp-turkey}}

<paypal>Turkey</paypal>

== Chapter Brochure ==

[http://www.webguvenligi.org/docs/WGT_brosur.pdf Here you can view a brochure] explaining in Turkish the action highlights of OWASP/Türkiye during the last one and a half year [obsolete for over two years].

== Application Security Day, İstanbul 2012, Conference ==
[http://www.appsectr.org/ Application Security Day, İstanbul 2012] will be held on 9 June, Saturday, in Marmara Üniversitesi Rektörlük Binası, Sultanahmet, İstanbul.
The event aims to present an environment where key and popular application security topics will be discussed and shared. Hundreds of developers, business owners and security practitioners will be ready to increase local application security awareness. Join us!

== Local News ==
Conference

[http://www.appsectr.org/ Application Security Day, İstanbul 2012] will be held on 9 June, Saturday, in Marmara Üniversitesi Rektörlük Binası, Sultanahmet, İstanbul.

Published

[http://www.webguvenligi.org/dokuman/web-uygulama-guvenligi-kontrol-listesi-2012.html Web App Security Check List 2012 in Turkish].

== Projects/Tools/Translations ==

Here are some of the projects produced by OWASP/Türkiye;

* [http://code.google.com/p/droidalert/ DroidAlert] by Bedirhan Urgun

A proactive approach on finding fake android applications on some of the biggest android stores. Just enter a term, and droidalert searches it for you in android stores.

* [http://code.google.com/p/chiasma/ Chiasma] by Bedirhan Urgun

Instead of having a structured penetration test report (docx, pdf, html v.b.) from 3rd parties, why not getting them produce a semi-structured report (xml) that is understood well. Chiasma is a Java desktop application producing XML vulnerability report.

* [http://www.webguvenligi.org/docs/web_uygulama_guvenligi_kontrol_listesi_2010.pdf Web Uygulama Güvenliği Kontrol Listesi 2010- WebAppSec Checklist] by OWASP-Turkey

A complete set of controls related to security of web applications.

* [http://code.google.com/p/piknik/ Piknik] by Bedirhan Urgun

A compilation of a study on analyzing the possible behavior of a malicious developer...Inspired by [http://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf Jeff Williams's Work]

* [http://code.google.com/p/finddomains/ FindDomains] by Mesut Timur

FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers dealing with discovering domain names/web sites/virtual hosts which are located on too many IP addresses.

* [http://dergi.webguvenligi.org/ WGT E-Magazine] by OWASP/TR and Onur Yilmaz

An online web security related magazine in Turkish with a 2 months per-issue period

* [http://ctf.webguvenligi.org/ CTF contest] by Onur Yilmaz

A CTF contest where researchers, professionals and hackers can show off their skills in an ethical way

* [http://code.google.com/p/jarvinen Jarvinen] by Gökhan Alkan & Yusuf Çeri & Bedirhan Urgun

A simple yet effective web based audit log monitoring service for Modsecurity v2. It consists of two basic parts; a (bash) shell script that parses serial logs into the mysql database and a php web application.

* [http://code.google.com/p/cammp CAMMP] by Gökhan Alkan

Aims to provide (bash) shell scripts in order to automatize the source code installations of apache (php and modsecurity) and mysql under chroot (for RedHat based systems for now).

* [http://code.google.com/p/secureimage SecureImage] by Mesut Timur & Bedirhan Urgun & Kerem Küsmezer

A Java,PHP and .NET based image validator that can be used for validating image files on upload systems (such as photo galleries,forums,etc ..) against the threats for XSS issues with IE and LFI attacks. Individual project pages; [http://code.google.com/p/psecureimage PSecureImage] for PHP, [http://code.google.com/p/jsecureimage JSecureImage] for Java and [http://www.codeplex.com/owaspturkey/Release/ProjectReleases.aspx?ReleaseId=18008 NSecureImage] for .NET

* [http://code.google.com/p/securetomcat SecureTomcat] by Bedirhan Urgun & Deniz Çevik & Gökhan Alkan

A collection of three components; an audit documentation in Turkish, a basic remote vulnerability scanner and an audit shell script fully aligned with the audit documentation. All for auditing and testing Apache Tomcat partial J2EE container.

* [http://code.google.com/p/webekci/ WeBekci] by Bünyamin Demir

WeBekci is a graphical user end for ModSecurity 2.x web application firewall.

* [http://www.webguvenligi.org/?page_id=16 Web Security Turkish Translation Project] by [http://www.webguvenligi.org/?page_id=16 great volunteers] & Bedirhan Urgun

Turkish translations of OWASP guides and other web application security related documents '''over 500 pages''' and counting

* [http://code.google.com/p/wivet/ WIVET] by Bedirhan Urgun

A benchmarking project that aims to statistically analyze web link extractors. It provides a good sum of input vectors to any extractor and presents the results. Check out the live app [http://www.webguvenligi.org/wivet/ here].

* [http://code.google.com/p/sqlibench/ SqliBench] by Mesut Timur & Bedirhan Urgun

SQLiBENCH is a benchmarking project of automatic sql injectors related to dumping databases. Check out the live app [http://www.webguvenligi.org/sqlibench/web/ here]. The project is sponsored by [http://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project OWASP SoC 08].

* [http://code.google.com/p/msalparser MSALParser] by Bedirhan Urgun

MSALParser (pronounced \mi-säl\) implements necessary parsers and model objects to represent a ModSecurity Single Audit Log, hence the name MSAL. MSALParser is a PHP RPC end that will get mlogc's calls and parses them into objects and eventually write to a persistent data store.

* [http://code.google.com/p/apachelive ApacheLive] by Bedirhan Urgun

ApacheLive (aka Haydar) project consists of a python script which was aimed to stress Apache web servers (httpd) using Keep-Alive parameters.

* [http://code.google.com/p/anticsurf AntiCsurf] by Mesut Timur

For most of the languages and frameworks, developers have to implement their own functions to defend against CSRF. AntiCsrf is a basic and light library for defending against CSRF for PHP applications.

* [http://code.google.com/p/fm-fsf FM-FSF] by Ferruh Mavituna

FSF is a plug-in based freakin' simple fuzzer for fuzzing web applications and scraping data. It supports some basic stuff and missing some features however it has got some advanced RegEx capturing features for scraping data out of web applications.

