https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=John.wilanderOWASP - User contributions [en]2026-04-23T17:09:14ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Sweden&diff=174529Sweden2014-05-08T09:26:40Z<p>John.wilander: </p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:Mattias.Bergling@owasp.org Mattias Bergling] and [mailto:Robert.Malmgren@owasp.org Robert Malmgren].<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, November 20, 2012: OWASP Top 10 for JavaScript + RESTful Security'''<br />
<br />
Welcome to an OWASP Sweden seminar November 20, with Erlend Oftedal. Book your seat at [https://oftedal.eventbrite.com/ Eventbrite].<br />
<br />
'''OWASP Sweden Meeting, Stockholm, May 14, 2012: Secure Mashups, IT Sec in Cars, Buffer Overflow Prevention, "How We Won the Deutche Post Security Cup", and Multi-Step, Semi-Blind CSRF'''<br />
<br />
Welcome to an OWASP Sweden seminar May 14, with Jonas Magazinius, Mattias Jidhage, and John Wilander. Book your seat at [https://14maj2012.eventbrite.com/ Eventbrite].<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]] [[Category:Europe]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=174528Sweden2014-05-08T09:26:23Z<p>John.wilander: </p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:Mattias.Bergling@owasp.org Mattias Bergling] and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, November 20, 2012: OWASP Top 10 for JavaScript + RESTful Security'''<br />
<br />
Welcome to an OWASP Sweden seminar November 20, with Erlend Oftedal. Book your seat at [https://oftedal.eventbrite.com/ Eventbrite].<br />
<br />
'''OWASP Sweden Meeting, Stockholm, May 14, 2012: Secure Mashups, IT Sec in Cars, Buffer Overflow Prevention, "How We Won the Deutche Post Security Cup", and Multi-Step, Semi-Blind CSRF'''<br />
<br />
Welcome to an OWASP Sweden seminar May 14, with Jonas Magazinius, Mattias Jidhage, and John Wilander. Book your seat at [https://14maj2012.eventbrite.com/ Eventbrite].<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]] [[Category:Europe]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=174527Sweden2014-05-08T09:26:05Z<p>John.wilander: Remover myself as chapter co-leader. I stepped down May 2013.</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, November 20, 2012: OWASP Top 10 for JavaScript + RESTful Security'''<br />
<br />
Welcome to an OWASP Sweden seminar November 20, with Erlend Oftedal. Book your seat at [https://oftedal.eventbrite.com/ Eventbrite].<br />
<br />
'''OWASP Sweden Meeting, Stockholm, May 14, 2012: Secure Mashups, IT Sec in Cars, Buffer Overflow Prevention, "How We Won the Deutche Post Security Cup", and Multi-Step, Semi-Blind CSRF'''<br />
<br />
Welcome to an OWASP Sweden seminar May 14, with Jonas Magazinius, Mattias Jidhage, and John Wilander. Book your seat at [https://14maj2012.eventbrite.com/ Eventbrite].<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]] [[Category:Europe]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=User:John.wilander&diff=165378User:John.wilander2014-01-05T14:48:41Z<p>John.wilander: </p>
<hr />
<div>[[Image:John_Wilander_090626-346_(for_web).jpg|John Wilander]]<br />
<br />
John Wilander is an application security researcher with passion for building software and proactive measures. He is a Product Security Researcher at an American corporation in California. JavaScript and Java are his languages of choice, with Objective-C as runner-up.<br />
<br />
After his Master's degree in Computer Science and Engineering from Linköping University (Sweden) and Nanyang Technological University (Singapore) he pursued a PhD in application security and defended his thesis in April 2013. John's research publications can be found [http://johnwilander.se/#Research here].<br />
<br />
John started the Swedish OWASP Chapter in 2007. In 2010 he chaired the first OWASP AppSec Research conference – [http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010] – and managed to bring together appsec experts from industry and academia. Less than a year later he hosted the [https://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track Browser Security Sessions] at the Global OWASP Summit in Portugal. He also co-founded the [https://www.owasp.org/index.php/Builders OWASP Builders] initiative and served on the Global Conferences Committee for two years. His most recent contribution is the [http://1-liner.org/ OWASP 1-Liner project] which made him one of the few who has lead a chapter, lead a project, and hosted a global AppSec conference.<br />
<br />
For more detailed information, please see his public [http://www.linkedin.com/in/johnwilander LinkedIn page].<br />
<br />
* To see John's wiki contributions, [[:Special:Contributions/John.wilander|click here]]<br />
* His [mailto:john.wilander@owasp.org email address]<br />
* [https://twitter.com/johnwilander @johnwilander]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=User:John.wilander&diff=157439User:John.wilander2013-08-27T19:56:52Z<p>John.wilander: Updated most of the info</p>
<hr />
<div>[[Image:John_Wilander_090626-346_(for_web).jpg|John Wilander]]<br />
<br />
John Wilander is an application security researcher with passion for building software and proactive measures. He is a Product Security Researcher at Apple. JavaScript and Java are his languages of choice, with Objective-C as runner-up.<br />
<br />
After his Master's degree in Computer Science and Engineering from Linköping University (Sweden) and Nanyang Technological University (Singapore) he pursued a PhD in application security and defended his thesis in April 2013. John's research publications can be found [http://johnwilander.se/#Research here].<br />
<br />
John started the Swedish OWASP Chapter in 2007. In 2010 he chaired the first OWASP AppSec Research conference – [http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010] – and managed to bring together appsec experts from industry and academia. Less than a year later he hosted the [https://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track Browser Security Sessions] at the Global OWASP Summit in Portugal. He also co-founded the [https://www.owasp.org/index.php/Builders OWASP Builders] initiative and served on the Global Conferences Committee for two years. His most recent contribution is the [http://1-liner.org/ OWASP 1-Liner project] which made him one of the few who has lead a chapter, lead a project, and hosted a global AppSec conference.<br />
<br />
For more detailed information, please see his public [http://www.linkedin.com/in/johnwilander LinkedIn page].<br />
<br />
* To see John's wiki contributions, [[:Special:Contributions/John.wilander|click here]]<br />
* His [mailto:john.wilander@owasp.org email address]<br />
* [https://twitter.com/johnwilander @johnwilander]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=138126Sweden2012-10-24T20:03:40Z<p>John.wilander: Added Nov 20 event</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, November 20, 2012: OWASP Top 10 for JavaScript + RESTful Security'''<br />
<br />
Welcome to an OWASP Sweden seminar November 20, with Erlend Oftedal. Book your seat at [https://oftedal.eventbrite.com/ Eventbrite].<br />
<br />
'''OWASP Sweden Meeting, Stockholm, May 14, 2012: Secure Mashups, IT Sec in Cars, Buffer Overflow Prevention, "How We Won the Deutche Post Security Cup", and Multi-Step, Semi-Blind CSRF'''<br />
<br />
Welcome to an OWASP Sweden seminar May 14, with Jonas Magazinius, Mattias Jidhage, and John Wilander. Book your seat at [https://14maj2012.eventbrite.com/ Eventbrite].<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=OWASP_1-Liner&diff=132919OWASP 1-Liner2012-07-12T07:41:46Z<p>John.wilander: Added link to GitHub and did some description updates.</p>
<hr />
<div>{{Template:Project About<br />
| project_name = OWASP 1-Liner<br />
| project_home_page = [https://github.com/johnwilander/owasp-1-liner GitHub]<br />