* [http://code.google.com/p/msalmobile MSALMobile] & [http://code.google.com/p/msalservice MSALService] by Bedirhan Urgun

MSALMobile, a basic windows mobile application and consuming MSALService, is a simple mobile ModSecurity log analyzer for Windows Mobile environment. See [http://www.webguvenligi.org/software/msalmobile/msalmobile_video.rar a video of MSALMobile in action] on www.webguvenligi.org.

* [http://www.webguvenligi.org/xsstb/reflected.php XSS TestBed] by Bedirhan Urgun

A playground for reflected xss test cases. The live project includes seven test cases ready to exploit. A legal and solid way to learn and apply xss skills. Moreover, a good way to test web application scanners on reflected xss testing...

* [http://www.webguvenligi.org/projeler/wcsa Web.config Security Analyzer] by Mesut Timur

Web.config file holds settings about related ASP.NET web application. This project analyzes a given Web.config file for security vulnerabilities with its 30+ checks. It's a command line too for now and produces a neat html based report.

== Translations ==

Çeviri projesine yardım etmek isteyen arkadaşlar, lütfen [mailto:bunyamindemir@gmail.com bunyamin] veya [mailto:urgunb@hotmail.com bedirhan] ''(proje lideri)'' ile iletişime geçiniz. Şu ana kadar yayınlanan çevirilere [http://www.webguvenligi.org/?page_id=16 buradan] ulaşabilirsiniz. ''You can find Turkish translations of OWASP and other web security related documents [http://www.webguvenligi.org/?page_id=16 here].''

==== Meetings/Conferences ====

== OWASP/TR Presentation in Android Developer Days 2012 in ODTU Ankara ==

Bedirhan Urgun of OWASP/TR will give a presentation on "Developing Secure Android Days" on 22 May from 15:30-16:00 in Android Developer Days, 2012. The presentation will take place in ODTU, Ankara.

Location: ODTÜ Kültür ve Kongre Merkezi, Ankara

Date: 22 May 2012, Tuesday

Time: 15:30 – 16:00

== OWASP/TR Presentation in ReadMee Internet Zirvesi, 2012 ==

Seyfullah Kılıç will give a presentation titled "Web Güvenliği ve Korunma Yolları" on 07 April Saturday from 14:00-14:45 in ReadMee Internet Zirvesi, 2012. The presentation will take place in Eskişehir Osmangazi Üniversitesi, Eskişehir.

Location: Eskişehir Osmangazi Üniversitesi Meşelik Kampüsü, Eskişehir

Date: 7 April 2012 Saturday

Time: 14:00 – 14:45

== OWASP/TR Presentation in Özgür Yazılım ve Linux Günleri, 2012 ==

Bünyamin Demir of OWASP/TR will give a presentation titled as "
Güvenli Kod Geliştirme" and will hold a chapter meeting "OWASP Türkiye Chapter Meeting (Çalışma Toplantısı)" on 31 March Saturday from 10:00-13:00 in Özgür Yazılım ve Linux Günleri, 2012. The presentations will take place in İstanbul Bilgi Üniversitesi Dolapdere Kampüsü, İstanbul.

Location: İstanbul Bilgi Üniversitesi Dolapdere Kampüsü, İstanbul

Date: 31 March 2012 Saturday

Time: 10:00 – 13:00

Location 1: 1. Salon
Location 2: Toplantı Salonu

== OWASP/TR Talk in Open Source Code Days in Yeditepe University ==

Bunyamin Demir talked about OWASP and OWASP/Turkey introduction. After intro, he did a presentation about [http://seminer.linux.org.tr/wp-content/uploads/guvenli_kod_gelistirme_ve_yasam_dongusu.ppt "Secure Coding and Chaotic Life Cycle"].

Location: Yeditepe University, 26 Agustos Yerlesimi, Salon 2

Date: 14 October 2011, Friday

Time: 15:00 – 15:45

== OWASP/TR Introductory Meetings and Seminar @ Bahçeşehir Üniversitesi, March 2010 ==

[http://www.shibumidojo.org/ Kubilay Onur Güngör] will start with OWASP and OWASP/Turkey introduction. After intro, cyber security concept, web application security, social theories of criminal behaviors and many other topics will be discussed. So don't miss the events if you're around.

Location: Bahçeşehir Üniversitesi, Beşiktaş Kampüsü, D-404 Salonu

Date: 10 Mart 2010 Çarşamba

Time: 18.30 – 19.30

== OWASP/TR Introductory Meetings and Seminar @ Işık Üniversitesi, March 2010 ==

[http://www.shibumidojo.org/ Kubilay Onur Güngör] will start with OWASP and OWASP/Turkey introduction. After intro, cyber security concept, web application security, social theories of criminal behaviors and many other topics will be discussed. So don't miss the events if you're around.

Location: Işık Üniversitesi, Şile Kampüsü
Registration: http://bilisimgunleri.isikun.edu.tr
Date: 8 Mart 2010 Pazartesi
Time: 15.00 - 16.00

== OWASP/TR Meeting in Turkcell Akademi with OISF Team, February 2010 ==

With 7 [http://www.openinfosecfoundation.org OISF] members we had our 23 February meeting. Brian [http://vimeo.com/9825055 talked about ModSecurity] and Victor & Will [http://vimeo.com/9825622 talked about Suricata ].

As always, check out the photos on [http://www.flickr.com/photos/webguvenligi flickr-webguvenligi]!!

Thanks to our sponsor for this meeting [http://www.guvenlikegitimleri.com GuvenlikEgitimleri.Com]

== OWASP/TR Seminar in İstanbul Kültür Universitesi, 29 December 2009 ==

We'll be hosting a free seminar in İstanbul Kültür Üniversitesi, Ataköy Kampüsü, Önder Öztunalı Konferans Salonu. Topics will include "introduction to OWASP/TR", "siber security", "security best practices and standards". It will also include a demo on digital investigation.

Presenter: [http://www.shibumidojo.org/ Kubilay Onur Güngör]

Date: Tuesday, December 29, 2009

Time: 12:00pm - 1:30pm

Location: İstanbul Kültür Üniersitesi, Ataköy Kampüsü, Önder Öztunalı Konferans Salonu

== October 11, 2009 OWASP/TR on the Green Field ==

Teams formed by OWASP-Turkey mailing list members will play a soccer match on Sunday, 18:00 October the 11th. We'll seek our Messis, Zidanes, Kakas, Lampards, Chechs stemmed from the Anatolian land... National team may not be qualified for the 2010 World Championship, which is a shame, but we'll do better next time.