| project_description =OWASP 1-Liner is a deliberately vulnerable Java- and JavaScript-based chat application intended for demos (talks, tutorials, proof-of-concepts) and possibly training in application security. The application has two parts – local.1-liner.org/vulnerable and local.1-liner.org/securish – to allow for demos of both attacks and countermeasures.<br />
| project_license = Creative Commons Attribution ShareAlike 3.0<br />
| leader_name1 = John Wilander<br />
| leader_email[1-10] = john.wilander@owasp.org<br />
| leader_username1 = john.wilander<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
| pamphlet_link = <br />
| presentation_link =<br />
| mailing_list_name = owasp_1_liner@lists.owasp.org <br />
| project_road_map = The application has been used for two years before public release. Officially released at OWASP AppSec Research 2012. The roadmap is to continue adding demos just like before. Hopefully the community will like it and start adding demos too.<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
| release_1 = [https://github.com/johnwilander/owasp-1-liner]<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
}}<br />
<br />
[[Category:OWASP Project]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=128527Sweden2012-04-24T08:53:03Z<p>John.wilander: /* Local News */ Added May 14 event</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, May 14, 2012: Secure Mashups, IT Sec in Cars, Buffer Overflow Prevention, "How We Won the Deutche Post Security Cup", and Multi-Step, Semi-Blind CSRF'''<br />
<br />
Welcome to an OWASP Sweden seminar May 14, with Jonas Magazinius, Mattias Jidhage, and John Wilander. Book your seat at [https://14maj2012.eventbrite.com/ Eventbrite].<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=126836Sweden2012-03-25T02:19:48Z<p>John.wilander: Added link to Jim's slides</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''Slides from the OWASP Sweden Meeting, Stockholm, March 20, 2012'''<br />
<br />
[https://www.owasp.org/images/6/60/Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip Here are the slides (.ppt.zip)] from Jim Manico's presentation on "Web Application Access Control Design Excellence".<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip&diff=126835File:Manico Developer Top Ten Core Controls v4.1.ppt.zip2012-03-25T02:15:46Z<p>John.wilander: Jim Manico's presentation slides from his Nordic tour, March 2012.</p>
<hr />
<div>Jim Manico's presentation slides from his Nordic tour, March 2012.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=User:John.wilander&diff=125883User:John.wilander2012-03-10T14:47:24Z<p>John.wilander: Updated with new employer, recent OWASP activities, and a general brush-up of the text.</p>
<hr />
<div>[[Image:John_Wilander_090626-346_(for_web).jpg|John Wilander]]<br />
<br />
John Wilander is an application security researcher and consultant. He is a frontend developer at Handelsbanken in Sweden. John typically describes himself as a security focused software developer. JavaScript and Java are his languages of choice.<br />
<br />
After his Master's degree in Computer Science and Engineering from Linköping University (Sweden) and Nanyang Technological University (Singapore) he pursued a PhD in application security. Last paper is published so now it's time for dissertation and defense. John's research publications can be found [http://johnwilander.se/#Research here].<br />
<br />
John started the Swedish OWASP Chapter in 2007 and has since been leader and co-leader. In 2010 he chaired the most successful OWASP AppSec EU conference so far – [http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010]. John is listed along with the Swedish chapter as contributors to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10 2010]. In 2011 he hosted the [https://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track Browser Security Sessions] at the Global OWASP Summit in Portugal. He also co-founded the [https://www.owasp.org/index.php/Builders OWASP Builders] initiative.<br />
<br />
For more detailed information, please see his public [http://www.linkedin.com/in/johnwilander LinkedIn page].<br />
<br />
* To see John's wiki contributions, [[:Special:Contributions/John.wilander|click here]]<br />
* His [mailto:john.wilander@owasp.org email address]<br />
* [https://twitter.com/johnwilander @johnwilander]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Builders&diff=125879Builders2012-03-10T12:09:49Z<p>John.wilander: Added John Wilander, initiator of the OWASP Builders</p>
<hr />
<div>==== OWASP Builders ====<br />
<br />
{| width="100%"<br />
|- valign="top"<br />
| <br />
'''Builders Community''' <br />
<br />
A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of application development.<br />
<br />
<br> '''What Are OWASP Communities?'''<br />
<br />
Builders, [http://www.owasp.org/index.php/Breakers Breakers] and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].<br />
<br />
| <br />
[[Image:OWASP-vision.jpg]] <br />
<br />
|}<br />
<br />
<br> <br />
<br />
==== The Community ====<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br> <br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br> <br />
<br />
{| cellspacing="1" cellpadding="1" style="width: 404px; height: 413px;"<br />
|-<br />
| [[Image:John_Wilander_090626-346_(for_web).jpg|100px]]<br> <br />
| '''John Wilander''' <br> [https://www.owasp.org/index.php/Global_Conferences_Committee/ Member of the Global Conferences Committee]<br> [https://www.owasp.org/index.php/Sweden OWASP Sweden Chapter Co-Leader] <br> john.wilander@owasp.org <br> http://appsandsecurity.blogspot.com/ <br> [https://twitter.com/johnwilander @johnwilander]<br />
| <br />
|<br />
|-<br />
| [[Image:SimonBennetts-OWASP.jpg]]<br> <br />
| '''Simon Bennetts''' <br> [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] Lead <br> psiinon@owasp.org <br> http://pentest4devs.blogspot.com/ <br> @psiinon<br />
| <br />
|<br />
|-<br />
| Your pic; <br><br />
| '''Your name'''<br> ''Your company/project'' <br> ''Your email'' <br> ''Your website'' <br> ''Your twitter''<br />
|<br />
|<br />
|-<br />
| Your pic; <br><br />
| '''Your name'''<br> ''Your company/project'' <br> ''Your email'' <br> ''Your website'' <br> ''Your twitter''<br />
|<br />
|}<br />
<br />
<br />
<br />
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]<br />
<br><br />
<br />
==== Developer Outreach ====<br />
<br />
Get involved in the Developer Outreach by subscribing to the ...<br />
* [https://lists.owasp.org/mailman/listinfo/developer-outreach Steering List (low traffic)]<br />
* [https://groups.google.com/group/owasp-dev-outreach-discuss Google Group (for discussions)]<br />
<br />
The first priority of the Builders Community is to reach out to developers and ask what application security is lacking today. An initial lightweight outreach was performed early March 2011.<br />
<br />
=== Developers' Security Itches March 2011 ===<br />
The overall results of the initial outreach can be seen in the diagram below (categorization by John Wilander, full-text available via links below). This is a first glimpse at what developers think are the problems and challenges for application security.<br />
<br />
[[Image:Developer_outreach_iteration_1.png]]<br />
<br />
Full data searchable via the online database [https://www.grubba.net https://www.grubba.net] (account 'owasp'/'owasp') or available in a .csv file [http://www.owasp.org/images/e/e0/OWASP_Developer_Outreach_Iteration_1.csv.zip here].<br />
<br />
=== "Lack of Security in Frameworks" ===<br />
Here's what the developers said in the number one category "Lack of Security in Frameworks":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* ''NMP (not my problem), aka should be handled by the used frameworks'' (spring, struts, etc). [Java and C# developer, 5 years of experience]<br />
* ''The idea that you can tackle all security problems with spring security.'' [Java and C# developer, 5 years of experience]<br />
* ''I want more/most/all implementation-level security issues taken care of at the language and framework level. There are far too many security problems that are left to developers to understand and take care of.'' [Java and JavaScript developer, 15 years experience]<br />
* ''Libraries and frameworks have insecure defaults (example: JSP's c:out). Webapp frameworks doesnt keep up with the security landscape, and there are no quick fixes to add security to these. No central place for developers for different languages and frameworks, making it hard to find the good solutions (making people solve the same problems over and over, with different success rate).'' [Java and JavaScript developer, 6 years of experience]<br />
* ''Things I don't have control over. 3rd party DB drivers, image libraries, all kind of framework.'' [C# and Java developer, 10 years of experience]<br />
* ''Frameworks missing mechanisms for solving common security problems (CSRF, http-only etc.)'' [Java and Ruby developer, 3 years experience]<br />
* ''Lack of security support in frameworks.'' [Java developer, 15 years of experience]<br />
* ''Picking secure components.'' [Java and Scala developer, 8 years of experience]<br />
* ''Missing a lot of functionality in frameworks for handling common security issues.'' [Java and JavaScript developer, 10 years of experience]<br />
* ''Secure by default, i e default settings in frameworks would be nice.'' [Java and JavaScript developer, 10 years of experience]<br />
<br />
=== "Security Info Hard to Find" ===<br />
Here's what the developers said in the runner up category "Security Info Hard to Find":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* ''Security is very seldom covered in the channels developers listen to, e.g. developer conferences.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Which tools are good enough? Which frameworks are good enough? Can I trust Google when searching for security solutions? How else to ask?'' [Java developer, 12 years experience]<br />
* ''There are resources for that?'' [C# developer, 10 years experience]<br />
* ''The security info channels you listen to are too noisy. Hard to know what's a real problem.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Would like to see a matrix with various frameworks on one axis and security issues such as OWASP Top 10 on the other. Cells contain links to solutions.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Would like a comparison of what is supported and not in the different web frameworks with regard to security (escaping & encoding, sql-injection, etc).'' [C# and Ruby developer, 3 years experience]<br />
* ''Can't find resources.'' [PHP developer, 15 years experience]<br />
* ''Information is hard to find.'' [C# developer, 4 years experience]<br />
<br />
==== Official Builder Projects ====<br />
<br />
To be determined <br />
<br />
==== All Builder Related Projects ====<br />
All projects that are related to the OWASP Builders community can be found at the following link: [[:Category:OWASP Builders]]<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=125878Sweden2012-03-10T12:05:50Z<p>John.wilander: Added Jim Manico's talk March 2012</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Stockholm, March 20, 2012: "Web Application Access Control Design Excellence"'''<br />
<br />
Welcome to an OWASP Sweden seminar March 20, with Jim Manico. Book your seat at [https://owaspsweden200312.eventbrite.com/ Eventbrite].<br />
<br />
This event will be in English.<br />
<br />
Sponsors for this event are:<br />
* F5 who is sponsoring for Jim's travel and hotel<br />
* .SE sponsoring with the venue<br />
* Cybercom who will supply you with beverage and snacks during the evening<br />
<br />
The Speaker<br />
Jim Manico is a profile in the OWASP community working with the OWASP podcasts and ESAPI amongst other things. During march he is doing a nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Stockholm on March 20.<br />
Read more on the OWASP webpage https://www.owasp.org/index.php/User:Jmanico<br />
<br />
Abstract for Jim´s talk:<br />
<br />
'''Web Application Access Control Design Excellence'''<br />
<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=125877Sweden2012-03-10T12:00:16Z<p>John.wilander: Added SSL Day 2011</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden SSL Day, Stockholm, November 23 2011'''<br />
OWASP Sweden, Stockholm branch is happy to announce a full-day on the topic of SSL in cooperation with Internetdagarna<br />
http://www.internetdagarna.se/ind11/program/seminarium/92<br />
<br />
The speakers are<br />
* Jakob Schlyter, Kirei<br />
* John Wilander, OWASP Sweden and Handelsbanken<br />
* Andreas Jonson, Romab<br />
* Henrich Pöhls, University of Passau<br />
* Robert Malmgren, OWASP Sweden and Romab<br />
<br />
'''OWASP Sweden Meeting March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.<br />
[[Category:Sweden]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:John_Wilander_090626-346_(for_web).jpg&diff=125876File:John Wilander 090626-346 (for web).jpg2012-03-10T11:45:55Z<p>John.wilander: uploaded a new version of &quot;File:John Wilander 090626-346 (for web).jpg&quot;: File was gone. Uploaded it again.</p>
<hr />
<div>Profile picture for John Wilander</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Builders&diff=107750Builders2011-03-27T23:15:59Z<p>John.wilander: Added category "Security Info Hard to Find", changed from bold to italics on quotes.</p>
<hr />
<div>==== OWASP Builders ====<br />
<br />
{| width="100%"<br />
|- valign="top"<br />
| <br />
'''Builders Community''' <br />
<br />
A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of application development.<br />
<br />
<br> '''What Are OWASP Communities?'''<br />
<br />
Builders, Breakers and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].<br />
<br />
| <br />
[[Image:OWASP-vision.jpg]] <br />
<br />
|}<br />
<br />
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]<br />
<br> <br />
<br />
<br />
==== Developer Outreach ====<br />
<br />
Get involved in the Developer Outreach by subscribing to the ...<br />
* [https://lists.owasp.org/mailman/listinfo/developer-outreach Steering List (low traffic)]<br />
* [https://groups.google.com/group/owasp-dev-outreach-discuss Google Group (for discussions)]<br />
<br />
The first priority of the Builders Community is to reach out to developers and ask what application security is lacking today. An initial lightweight outreach was performed early March 2011.<br />
<br />
=== Developers' Security Itches March 2011 ===<br />
The overall results of the initial outreach can be seen in the diagram below (categorization by John Wilander, full-text available via links below). This is a first glimpse at what developers think are the problems and challenges for application security.<br />
<br />
[[Image:Developer_outreach_iteration_1.png]]<br />
<br />
Full data searchable via the online database [https://www.grubba.net https://www.grubba.net] (account 'owasp'/'owasp') or available in a .csv file [http://www.owasp.org/images/e/e0/OWASP_Developer_Outreach_Iteration_1.csv.zip here].<br />
<br />
=== "Lack of Security in Frameworks" ===<br />
Here's what the developers said in the number one category "Lack of Security in Frameworks":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* ''NMP (not my problem), aka should be handled by the used frameworks'' (spring, struts, etc). [Java and C# developer, 5 years of experience]<br />
* ''The idea that you can tackle all security problems with spring security.'' [Java and C# developer, 5 years of experience]<br />
* ''I want more/most/all implementation-level security issues taken care of at the language and framework level. There are far too many security problems that are left to developers to understand and take care of.'' [Java and JavaScript developer, 15 years experience]<br />