== Artifacts - OWASP-Turkey Meeting in September 26, 2009 ==

30 people gathered for the OWASP/TR meeting. Here's the [http://www.webguvenligi.org/docs/26_Eylul_OWASPTR_Bulusma.ppt agenda of the meeting]. Moreover, Ibrahim Saruhan gave a [http://www.webguvenligi.org/docs/Facebook_Twitter_Botnets.ppt presentation] on his experiences writing a PoC Facebook botnet. Thanks everyone for participating.

See the [http://www.flickr.com/webguvenligi/ pictures] and listen to the DimDim [http://recp.dimdim.com/view/dimdim/1a9400f2-fbdb-102c-9515-003048642bd7 recording].

== September 26 Meeting ==

A regular meeting for anyone interested in web/software security. It will take place in Istanbul, Taksim at 14:00, on 26 September.

== Artifacts - 06 May/13 May 2009 OWASP-TR Talks in Kocaeli & Gazi Universities ==

Here are the presentations given by Bünyamin Demir and Onur Yılmaz at "Information Techonology Days" in [http://www.kocaeli.edu.tr/ Kocaeli University] and [http://www.gazi.edu.tr/ Gazi University], [http://www.webguvenligi.org/docs/kocaeli09owasptr.ppt OWASP-TR & WebGoat Presentation] and [http://www.webguvenligi.org/docs/gaziuni09owasptr.ppt Basic Web App Security Presentation] respectively.

Pictures are on [http://www.flickr.com/photos/webguvenligi flicker] as always.

== Web Application Security Talk in Gazi University, 13 May 2009 ==

We'll be giving a talk in "Information Days" event at Gazi University about code/sql injection attack vectors and prevention techniques on 13th (Wednesday) of May 2009, between 10:30-11:20.

Reach out the details [http://www.webguvenligi.org/haberler/web-uygulamalari-guvenligi-sunumu-gazi-universitesi.html here]

== OWASP-TR Seminar in Kocaeli University, 06 May 2009 ==

We'll be hosting a free seminar in Math. Department of Kocaeli University about OWASP and OWASP/Turkey including the basics of well known attack vectors and prevention techniques on 6th (Wednesday) of May 2009, starting from 15:30.

Reach out the details [http://www.webguvenligi.org/haberler/owasp-tr-ve-wgt-semineri-kocaeli-universitesi.html here]

== Artifacts - March 19 2009 OWASP-TR Talk in Sakarya University ==

Here are the presentations given by Bünyamin Demir and Gökhan Alkan at "Information Techonology Days" in [http://www.sau.edu.tr/ Sakarya University], [http://www.webguvenligi.org/sau_bilisim_gunleri09/sakarya_bilisim_gunleri.ppt OWASP-TR & WebGoat Presentation] and [http://www.webguvenligi.org/sau_bilisim_gunleri09/Recel_Krallagindan_Webe.ppt Jarvinen Presentation] respectively. We'd like to thank [http://www.bilisimk.sau.edu.tr/ Sakarya Universitesi Bilişim Kulubü] for inviting us.

And never the least, here are the [http://www.flickr.com/photos/webguvenligi pictures] taken during the day.

== Talk in Information Techonology Days '09 in Sakarya University ==

We'll be giving two talks in "Information Techonology Days" about OWASP and OWASP/Turkey in [http://www.sau.edu.tr/ Sakarya University] on 19th of March 2009. The talk will include an introduction to OWASP, OWASP/Turkey as a community. Plus, Jarvinen, an OWASP/TR project, will be presented.

== Artifacts - Fifth OWASP-Turkey Meeting in March 08, 2009 ==

We had close to 35 people gathered. Here's the [http://www.webguvenligi.org/docs/WGT_OWASP-TR_08_Mart_2009_Bulusmasi_Ajanda.pptx agenda of the meeting]. Moreover, Fatih Emiral gave a [http://www.webguvenligi.org/docs/Yazilim_Guvenligi.ppt presentation] comparing three main Software Security models. Thanks everyone for participating.

For the photos take a look at [http://www.flickr.com/photos/webguvenligi/ here].

== Fifth OWASP-Turkey Meeting in March 08, 2009 ==

A regular meeting on web/software security related issues&techniques&news. The meeting will take place in Istanbul, Maltepe, beween 13:00-15:00, on 08th of March, Sunday.
Here's the map for the [http://www.gencgirisimciler.org/bpi.asp?caid=161&cid=17 meeting place]
If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

== Artifacts - Web Security Days Kocaeli December 2008 ==

With over 50 attendees we had our 4th Web Security Days in Kocaeli University at Umuttepe Campus.

Presentations & SlideShows & Photos:
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_intro.ppt Giris] - Bedirhan Urgun
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_owasptr_wgt.ppt WGT/OWASPTR] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_www.ppt WWW Introduction] - Uğur Yıldız
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_csrf.ppt CSRF] - Yusuf Çeri
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_graphics.ppt Graphic Attacks] - Mesut Timur
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_chroot.ppt Secure Web Production Environments] - Gökhan Alkan
* [http://www.flickr.com/webguvenligi/ Pictures] - Bedirhan & Bünyamin
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_slideshow.ppt OWASP Top 10 Slide Show] - Bedirhan Urgun

== Next Event - 4th Web Security Days Kocaeli - December 23 (Turkey 2008) ==

This event will be the fourth of "Web Security Days" and will take place on 23rd of December 2008 in Kocaeli. The agenda of the event is [http://www.owasp.org/index.php/4th_Web_Security_Days_OWASP_Turkey here].

== Artifacts - Fourth OWASP-Turkey Meeting in October 18, 2008 ==

Here's the [http://www.webguvenligi.org/wp-content/uploads/2008/10/WGT&OWASP-TR_18_Ekim_2008_Bulusmasi_Ajanda.ppt agenda of the meeting]. We also had two small discussion and presentation of a simple demo overview of recent clickjacking vulnerability and [http://www.webguvenligi.org/wp-content/uploads/2008/10/sqlibench-presentation.ppt sqlibench SoC 2008 OWASP project]. Thanks everyone for participating.

Moreover, all of the OWASP sent books (~30)/pens(~15) were distributed freely!

For the photos take a look at [http://www.flickr.com/photos/webguvenligi/ here].