* ''Libraries and frameworks have insecure defaults (example: JSP's c:out). Webapp frameworks doesnt keep up with the security landscape, and there are no quick fixes to add security to these. No central place for developers for different languages and frameworks, making it hard to find the good solutions (making people solve the same problems over and over, with different success rate).'' [Java and JavaScript developer, 6 years of experience]<br />
* ''Things I don't have control over. 3rd party DB drivers, image libraries, all kind of framework.'' [C# and Java developer, 10 years of experience]<br />
* ''Frameworks missing mechanisms for solving common security problems (CSRF, http-only etc.)'' [Java and Ruby developer, 3 years experience]<br />
* ''Lack of security support in frameworks.'' [Java developer, 15 years of experience]<br />
* ''Picking secure components.'' [Java and Scala developer, 8 years of experience]<br />
* ''Missing a lot of functionality in frameworks for handling common security issues.'' [Java and JavaScript developer, 10 years of experience]<br />
* ''Secure by default, i e default settings in frameworks would be nice.'' [Java and JavaScript developer, 10 years of experience]<br />
<br />
=== "Security Info Hard to Find" ===<br />
Here's what the developers said in the runner up category "Security Info Hard to Find":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* ''Security is very seldom covered in the channels developers listen to, e.g. developer conferences.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Which tools are good enough? Which frameworks are good enough? Can I trust Google when searching for security solutions? How else to ask?'' [Java developer, 12 years experience]<br />
* ''There are resources for that?'' [C# developer, 10 years experience]<br />
* ''The security info channels you listen to are too noisy. Hard to know what's a real problem.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Would like to see a matrix with various frameworks on one axis and security issues such as OWASP Top 10 on the other. Cells contain links to solutions.'' [Java and JavaScript developer, 10 years experience]<br />
* ''Would like a comparison of what is supported and not in the different web frameworks with regard to security (escaping & encoding, sql-injection, etc).'' [C# and Ruby developer, 3 years experience]<br />
* ''Can't find resources.'' [PHP developer, 15 years experience]<br />
* ''Information is hard to find.'' [C# developer, 4 years experience]<br />
<br />
<br />
__NOTOC__ <headertabs /> <br></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Builders&diff=107749Builders2011-03-27T22:43:11Z<p>John.wilander: Added link to Defenders page</p>
<hr />
<div>==== OWASP Builders ====<br />
<br />
{| width="100%"<br />
|- valign="top"<br />
| <br />
'''Builders Community''' <br />
<br />
A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of application development.<br />
<br />
<br> '''What Are OWASP Communities?'''<br />
<br />
Builders, Breakers and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].<br />
<br />
| <br />
[[Image:OWASP-vision.jpg]] <br />
<br />
|}<br />
<br />
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]<br />
<br> <br />
<br />
<br />
==== Developer Outreach ====<br />
<br />
Get involved in the Developer Outreach by subscribing to the ...<br />
* [https://lists.owasp.org/mailman/listinfo/developer-outreach Steering List (low traffic)]<br />
* [https://groups.google.com/group/owasp-dev-outreach-discuss Google Group (for discussions)]<br />
<br />
The first priority of the Builders Community is to reach out to developers and ask what application security is lacking today. An initial lightweight outreach was performed early March 2011.<br />
<br />
=== Developers' Security Itches March 2011 ===<br />
The overall results of the initial outreach can be seen in the diagram below (categorization by John Wilander, full-text available via links below). This is a first glimpse at what developers think are the problems and challenges for application security.<br />
<br />
[[Image:Developer_outreach_iteration_1.png]]<br />
<br />
Full data searchable via the online database [https://www.grubba.net https://www.grubba.net] (account 'owasp'/'owasp') or available in a .csv file [http://www.owasp.org/images/e/e0/OWASP_Developer_Outreach_Iteration_1.csv.zip here].<br />
<br />
=== "Lack of Security in Frameworks" ===<br />
Here's what the developers said in the number one category "Lack of Security in Frameworks":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* '''NMP (not my problem), aka should be handled by the used frameworks (spring, struts, etc).''' [Java and C# developer, 5 years of experience]<br />
* '''The idea that you can tackle all security problems with spring security.''' [Java and C# developer, 5 years of experience]<br />
* '''I want more/most/all implementation-level security issues taken care of at the language and framework level. There are far too many security problems that are left to developers to understand and take care of.''' [Java and JavaScript developer, 15 years experience]<br />
* '''Libraries and frameworks has insecure defaults (example: JSP's c:out). Webapp frameworks doesnt keep up with the security landscape, and there are no quick fixes to add security to these. No central place for developers for different languages and frameworks, making it hard to find the good solutions (making people solve the same problems over and over, with different success rate).''' [Java and JavaScript developer, 6 years of experience]<br />
* '''Things I don't have control over. 3rd party DB drivers, image libraries, all kind of framework.''' [C# and Java developer, 10 years of experience]<br />
* '''Frameworks missing mechanisms for solving common security problems (CSRF, http-only etc.)''' [Java+Ruby developer, 3 years experience]<br />
* '''Lack of security support in frameworks.''' [Java developer, 15 years of experience]<br />
* '''Picking secure components.''' [Java and Scala developer, 8 years of experience]<br />
* '''Missing a lot of functionality in frameworks for handling common security issues.''' [Java and JavaScript developer, 10 years of experience]<br />
* '''Secure by default, i e default settings in frameworks would be nice.''' [Java and JavaScript developer, 10 years of experience]<br />
<br />
__NOTOC__ <headertabs /> <br></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Builders&diff=107748Builders2011-03-27T22:27:21Z<p>John.wilander: Initial commit including results and links from Developer Outreach, iteration 1</p>
<hr />
<div>==== OWASP Builders ====<br />
<br />
{| width="100%"<br />
|- valign="top"<br />
| <br />
'''Builders Community''' <br />
<br />
A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of application development.<br />
<br />
<br> '''What Are OWASP Communities?'''<br />
<br />
Builders, Breakers and [Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].<br />
<br />
| <br />
[[Image:OWASP-vision.jpg]] <br />
<br />
|}<br />
<br />
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]<br />
<br> <br />
<br />
<br />
==== Developer Outreach ====<br />
<br />
Get involved in the Developer Outreach by subscribing to the ...<br />
* [https://lists.owasp.org/mailman/listinfo/developer-outreach Steering List (low traffic)]<br />
* [https://groups.google.com/group/owasp-dev-outreach-discuss Google Group (for discussions)]<br />
<br />
The first priority of the Builders Community is to reach out to developers and ask what application security is lacking today. An initial lightweight outreach was performed early March 2011.<br />
<br />
=== Developers' Security Itches March 2011 ===<br />
The overall results of the initial outreach can be seen in the diagram below (categorization by John Wilander, full-text available via links below). This is a first glimpse at what developers think are the problems and challenges for application security.<br />
<br />
[[Image:Developer_outreach_iteration_1.png]]<br />
<br />
Full data searchable via the online database [https://www.grubba.net https://www.grubba.net] (account 'owasp'/'owasp') or available in a .csv file [http://www.owasp.org/images/e/e0/OWASP_Developer_Outreach_Iteration_1.csv.zip here].<br />
<br />
=== "Lack of Security in Frameworks" ===<br />
Here's what the developers said in the number one category "Lack of Security in Frameworks":<br />
<br />
Question: '''What are your security itches?'''<br />
<br />
* '''NMP (not my problem), aka should be handled by the used frameworks (spring, struts, etc).''' [Java and C# developer, 5 years of experience]<br />
* '''The idea that you can tackle all security problems with spring security.''' [Java and C# developer, 5 years of experience]<br />
* '''I want more/most/all implementation-level security issues taken care of at the language and framework level. There are far too many security problems that are left to developers to understand and take care of.''' [Java and JavaScript developer, 15 years experience]<br />
* '''Libraries and frameworks has insecure defaults (example: JSP's c:out). Webapp frameworks doesnt keep up with the security landscape, and there are no quick fixes to add security to these. No central place for developers for different languages and frameworks, making it hard to find the good solutions (making people solve the same problems over and over, with different success rate).''' [Java and JavaScript developer, 6 years of experience]<br />
* '''Things I don't have control over. 3rd party DB drivers, image libraries, all kind of framework.''' [C# and Java developer, 10 years of experience]<br />
* '''Frameworks missing mechanisms for solving common security problems (CSRF, http-only etc.)''' [Java+Ruby developer, 3 years experience]<br />
* '''Lack of security support in frameworks.''' [Java developer, 15 years of experience]<br />
* '''Picking secure components.''' [Java and Scala developer, 8 years of experience]<br />
* '''Missing a lot of functionality in frameworks for handling common security issues.''' [Java and JavaScript developer, 10 years of experience]<br />
* '''Secure by default, i e default settings in frameworks would be nice.''' [Java and JavaScript developer, 10 years of experience]<br />
<br />
__NOTOC__ <headertabs /> <br></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASP_Developer_Outreach_Iteration_1.csv.zip&diff=107747File:OWASP Developer Outreach Iteration 1.csv.zip2011-03-27T21:57:25Z<p>John.wilander: Comma separated data from Developer Outreach, iteration 1.</p>
<hr />
<div>Comma separated data from Developer Outreach, iteration 1.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:Developer_outreach_iteration_1.png&diff=107746File:Developer outreach iteration 1.png2011-03-27T21:54:25Z<p>John.wilander: uploaded a new version of &quot;File:Developer outreach iteration 1.png&quot;: Smaller size.</p>
<hr />
<div>Diagram over categorized developer replies to the initial developer outreach.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:Developer_outreach_iteration_1.png&diff=107745File:Developer outreach iteration 1.png2011-03-27T21:53:00Z<p>John.wilander: Diagram over categorized developer replies to the initial developer outreach.</p>
<hr />
<div>Diagram over categorized developer replies to the initial developer outreach.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=106657Sweden2011-03-11T13:31:06Z<p>John.wilander: Added links to Mario's two slidesets</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<paypal>Sweden</paypal><br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
Mario's slides:<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf]] "The Image That Called Me" on SVG security<br><br />
[[Media:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf]] "Locking the Throneroom" on locking the DOM to eradicate XSS<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf&diff=106656File:Mario Heiderich OWASP Sweden Locking the throneroom.pdf2011-03-11T13:26:11Z<p>John.wilander: Mario Heiderich's talk on locking the DOM to eradicate XSS at OWASP Sweden, March 7, 2011.</p>
<hr />
<div>Mario Heiderich's talk on locking the DOM to eradicate XSS at OWASP Sweden, March 7, 2011.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf&diff=106655File:Mario Heiderich OWASP Sweden The image that called me.pdf2011-03-11T13:24:44Z<p>John.wilander: Mario Heiderich's talk on SVG security at OWASP Sweden March 7, 2011.</p>
<hr />
<div>Mario Heiderich's talk on SVG security at OWASP Sweden March 7, 2011.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf&diff=105765File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf2011-02-24T21:49:18Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf&diff=105748File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf2011-02-24T18:31:05Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Category:Summit_2011_Browser_Security_Track&diff=105747Category:Summit 2011 Browser Security Track2011-02-24T18:29:32Z<p>John.wilander: Added Enduser Warnings notes</p>
<hr />
<div>[[Image:T._browser_security.jpg]]<br><br><br />
[[Image:Google-groups-logo-1.jpg|link=https://groups.google.com/group/owasp-summit-browsersec]][https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track]<br><br />
==== About ====<br />
The Browser Security track of the OWASP Summit 2011 was an initial community effort to bring together browser vendors, major web app providers, well-known white hat hackers, and OWASP leaders to discuss what can be done to enhance web security through the browser. The track comprised of two half-day day workshops on chosen subtopics (see tabs). We invited some of the world's top experts to maximize the chances of moving forward this important area or application security.<br />
<br />
===Session Notes===<br />
Here are the notes from all the four browser security sessions. Later on we will publish a Browser Security Report building on these sessions.<br />
<br />
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br><br />
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br><br />
[http://www.owasp.org/images/c/cd/OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf HTML5 Security notes (pdf)]<br><br />
[http://www.owasp.org/images/f/f7/OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf EcmaScript 5 Security notes (pdf)]<br><br />
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]<br />
<br />
===Who Participated?===<br />
The following browser, major web app, and plugin vendors participated in the browser security sessions:<br><br />
[http://www.google.com/chrome http://www.owasp.org/images/f/f6/Chrome_small.jpg]<br />
[http://www.mozilla.com/en-US/firefox/ http://www.owasp.org/images/4/47/Firefox_small.jpg]<br />
[http://ie.microsoft.com/testdrive/info/downloads/Default.html http://www.owasp.org/images/6/62/Internet_explorer_small.jpg]<br />
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]<br />
[http://www.adobe.com http://www.owasp.org/images/8/87/Adobe_logo_standard_for_Tasha.jpg]<br />
<br />
/John Wilander, Session Chair<br />
==== DOM Sandboxing ====<br />
===Virtualization and Sandboxing for Secure Multi-Domain Web Apps===<br />
<br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
Goals and issues that need browser vendor cooperation:<br />
* '''Attenuated versions of existing apis to sandboxed code'''. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.<br />
* '''Client side sandboxed apps maintaining state and authentication'''. For example if a user is created in a sandboxed app how is it determined what that user can do?<br />
* '''Create a standard for modifying a sandboxed environment'''<br />
* '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
* '''Adopt a simpler rights amplification api''' like [http://web-send.org/introducer Web Introducer]<br />
* '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
===Working Form===<br />
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
<br />
==== HTML5 ====<br />