== Fourth OWASP-Turkey Meeting in October 18, 2008 ==

A catch up meeting on web/software security related issues&techniques&news. Moreover, OWASP sent goodies (to the most active chapters) will be distributed (This includes 27 OWASP books and 19 pens). It will take place in Istanbul, İstiklal Cad.Emir Nevruz Sok. No: 1/11 Galatasaray Beyoğlu beween 14:00-16:00, on 18th of October. If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

== Artifacts - June 21 2008 OWASP-TR Talk in "Free Software Conference" ==

Here is the presentation given by Mesut Timur and keynote submitted at [http://konferans.linux.org.tr/ "Free Software Conference"] in [http://www.etu.edu.tr/ TOBB University of Economics and Technology];
[http://www.webguvenligi.org/wp-content/uploads/2008/06/owasp_wgt_lkd_21062008.ppt OWASP-TR Presentation] and [http://www.webguvenligi.org/wp-content/uploads/2008/06/webguvenligi_bildiri_lkd_21062008.pdf Web Security and Free Software Keynote] (in Turkish) respectively.

== Talk in Free Software Conference in Ankara ==

We'll be giving a talk in "Free Software Conference" about OWASP and OWASP/Turkey in [http://www.etu.edu.tr/ TOBB University of Economics and Technology] on 21st (Saturday) of June 2008. The talk will include an introduction to OWASP, OWASP/Turkey, as well as web/application security projects achieved in Turkey.

The Day will start at 09:30 and our talk, which will be presented by [http://www.h-labs.org Mesut Timur], will be between 15.00-15.30. You can skim the programme [http://konferans.linux.org.tr/etkinlik-programi/ here].

== Artifacts - April 19 2008 OWASP-TR Talk in Yildiz Technical University ==

Here are the presentations given by Bünyamin Demir and Yusuf Çeri at "Open Source Code Day" in [http://www.yildiz.edu.tr/english Yildiz Technical University], [http://www.webguvenligi.org/wp-content/uploads/2008/04/owasp-wgt-ytu-19nisan08.ppt OWASP-TR Presentation] and [http://www.webguvenligi.org/wp-content/uploads/2008/04/sqlmapdemo-wgt-ytu-19nisan08.ppt SqlDemo Presentation] respectively. We'd like to thank YTÜ Bilişim Kulubü for inviting us.

And never the least, here are the [http://www.flickr.com/photos/webguvenligi/sets/72157604620396950/ pictures] taken during the day.

== Talk in Open Source Code Day in Yildiz Technical University ==

We'll be giving a talk in "Open Source Code Day" about OWASP and OWASP/Turkey in [http://www.yildiz.edu.tr/english Yildiz Technical University] on 19th of April 2008. The talk will include an introduction to OWASP, OWASP/Turkey, web/application security community in Turkey, the 1st OWASP Day video by Jeff and a live application insecurity demo.

The Day will start at 09:30 and our talk will be the last one before the noon.

== Artifacts - March 09 2008 Meeting ==

It was a nice Sunday in Istanbul and we had 16 people talking about SPoC 08, April OWASP Week and web application security in general. Here are the [http://www.flickr.com/photos/webguvenligi/sets/72157604077351886/ pictures] taken during the meeting.

== March 09 Meeting ==

A casual meeting for anyone interested in web/software security. It will take place in Istanbul, Kadikoy at 14:30, on 09 March. To chat and enjoy the [http://www.flickr.com/photos/jrogivue/21918611/ Bosphorus]!

== Artifacts - Web Security Days Ankara & İzmir November 2007 ==

Through a foggy, and therefore a hard flight, we've managed to realize Web Security Days 2 & 3 in Ankara and Izmir, respectively. Having a total of ~130 attendees (most of them in Izmir), we hope WSD to be traditional and become more qualitysome.

Presentations & Code & Photos:
* [http://www.webguvenligi.org/docs/ankara/init_ankara.ppt Giris] - Bedirhan Urgun
* [http://www.webguvenligi.org/docs/ankara/wgt.ppt WGT Giris] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/izmir/ulakcsirt.pdf ULAK-CSIRT Giris] - Enis Karaarslan
* [http://www.webguvenligi.org/docs/ankara/burak_sc.ppt Yazılım Geliştirme Sürecinde Güvenlik Testleri] - Burak Dayıoğlu
* [http://www.webguvenligi.org/docs/izmir/enis_web.ppt Kurumsal Web Güvenliği Yapısı] - Enis Karaarslan
* [http://www.webguvenligi.org/docs/izmir/tahsin_did.ppt Uygulamalarda Katmanlı Güvenlik Anlayışı] - Tahsin Türköz
* [http://www.webguvenligi.org/docs/izmir/oguzhan_php.ppt PHP ve Güvenli Kodlama] - Oğuzhan Yalçın
* [http://www.webguvenligi.org/docs/ankara/bunyamin_pl.ppt Perl'de Guvenlik Modulu] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/izmir/security_pm.rar Perl'de Guvenlik Modulu - Kod] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/ankara/bedirhan_js.ppt Web 2.0 Savunma Dili: Javascript] - Bedirhan Urgun
* [http://www.flickr.com/photos/webguvenligi/sets/72157603311164597/ Photos] - Bedirhan & Bünyamin

== Next Event - 3rd Web Security Days İzmir - November 26 (Turkey 2007) ==

This event will be the third of "Web Security Days" and will take place on 26th of November 2007 in İzmir. The agenda of the event is [https://www.owasp.org/index.php/3rd_Web_Security_Days_OWASP_Turkey here].

== Next Event - 2nd Web Security Days Ankara - November 24 (Turkey 2007) ==

This event will be the second of "Web Security Days" and will take place on 24th of November 2007 in Ankara.
The agenda of the event is [https://www.owasp.org/index.php/2nd_Web_Security_Days_OWASP_Turkey here].

== Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) ==

Presentations:

* [https://www.owasp.org/images/6/66/OWASP_DAY_TR.sub.ppt Turkish Subtitle] for [http://www.owasp.org/downloads/OWASP_Day.wmv Jeff's OWASP Day Intro movie] (delete .ppt extension)
* [https://www.owasp.org/images/b/bc/OWASP2007_KamudaPrivacy.ppt OWASP2007_KamudaPrivacy.ppt‎]
* [https://www.owasp.org/images/4/4b/Guvenli_Web_Uygulamalarinin_Gelistirilmesi2.ppt Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt]

Discussion Answers:

Q1.
What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1.
During the meeting an effort was made to clarify the meaning of privacy;
- what are the key items that builds up to "privacy"?
- are we talking about the privacy of real people or should we also include the privacy of legal entities?
- is there really a solid line (or even a vague line) between confidentiality and privacy?
We defined privacy as confidentiality of the data; be it of a real person or a legal entity.
But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions;
The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2.
Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2.
Most of the participants agreed that a law is a necessity.
But, maybe, more important thing is to raise the awareness of the customers.
Here we also had a discussion on the current status of the law on privacy? There are mainly three
documents on privacy in Turkish law;
* a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer)
* a draft law on privacy from Department of Justice, which is still in the process of approval
* a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the
European Parliament and of the Council" on the data retention. This law, however, still needs a few
directives, which are about to be published.