===HTML5 Security===<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Handle autofocus in a unified and secure way'''. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.<br />
* '''Discuss necessity and capability for the HTML5 form controls'''. Do we need a non-SOP formaction attribute and why? <br />
* '''Goal I''': Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help<br />
* '''Goal II''': Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.<br />
* '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade<br />
<br />
==== EcmaScript 5====<br />
=== EcmaScript 5 Security ===<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''. Implement it if not yet done.<br />
* '''Goal I''': Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.<br />
* '''Goal II''': Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.<br />
* '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. <br />
<br />
<br />
==== Site Security Policy ====<br />
There are several initiatives for expressing and enforcing website security policies. [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced TLS. [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting resource domains and enforcing file-only JavaScript. [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for enforce framing restrictions. Harmonizing these features among browsers is a huge task. Getting developers to adopt and implement is even more challenging. This session will try to address all of these questions as well as the technical alternatives – headers, meta tags, nonces, signatures, html zones, css-like policies, violation events etc.<br />
<br />
* Should we have independent, coherent and simple policy mechanisms or a generalized, extensible policy mechanism?<br />
* Should developers have multiple choices for expressing policies such as headers ''and'' meta tags?<br />
* Should policies restrict domains, URLs, or elements? What are the consequences?<br />
* Should one or two browser vendors deploy a policy mechanism in the field, collect experience, and then we set a standard?<br />
* How do we help developers understand the need for policies and how do we help them write/generate/maintain policies?<br />
* How important is performance and web 1.0/web 2.0 compliance? How much of the web can we afford to break? 0 %?<br />
<br />
===Co-chair Jeff Hodges===<br />
Jeff Hodges is Distinguished Security Engineer at PayPal, Inc and one of the three original authors of the [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] spec. Check out [http://identitymeme.org/ IdentityMeme.org Jeff's blog].<br />
<br />
===Co-chair David Ross===<br />
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, David spent his formative years on the Internet Explorer Security Team and wears the battle scars with pride. Check out [http://blogs.msdn.com/dross David’s blog].<br />
<br />
===Co-chair Lucas Adamski===<br />
Lucas Adamski is the Director of Security Engineering at Mozilla Corporation. He specializes in penetration testing, incident response, spec and code reviews, fuzzing, training, security processes and software PLC. Check out [http://blog.mozilla.com/ladamski/ Lucas' blog].<br />
<br />
==== Enduser Warnings ====<br />
===Enduser Warnings===<br />
[[Image:Three_browsers_user_info.jpg]]<br />
<br />
===Subjects and Goals (draft)===<br />
Clearly there is a need for warnings that users understand and that conveys the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.<br />
<br />
* How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? What to do about 50 % of users clicking through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] i Firefox 4. "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.<br />
* How should browsers communicate other kinds of information such as privacy, malware warnings, "not visited before" etc? Forbes had an interesting example of [http://blogs.forbes.com/kashmirhill/2011/01/05/visualizing-better-privacy-policies/?boxes=Homepagechannels how to visualize privacy].<br />
<br />
Some additional information, thoughts and discussions on these subjects elsewhere:<br />
<br />
* [http://www.freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent], Freedom to Tinker, 18 Jan 2011<br />
* [http://intrepidusgroup.com/insight/2010/04/security-dialogs-and-graphics/ Security Dialogs and Graphics], Insight, 27 Apr 2010<br />
* [http://www.w3.org/TR/wsc-ui/ Web Security Context: User Interface Guidelines], W3C, 12 Aug 2010<br />
* [http://www.clerkendweller.com/2009/7/28/Colour-Overload-with-IE8-Tab-Grouping Colour Overload with IE8 Tab Grouping], Clerkendweller, 28 Jul 2009<br />
* [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies], IEEE Symposium on Security and Privacy, May 2007<br />
<br />
<br />
==== Securing Plugins ====<br />
===Securing Plugins===<br />
Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?<br />
<br />
<br />
==== Blacklisting ====<br />
===Blacklisting===<br />
Can we cooperate better on blacklisting? Does it work between cultures, i e can we have the same process for reporting throughout the world?<br />
<br />
<br />
==== OS Integration ====<br />
===OS Integration===<br />
More and more features in browsers get integrated with the underlying operating system. Processes, fonts, filesystem, 3D graphics. How do we secure this?<br />
<br />
==== Sandboxed Browser ====<br />
=== Sandboxed Tabs/Domains/Browser ===<br />
Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.<br />
<br />
__NOTOC__ <br />
<headertabs /> <br />
<br />
Questions? Contact [mailto:john.wilander@owasp.org John Wilander, Session Chair]<br><br><br />
[[Summit_2011|'''Return Global Summit 2011 Home Page''']]<br><br />
[[:Category:Summit_2011_Tracks|'''Return to Global Summit 2011 Working Sessions''']]<br />
<br />
[[Category:Summit_2011]]<br />
[[Category: Summit 2011 Tracks]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf&diff=105746File:OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf2011-02-24T18:28:14Z<p>John.wilander: </p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf&diff=105745File:OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf2011-02-24T18:01:47Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf&diff=105744File:OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf2011-02-24T18:00:50Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf&diff=105743File:OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf2011-02-24T18:00:14Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf&diff=105742File:OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf2011-02-24T17:59:40Z<p>John.wilander: uploaded a new version of &quot;File:OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf&quot;</p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Category:Summit_2011_Browser_Security_Track&diff=105741Category:Summit 2011 Browser Security Track2011-02-24T17:53:57Z<p>John.wilander: Added raw notes from all four browser security sessions</p>
<hr />
<div>[[Image:T._browser_security.jpg]]<br><br><br />
[[Image:Google-groups-logo-1.jpg|link=https://groups.google.com/group/owasp-summit-browsersec]][https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track]<br><br />
==== About ====<br />
The Browser Security track of the OWASP Summit 2011 was an initial community effort to bring together browser vendors, major web app providers, well-known white hat hackers, and OWASP leaders to discuss what can be done to enhance web security through the browser. The track comprised of two half-day day workshops on chosen subtopics (see tabs). We invited some of the world's top experts to maximize the chances of moving forward this important area or application security.<br />
<br />
===Session Notes===<br />
Here are the notes from all the four browser security sessions. Later on we will publish a Browser Security Report building on these sessions.<br />
<br />
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br><br />
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br><br />