Q3.
Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3.
As a first step there should be an "agreement" presented to the user by the application side.
This wouldn't be enough so there should be regular inspections (a third eye) on these services.
About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer
was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts
dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is
a domain serving, founded by the victims of online banking crimes in Turkey.

Q4.
What should OWASP be focusing on?

A4.
As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui
on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5.
What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5.
Some suggestions;
. Printed booklets of Guide and Testing Guide.
. OWASP CD with shiny labels
. I'm afraid to say but... t-shirts

Q6.
Should OWASP organize such 'OWASP Weeks' every quarter?

A6.
OWASP should organize these events every 6 months or so :)

== Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) ==

As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event ([http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days]) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:

* 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR

* 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ
Chief Researcher CC Lab-UEKAE TUBITAK

* 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER
Chief Researcher PRO-G

* 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

== Last Event - 1st Web Security Days - July 14 (Turkey 2007) ==

First of the [http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days] has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

[http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey For details...]

== Last Meetings ==

'''Sunday 6 May 2007''' 
'''Time:''' 11:15-12:30 

'''Address''' to the meeting are:

[http://www.metu.edu.tr Middle East Technical University] 
Ankara-Turkey 
 

'''Presentation''' 

Web Application Security with ModSecurity and OWASP

__NOTOC__

<headertabs/>
[[Category:Middle East]]

2009-11-22T11:56:09Z

Bedirhan:

<center>[[File:Owasptr.png]] </center>

==== About OWASP/TR ====

{{Chapter Template|chaptername=Turkey|extra=The members are [mailto:bunyamindemir~gmail.com Bunyamin Demir], [mailto:gokhan.alkan~yahoo.com.tr Gökhan Alkan], [mailto:ferruh~mavituna.com Ferruh Mavituna], [mailto:mesut_timur~hotmail.com Mesut Timur], [mailto:yusufceri4~gmail.com Yusuf Çeri], [mailto:contact~onuryilmaz.info Onur Yılmaz], [mailto:urgunb~hotmail.com Bedirhan Urgun]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-turkey|emailarchives=http://lists.owasp.org/pipermail/owasp-turkey}}

<paypal>Turkey</paypal>

==== Local News/Brochure ====

== Local News ==

Two new projects from OWASP/TR;

* Capture The Flag contest now online at [http://ctf.webguvenligi.org/ http://ctf.webguvenligi.org/] with the courtesy of Onur Yilmaz. (Naturally ethical) successfull first two attackers will be rewarded by two security related books!

* [http://dergi.webguvenligi.org E-Magazine] web security magazine in Turkish, now online with its second issue!

== Chapter Brochure ==

[http://www.webguvenligi.org/docs/WGT_brosur.pdf Here you can view a brochure] explaining in Turkish the action highlights of OWASP/Türkiye during the last one and a half year [somewhat obsolete for a solid 8-9 months].

==== Projects/Tools/Translations ====

Here are some of the projects produced by OWASP/Türkiye;

* [http://dergi.webguvenligi.org/ WGT E-Magazine] by OWASP/TR and Onur Yilmaz

An online web security related magazine in Turkish with a 2 months per-issue period

* [http://ctf.webguvenligi.org/ CTF contest] by Onur Yilmaz

A CTF contest where researchers, professionals and hackers can show off their skills in an ethical way

* [http://code.google.com/p/jarvinen Jarvinen] by Gökhan Alkan & Yusuf Çeri & Bedirhan Urgun

A simple yet effective web based audit log monitoring service for Modsecurity v2. It consists of two basic parts; a (bash) shell script that parses serial logs into the mysql database and a php web application.

* [http://code.google.com/p/cammp CAMMP] by Gökhan Alkan

Aims to provide (bash) shell scripts in order to automatize the source code installations of apache (php and modsecurity) and mysql under chroot (for RedHat based systems for now).

* [http://code.google.com/p/secureimage SecureImage] by Mesut Timur & Bedirhan Urgun & Kerem Küsmezer

A Java,PHP and .NET based image validator that can be used for validating image files on upload systems (such as photo galleries,forums,etc ..) against the threats for XSS issues with IE and LFI attacks. Individual project pages; [http://code.google.com/p/psecureimage PSecureImage] for PHP, [http://code.google.com/p/jsecureimage JSecureImage] for Java and [http://www.codeplex.com/owaspturkey/Release/ProjectReleases.aspx?ReleaseId=18008 NSecureImage] for .NET

* [http://code.google.com/p/securetomcat SecureTomcat] by Bedirhan Urgun & Deniz Çevik & Gökhan Alkan

A collection of three components; an audit documentation in Turkish, a basic remote vulnerability scanner and an audit shell script fully aligned with the audit documentation. All for auditing and testing Apache Tomcat partial J2EE container.

* [http://code.google.com/p/webekci/ WeBekci] by Bünyamin Demir

WeBekci is a graphical user end for ModSecurity 2.x web application firewall.

* [http://www.webguvenligi.org/?page_id=16 Web Security Turkish Translation Project] by [http://www.webguvenligi.org/?page_id=16 great volunteers] & Bedirhan Urgun

Turkish translations of OWASP guides and other web application security related documents '''over 500 pages''' and counting

* [http://code.google.com/p/wivet/ WIVET] by Bedirhan Urgun

A benchmarking project that aims to statistically analyze web link extractors. It provides a good sum of input vectors to any extractor and presents the results. Check out the live app [http://www.webguvenligi.org/wivet/ here].

* [http://code.google.com/p/sqlibench/ SqliBench] by Mesut Timur & Bedirhan Urgun

SQLiBENCH is a benchmarking project of automatic sql injectors related to dumping databases. Check out the live app [http://www.webguvenligi.org/sqlibench/web/ here]. The project is sponsored by [http://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project OWASP SoC 08].

* [http://code.google.com/p/msalparser MSALParser] by Bedirhan Urgun

MSALParser (pronounced \mi-säl\) implements necessary parsers and model objects to represent a ModSecurity Single Audit Log, hence the name MSAL. MSALParser is a PHP RPC end that will get mlogc's calls and parses them into objects and eventually write to a persistent data store.

* [http://code.google.com/p/apachelive ApacheLive] by Bedirhan Urgun

ApacheLive (aka Haydar) project consists of a python script which was aimed to stress Apache web servers (httpd) using Keep-Alive parameters.

* [http://code.google.com/p/anticsurf AntiCsurf] by Mesut Timur

For most of the languages and frameworks, developers have to implement their own functions to defend against CSRF. AntiCsrf is a basic and light library for defending against CSRF for PHP applications.

* [http://code.google.com/p/fm-fsf FM-FSF] by Ferruh Mavituna

FSF is a plug-in based freakin' simple fuzzer for fuzzing web applications and scraping data. It supports some basic stuff and missing some features however it has got some advanced RegEx capturing features for scraping data out of web applications.

* [http://code.google.com/p/msalmobile MSALMobile] & [http://code.google.com/p/msalservice MSALService] by Bedirhan Urgun

MSALMobile, a basic windows mobile application and consuming MSALService, is a simple mobile ModSecurity log analyzer for Windows Mobile environment. See [http://www.webguvenligi.org/software/msalmobile/msalmobile_video.rar a video of MSALMobile in action] on www.webguvenligi.org.

* [http://www.webguvenligi.org/xsstb/reflected.php XSS TestBed] by Bedirhan Urgun

A playground for reflected xss test cases. The live project includes seven test cases ready to exploit. A legal and solid way to learn and apply xss skills. Moreover, a good way to test web application scanners on reflected xss testing...

* [http://www.webguvenligi.org/projeler/wcsa Web.config Security Analyzer] by Mesut Timur

Web.config file holds settings about related ASP.NET web application. This project analyzes a given Web.config file for security vulnerabilities with its 30+ checks. It's a command line too for now and produces a neat html based report.

== Translations ==

Çeviri projesine yardım etmek isteyen arkadaşlar, lütfen [mailto:bunyamindemir@gmail.com bunyamin] veya [mailto:urgunb@hotmail.com bedirhan] ''(proje lideri)'' ile iletişime geçiniz. Şu ana kadar yayınlanan çevirilere [http://www.webguvenligi.org/?page_id=16 buradan] ulaşabilirsiniz. ''You can find Turkish translations of OWASP and other web security related documents [http://www.webguvenligi.org/?page_id=16 here].''

==== Meetings/Conferences ====

== October 11, 2009 OWASP/TR on the Green Field ==

Teams formed by OWASP-Turkey mailing list members will play a soccer match on Sunday, 18:00 October the 11th. We'll seek our Messis, Zidanes, Kakas, Lampards, Chechs stemmed from the Anatolian land... National team may not be qualified for the 2010 World Championship, which is a shame, but we'll do better next time.

== Artifacts - OWASP-Turkey Meeting in September 26, 2009 ==

30 people gathered for the OWASP/TR meeting. Here's the [http://www.webguvenligi.org/docs/26_Eylul_OWASPTR_Bulusma.ppt agenda of the meeting]. Moreover, Ibrahim Saruhan gave a [http://www.webguvenligi.org/docs/Facebook_Twitter_Botnets.ppt presentation] on his experiences writing a PoC Facebook botnet. Thanks everyone for participating.

See the [http://www.flickr.com/webguvenligi/ pictures] and listen to the DimDim [http://recp.dimdim.com/view/dimdim/1a9400f2-fbdb-102c-9515-003048642bd7 recording].

== September 26 Meeting ==

A regular meeting for anyone interested in web/software security. It will take place in Istanbul, Taksim at 14:00, on 26 September.

== Artifacts - 06 May/13 May 2009 OWASP-TR Talks in Kocaeli & Gazi Universities ==

Here are the presentations given by Bünyamin Demir and Onur Yılmaz at "Information Techonology Days" in [http://www.kocaeli.edu.tr/ Kocaeli University] and [http://www.gazi.edu.tr/ Gazi University], [http://www.webguvenligi.org/docs/kocaeli09owasptr.ppt OWASP-TR & WebGoat Presentation] and [http://www.webguvenligi.org/docs/gaziuni09owasptr.ppt Basic Web App Security Presentation] respectively.

Pictures are on [http://www.flickr.com/photos/webguvenligi flicker] as always.

== Web Application Security Talk in Gazi University, 13 May 2009 ==

We'll be giving a talk in "Information Days" event at Gazi University about code/sql injection attack vectors and prevention techniques on 13th (Wednesday) of May 2009, between 10:30-11:20.

Reach out the details [http://www.webguvenligi.org/haberler/web-uygulamalari-guvenligi-sunumu-gazi-universitesi.html here]

== OWASP-TR Seminar in Kocaeli University, 06 May 2009 ==

We'll be hosting a free seminar in Math. Department of Kocaeli University about OWASP and OWASP/Turkey including the basics of well known attack vectors and prevention techniques on 6th (Wednesday) of May 2009, starting from 15:30.

Reach out the details [http://www.webguvenligi.org/haberler/owasp-tr-ve-wgt-semineri-kocaeli-universitesi.html here]

== Artifacts - March 19 2009 OWASP-TR Talk in Sakarya University ==

Here are the presentations given by Bünyamin Demir and Gökhan Alkan at "Information Techonology Days" in [http://www.sau.edu.tr/ Sakarya University], [http://www.webguvenligi.org/sau_bilisim_gunleri09/sakarya_bilisim_gunleri.ppt OWASP-TR & WebGoat Presentation] and [http://www.webguvenligi.org/sau_bilisim_gunleri09/Recel_Krallagindan_Webe.ppt Jarvinen Presentation] respectively. We'd like to thank [http://www.bilisimk.sau.edu.tr/ Sakarya Universitesi Bilişim Kulubü] for inviting us.

And never the least, here are the [http://www.flickr.com/photos/webguvenligi pictures] taken during the day.

== Talk in Information Techonology Days '09 in Sakarya University ==

We'll be giving two talks in "Information Techonology Days" about OWASP and OWASP/Turkey in [http://www.sau.edu.tr/ Sakarya University] on 19th of March 2009. The talk will include an introduction to OWASP, OWASP/Turkey as a community. Plus, Jarvinen, an OWASP/TR project, will be presented.

== Artifacts - Fifth OWASP-Turkey Meeting in March 08, 2009 ==

We had close to 35 people gathered. Here's the [http://www.webguvenligi.org/docs/WGT_OWASP-TR_08_Mart_2009_Bulusmasi_Ajanda.pptx agenda of the meeting]. Moreover, Fatih Emiral gave a [http://www.webguvenligi.org/docs/Yazilim_Guvenligi.ppt presentation] comparing three main Software Security models. Thanks everyone for participating.