[http://www.owasp.org/images/c/cd/OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf HTML5 Security notes (pdf)]<br><br />
[http://www.owasp.org/images/f/f7/OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf EcmaScript 5 Security notes (pdf)]<br />
<br />
===Who Participated?===<br />
The following browser, major web app, and plugin vendors participated in the browser security sessions:<br><br />
[http://www.google.com/chrome http://www.owasp.org/images/f/f6/Chrome_small.jpg]<br />
[http://www.mozilla.com/en-US/firefox/ http://www.owasp.org/images/4/47/Firefox_small.jpg]<br />
[http://ie.microsoft.com/testdrive/info/downloads/Default.html http://www.owasp.org/images/6/62/Internet_explorer_small.jpg]<br />
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]<br />
[http://www.adobe.com http://www.owasp.org/images/8/87/Adobe_logo_standard_for_Tasha.jpg]<br />
<br />
/John Wilander, Session Chair<br />
==== DOM Sandboxing ====<br />
===Virtualization and Sandboxing for Secure Multi-Domain Web Apps===<br />
<br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
Goals and issues that need browser vendor cooperation:<br />
* '''Attenuated versions of existing apis to sandboxed code'''. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.<br />
* '''Client side sandboxed apps maintaining state and authentication'''. For example if a user is created in a sandboxed app how is it determined what that user can do?<br />
* '''Create a standard for modifying a sandboxed environment'''<br />
* '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
* '''Adopt a simpler rights amplification api''' like [http://web-send.org/introducer Web Introducer]<br />
* '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
===Working Form===<br />
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
<br />
==== HTML5 ====<br />
===HTML5 Security===<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Handle autofocus in a unified and secure way'''. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.<br />
* '''Discuss necessity and capability for the HTML5 form controls'''. Do we need a non-SOP formaction attribute and why? <br />
* '''Goal I''': Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help<br />
* '''Goal II''': Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.<br />
* '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade<br />
<br />
==== EcmaScript 5====<br />
=== EcmaScript 5 Security ===<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''. Implement it if not yet done.<br />
* '''Goal I''': Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.<br />
* '''Goal II''': Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.<br />
* '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. <br />
<br />
<br />
==== Site Security Policy ====<br />
There are several initiatives for expressing and enforcing website security policies. [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced TLS. [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting resource domains and enforcing file-only JavaScript. [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for enforce framing restrictions. Harmonizing these features among browsers is a huge task. Getting developers to adopt and implement is even more challenging. This session will try to address all of these questions as well as the technical alternatives – headers, meta tags, nonces, signatures, html zones, css-like policies, violation events etc.<br />
<br />
* Should we have independent, coherent and simple policy mechanisms or a generalized, extensible policy mechanism?<br />
* Should developers have multiple choices for expressing policies such as headers ''and'' meta tags?<br />
* Should policies restrict domains, URLs, or elements? What are the consequences?<br />
* Should one or two browser vendors deploy a policy mechanism in the field, collect experience, and then we set a standard?<br />
* How do we help developers understand the need for policies and how do we help them write/generate/maintain policies?<br />
* How important is performance and web 1.0/web 2.0 compliance? How much of the web can we afford to break? 0 %?<br />
<br />
===Co-chair Jeff Hodges===<br />
Jeff Hodges is Distinguished Security Engineer at PayPal, Inc and one of the three original authors of the [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] spec. Check out [http://identitymeme.org/ IdentityMeme.org Jeff's blog].<br />
<br />
===Co-chair David Ross===<br />
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, David spent his formative years on the Internet Explorer Security Team and wears the battle scars with pride. Check out [http://blogs.msdn.com/dross David’s blog].<br />
<br />
===Co-chair Lucas Adamski===<br />
Lucas Adamski is the Director of Security Engineering at Mozilla Corporation. He specializes in penetration testing, incident response, spec and code reviews, fuzzing, training, security processes and software PLC. Check out [http://blog.mozilla.com/ladamski/ Lucas' blog].<br />
<br />
==== Enduser Warnings ====<br />
===Enduser Warnings===<br />
[[Image:Three_browsers_user_info.jpg]]<br />
<br />
===Subjects and Goals (draft)===<br />
Clearly there is a need for warnings that users understand and that conveys the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.<br />
<br />
* How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? What to do about 50 % of users clicking through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] i Firefox 4. "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.<br />
* How should browsers communicate other kinds of information such as privacy, malware warnings, "not visited before" etc? Forbes had an interesting example of [http://blogs.forbes.com/kashmirhill/2011/01/05/visualizing-better-privacy-policies/?boxes=Homepagechannels how to visualize privacy].<br />
<br />
Some additional information, thoughts and discussions on these subjects elsewhere:<br />
<br />
* [http://www.freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent], Freedom to Tinker, 18 Jan 2011<br />
* [http://intrepidusgroup.com/insight/2010/04/security-dialogs-and-graphics/ Security Dialogs and Graphics], Insight, 27 Apr 2010<br />
* [http://www.w3.org/TR/wsc-ui/ Web Security Context: User Interface Guidelines], W3C, 12 Aug 2010<br />
* [http://www.clerkendweller.com/2009/7/28/Colour-Overload-with-IE8-Tab-Grouping Colour Overload with IE8 Tab Grouping], Clerkendweller, 28 Jul 2009<br />
* [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies], IEEE Symposium on Security and Privacy, May 2007<br />
<br />
<br />
==== Securing Plugins ====<br />
===Securing Plugins===<br />
Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?<br />
<br />
<br />
==== Blacklisting ====<br />
===Blacklisting===<br />
Can we cooperate better on blacklisting? Does it work between cultures, i e can we have the same process for reporting throughout the world?<br />
<br />
<br />
==== OS Integration ====<br />
===OS Integration===<br />
More and more features in browsers get integrated with the underlying operating system. Processes, fonts, filesystem, 3D graphics. How do we secure this?<br />
<br />
==== Sandboxed Browser ====<br />
=== Sandboxed Tabs/Domains/Browser ===<br />
Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.<br />
<br />
__NOTOC__ <br />
<headertabs /> <br />
<br />
Questions? Contact [mailto:john.wilander@owasp.org John Wilander, Session Chair]<br><br><br />
[[Summit_2011|'''Return Global Summit 2011 Home Page''']]<br><br />
[[:Category:Summit_2011_Tracks|'''Return to Global Summit 2011 Working Sessions''']]<br />
<br />
[[Category:Summit_2011]]<br />