For the photos take a look at [http://www.flickr.com/photos/webguvenligi/ here].

== Fifth OWASP-Turkey Meeting in March 08, 2009 ==

A regular meeting on web/software security related issues&techniques&news. The meeting will take place in Istanbul, Maltepe, beween 13:00-15:00, on 08th of March, Sunday.
Here's the map for the [http://www.gencgirisimciler.org/bpi.asp?caid=161&cid=17 meeting place]
If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

== Artifacts - Web Security Days Kocaeli December 2008 ==

With over 50 attendees we had our 4th Web Security Days in Kocaeli University at Umuttepe Campus.

Presentations & SlideShows & Photos:
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_intro.ppt Giris] - Bedirhan Urgun
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_owasptr_wgt.ppt WGT/OWASPTR] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_www.ppt WWW Introduction] - Uğur Yıldız
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_csrf.ppt CSRF] - Yusuf Çeri
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_graphics.ppt Graphic Attacks] - Mesut Timur
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_chroot.ppt Secure Web Production Environments] - Gökhan Alkan
* [http://www.flickr.com/webguvenligi/ Pictures] - Bedirhan & Bünyamin
* [http://www.webguvenligi.org/docs/kocaeli/wgg4_slideshow.ppt OWASP Top 10 Slide Show] - Bedirhan Urgun

== Next Event - 4th Web Security Days Kocaeli - December 23 (Turkey 2008) ==

This event will be the fourth of "Web Security Days" and will take place on 23rd of December 2008 in Kocaeli. The agenda of the event is [http://www.owasp.org/index.php/4th_Web_Security_Days_OWASP_Turkey here].

== Artifacts - Fourth OWASP-Turkey Meeting in October 18, 2008 ==

Here's the [http://www.webguvenligi.org/wp-content/uploads/2008/10/WGT&OWASP-TR_18_Ekim_2008_Bulusmasi_Ajanda.ppt agenda of the meeting]. We also had two small discussion and presentation of a simple demo overview of recent clickjacking vulnerability and [http://www.webguvenligi.org/wp-content/uploads/2008/10/sqlibench-presentation.ppt sqlibench SoC 2008 OWASP project]. Thanks everyone for participating.

Moreover, all of the OWASP sent books (~30)/pens(~15) were distributed freely!

For the photos take a look at [http://www.flickr.com/photos/webguvenligi/ here].

== Fourth OWASP-Turkey Meeting in October 18, 2008 ==

A catch up meeting on web/software security related issues&techniques&news. Moreover, OWASP sent goodies (to the most active chapters) will be distributed (This includes 27 OWASP books and 19 pens). It will take place in Istanbul, İstiklal Cad.Emir Nevruz Sok. No: 1/11 Galatasaray Beyoğlu beween 14:00-16:00, on 18th of October. If you want to attend the event, please send an e-mail to: urgunb at hotmail.com (Bedirhan Urgun)

== Artifacts - June 21 2008 OWASP-TR Talk in "Free Software Conference" ==

Here is the presentation given by Mesut Timur and keynote submitted at [http://konferans.linux.org.tr/ "Free Software Conference"] in [http://www.etu.edu.tr/ TOBB University of Economics and Technology];
[http://www.webguvenligi.org/wp-content/uploads/2008/06/owasp_wgt_lkd_21062008.ppt OWASP-TR Presentation] and [http://www.webguvenligi.org/wp-content/uploads/2008/06/webguvenligi_bildiri_lkd_21062008.pdf Web Security and Free Software Keynote] (in Turkish) respectively.

== Talk in Free Software Conference in Ankara ==

We'll be giving a talk in "Free Software Conference" about OWASP and OWASP/Turkey in [http://www.etu.edu.tr/ TOBB University of Economics and Technology] on 21st (Saturday) of June 2008. The talk will include an introduction to OWASP, OWASP/Turkey, as well as web/application security projects achieved in Turkey.

The Day will start at 09:30 and our talk, which will be presented by [http://www.h-labs.org Mesut Timur], will be between 15.00-15.30. You can skim the programme [http://konferans.linux.org.tr/etkinlik-programi/ here].

== Artifacts - April 19 2008 OWASP-TR Talk in Yildiz Technical University ==

Here are the presentations given by Bünyamin Demir and Yusuf Çeri at "Open Source Code Day" in [http://www.yildiz.edu.tr/english Yildiz Technical University], [http://www.webguvenligi.org/wp-content/uploads/2008/04/owasp-wgt-ytu-19nisan08.ppt OWASP-TR Presentation] and [http://www.webguvenligi.org/wp-content/uploads/2008/04/sqlmapdemo-wgt-ytu-19nisan08.ppt SqlDemo Presentation] respectively. We'd like to thank YTÜ Bilişim Kulubü for inviting us.

And never the least, here are the [http://www.flickr.com/photos/webguvenligi/sets/72157604620396950/ pictures] taken during the day.

== Talk in Open Source Code Day in Yildiz Technical University ==

We'll be giving a talk in "Open Source Code Day" about OWASP and OWASP/Turkey in [http://www.yildiz.edu.tr/english Yildiz Technical University] on 19th of April 2008. The talk will include an introduction to OWASP, OWASP/Turkey, web/application security community in Turkey, the 1st OWASP Day video by Jeff and a live application insecurity demo.

The Day will start at 09:30 and our talk will be the last one before the noon.

== Artifacts - March 09 2008 Meeting ==

It was a nice Sunday in Istanbul and we had 16 people talking about SPoC 08, April OWASP Week and web application security in general. Here are the [http://www.flickr.com/photos/webguvenligi/sets/72157604077351886/ pictures] taken during the meeting.

== March 09 Meeting ==

A casual meeting for anyone interested in web/software security. It will take place in Istanbul, Kadikoy at 14:30, on 09 March. To chat and enjoy the [http://www.flickr.com/photos/jrogivue/21918611/ Bosphorus]!

== Artifacts - Web Security Days Ankara & İzmir November 2007 ==

Through a foggy, and therefore a hard flight, we've managed to realize Web Security Days 2 & 3 in Ankara and Izmir, respectively. Having a total of ~130 attendees (most of them in Izmir), we hope WSD to be traditional and become more qualitysome.

Presentations & Code & Photos:
* [http://www.webguvenligi.org/docs/ankara/init_ankara.ppt Giris] - Bedirhan Urgun
* [http://www.webguvenligi.org/docs/ankara/wgt.ppt WGT Giris] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/izmir/ulakcsirt.pdf ULAK-CSIRT Giris] - Enis Karaarslan
* [http://www.webguvenligi.org/docs/ankara/burak_sc.ppt Yazılım Geliştirme Sürecinde Güvenlik Testleri] - Burak Dayıoğlu
* [http://www.webguvenligi.org/docs/izmir/enis_web.ppt Kurumsal Web Güvenliği Yapısı] - Enis Karaarslan
* [http://www.webguvenligi.org/docs/izmir/tahsin_did.ppt Uygulamalarda Katmanlı Güvenlik Anlayışı] - Tahsin Türköz
* [http://www.webguvenligi.org/docs/izmir/oguzhan_php.ppt PHP ve Güvenli Kodlama] - Oğuzhan Yalçın
* [http://www.webguvenligi.org/docs/ankara/bunyamin_pl.ppt Perl'de Guvenlik Modulu] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/izmir/security_pm.rar Perl'de Guvenlik Modulu - Kod] - Bünyamin Demir
* [http://www.webguvenligi.org/docs/ankara/bedirhan_js.ppt Web 2.0 Savunma Dili: Javascript] - Bedirhan Urgun
* [http://www.flickr.com/photos/webguvenligi/sets/72157603311164597/ Photos] - Bedirhan & Bünyamin

== Next Event - 3rd Web Security Days İzmir - November 26 (Turkey 2007) ==

This event will be the third of "Web Security Days" and will take place on 26th of November 2007 in İzmir. The agenda of the event is [https://www.owasp.org/index.php/3rd_Web_Security_Days_OWASP_Turkey here].

== Next Event - 2nd Web Security Days Ankara - November 24 (Turkey 2007) ==

This event will be the second of "Web Security Days" and will take place on 24th of November 2007 in Ankara.
The agenda of the event is [https://www.owasp.org/index.php/2nd_Web_Security_Days_OWASP_Turkey here].

== Artifacts - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) ==

Presentations:

* [https://www.owasp.org/images/6/66/OWASP_DAY_TR.sub.ppt Turkish Subtitle] for [http://www.owasp.org/downloads/OWASP_Day.wmv Jeff's OWASP Day Intro movie] (delete .ppt extension)
* [https://www.owasp.org/images/b/bc/OWASP2007_KamudaPrivacy.ppt OWASP2007_KamudaPrivacy.ppt‎]
* [https://www.owasp.org/images/4/4b/Guvenli_Web_Uygulamalarinin_Gelistirilmesi2.ppt Guvenli_Web_Uygulamalarinin_Gelistirilmesi.ppt]

Discussion Answers:

Q1.
What is the current state of Privacy on Web Application Security? Does it really matter? Is privacy what will drive radical changes in web application's security (ala PCI)?

A1.
During the meeting an effort was made to clarify the meaning of privacy;
- what are the key items that builds up to "privacy"?
- are we talking about the privacy of real people or should we also include the privacy of legal entities?
- is there really a solid line (or even a vague line) between confidentiality and privacy?
We defined privacy as confidentiality of the data; be it of a real person or a legal entity.
But the key part is that privacy is "the ability to control the flow of one's own data". And which brings another principle: "need to know". Privacy is directly related to an individual or an organization. Confidentiality, however, is directly related to "information"... Privacy is a "result" and confidentiality is a tenet or a security mechanism.

Enough of these convulsions;
The answer to the first question was a definite "YES". Participants were all agreed that "privacy" plays and will play the most important role in web security and its future.

Q2.
Application side: what the data owner should be doing to protect the user's privacy? Should there be a law that states how to protect this information? What can we do to improve it?

A2.
Most of the participants agreed that a law is a necessity.
But, maybe, more important thing is to raise the awareness of the customers.
Here we also had a discussion on the current status of the law on privacy? There are mainly three
documents on privacy in Turkish law;
* a directive on privacy in telecommunication, which happened to be inadequate (an assertion of a lawyer)
* a draft law on privacy from Department of Justice, which is still in the process of approval
* a recent (May 2007) law on siber crimes which happens to be similiar to the "Directive 2006/24/EC of the
European Parliament and of the Council" on the data retention. This law, however, still needs a few
directives, which are about to be published.

Q3.
Client side: what is the client's perception of privacy? How can a user trust a site about his own data treatment? Is the client nowadays safeguarded about a possible loss of privacy?

A3.
As a first step there should be an "agreement" presented to the user by the application side.
This wouldn't be enough so there should be regular inspections (a third eye) on these services.
About "is the client nowadays safeguarded about a possible loss of privacy?" question, the answer
was a definite "NO". Especially with the banks. Yes, there are a few cases of trials where the courts
dictated a bank to compansate the loss of the victim, however, mostly this is not the case. Even there is
a domain serving, founded by the victims of online banking crimes in Turkey.

Q4.
What should OWASP be focusing on?

A4.
As a suggestion, OWASP may provide a "web security tips" page, which can include a searchable gui
on small programming tips to avoid security holes in web applications.

And a great idea of producing a "FixmeBank" application to cover the developer side of the story, as opposed to tester/attacker side (via WebGoat or HacmeBank), was suggested by Taygun Alban.

Q5.
What would OWASP spend it's grant money? (note that new OWASP members can allocate some or all of their membership fees to specific projects)

A5.
Some suggestions;
. Printed booklets of Guide and Testing Guide.
. OWASP CD with shiny labels
. I'm afraid to say but... t-shirts

Q6.
Should OWASP organize such 'OWASP Weeks' every quarter?

A6.
OWASP should organize these events every 6 months or so :)

== Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) ==

As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event ([http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days]) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:

* 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin DEMİR

* 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ
Chief Researcher CC Lab-UEKAE TUBITAK

* 15:00 - 15:50 Secure Web Application Development

Korhan GÜRLER
Chief Researcher PRO-G

* 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

== Last Event - 1st Web Security Days - July 14 (Turkey 2007) ==

First of the [http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days] has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

[http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey For details...]

== Last Meetings ==

'''Sunday 6 May 2007''' 
'''Time:''' 11:15-12:30 

'''Address''' to the meeting are:

[http://www.metu.edu.tr Middle East Technical University] 
Ankara-Turkey 
 

'''Presentation''' 

Web Application Security with ModSecurity and OWASP

__NOTOC__

<headertabs/>