[[Category: Summit 2011 Tracks]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf&diff=105740File:OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf2011-02-24T17:14:02Z<p>John.wilander: </p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf&diff=105739File:OWASPSummit2011HTML5SecurityBrowserSecurityTrack.pdf2011-02-24T17:13:14Z<p>John.wilander: </p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf&diff=105738File:OWASPSummit2011EcmaScript5SecurityBrowserSecurityTrack.pdf2011-02-24T17:12:41Z<p>John.wilander: </p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf&diff=105737File:OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf2011-02-24T17:12:18Z<p>John.wilander: </p>
<hr />
<div></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Category:Summit_2011_Browser_Security_Track&diff=103663Category:Summit 2011 Browser Security Track2011-02-06T17:48:23Z<p>John.wilander: Added David and Lucas as co-chairs for Site Content Security</p>
<hr />
<div>[[Image:T._browser_security.jpg]]<br><br><br />
[[Image:Google-groups-logo-1.jpg|link=https://groups.google.com/group/owasp-summit-browsersec]][https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track]<br><br />
==== About ====<br />
The Browser Security track of the OWASP Summit 2011 is a community effort to bring together browser vendors, major web app providers, and OWASP leaders to discuss what can be done to enhance web security through the browser. The track comprises '''a full day of workshops on chosen subtopics''' (see below). We have invited some of the world's top experts to maximize the chances of moving forward this important area or application security.<br />
<br />
Browser vendors attending so far: [http://www.google.com/chrome http://www.owasp.org/images/f/f6/Chrome_small.jpg] [http://www.mozilla.com/en-US/firefox/ http://www.owasp.org/images/4/47/Firefox_small.jpg] [http://ie.microsoft.com/testdrive/info/downloads/Default.html http://www.owasp.org/images/6/62/Internet_explorer_small.jpg]<br />
<br />
Major web app providers attending so far: [http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif] [http://www.facebook.com http://www.owasp.org/images/8/8f/Facebook_logo_small.jpg]<br />
<br />
[https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track] today and get involved in planning, working forms etc.<br />
<br />
Welcome!<br><br />
/John Wilander, Session Chair<br />
==== DOM Sandboxing ====<br />
===Virtualization and Sandboxing for Secure Multi-Domain Web Apps===<br />
<br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
Goals and issues that need browser vendor cooperation:<br />
* '''Attenuated versions of existing apis to sandboxed code'''. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.<br />
* '''Client side sandboxed apps maintaining state and authentication'''. For example if a user is created in a sandboxed app how is it determined what that user can do?<br />
* '''Create a standard for modifying a sandboxed environment'''<br />
* '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
* '''Adopt a simpler rights amplification api''' like [http://web-send.org/introducer Web Introducer]<br />
* '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
===Working Form===<br />
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
<br />
==== HTML5 ====<br />
===HTML5 Security===<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Handle autofocus in a unified and secure way'''. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.<br />
* '''Discuss necessity and capability for the HTML5 form controls'''. Do we need a non-SOP formaction attribute and why? <br />
* '''Goal I''': Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help<br />
* '''Goal II''': Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.<br />
* '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade<br />
<br />
==== EcmaScript 5====<br />
=== EcmaScript 5 Security ===<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''. Implement it if not yet done.<br />
* '''Goal I''': Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.<br />
* '''Goal II''': Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.<br />
* '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. <br />
<br />
<br />
==== Site Security Policy ====<br />
There are several initiatives for expressing and enforcing website security policies. [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced TLS. [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting resource domains and enforcing file-only JavaScript. [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for enforce framing restrictions. Harmonizing these features among browsers is a huge task. Getting developers to adopt and implement is even more challenging. This session will try to address all of these questions as well as the technical alternatives – headers, meta tags, nonces, signatures, html zones, css-like policies, violation events etc.<br />
<br />
* Should we have independent, coherent and simple policy mechanisms or a generalized, extensible policy mechanism?<br />
* Should developers have multiple choices for expressing policies such as headers ''and'' meta tags?<br />
* Should policies restrict domains, URLs, or elements? What are the consequences?<br />
* Should one or two browser vendors deploy a policy mechanism in the field, collect experience, and then we set a standard?<br />
* How do we help developers understand the need for policies and how do we help them write/generate/maintain policies?<br />
* How important is performance and web 1.0/web 2.0 compliance? How much of the web can we afford to break? 0 %?<br />
<br />
===Co-chair Jeff Hodges===<br />
Jeff Hodges is Distinguished Security Engineer at PayPal, Inc and one of the three original authors of the [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] spec. Check out [http://identitymeme.org/ IdentityMeme.org Jeff's blog].<br />
<br />
===Co-chair David Ross===<br />
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, David spent his formative years on the Internet Explorer Security Team and wears the battle scars with pride. Check out [http://blogs.msdn.com/dross David’s blog].<br />
<br />
===Co-chair Lucas Adamski===<br />
Lucas Adamski is the Director of Security Engineering at Mozilla Corporation. He specializes in penetration testing, incident response, spec and code reviews, fuzzing, training, security processes and software PLC. Check out [http://blog.mozilla.com/ladamski/ Lucas' blog].<br />
<br />
==== Enduser Warnings ====<br />
===Enduser Warnings===<br />
[[Image:Three_browsers_user_info.jpg]]<br />
<br />
===Subjects and Goals (draft)===<br />
Clearly there is a need for warnings that users understand and that conveys the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.<br />
<br />
* How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? What to do about 50 % of users clicking through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] i Firefox 4. "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.<br />
* How should browsers communicate other kinds of information such as privacy, malware warnings, "not visited before" etc? Forbes had an interesting example of [http://blogs.forbes.com/kashmirhill/2011/01/05/visualizing-better-privacy-policies/?boxes=Homepagechannels how to visualize privacy].<br />
<br />
Some additional information, thoughts and discussions on these subjects elsewhere:<br />
<br />
* [http://www.freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent], Freedom to Tinker, 18 Jan 2011<br />
* [http://intrepidusgroup.com/insight/2010/04/security-dialogs-and-graphics/ Security Dialogs and Graphics], Insight, 27 Apr 2010<br />
* [http://www.w3.org/TR/wsc-ui/ Web Security Context: User Interface Guidelines], W3C, 12 Aug 2010<br />
* [http://www.clerkendweller.com/2009/7/28/Colour-Overload-with-IE8-Tab-Grouping Colour Overload with IE8 Tab Grouping], Clerkendweller, 28 Jul 2009<br />
* [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies], IEEE Symposium on Security and Privacy, May 2007<br />
<br />
<br />
==== Securing Plugins ====<br />
===Securing Plugins===<br />
Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?<br />
<br />
<br />
==== Blacklisting ====<br />
===Blacklisting===<br />
Can we cooperate better on blacklisting? Does it work between cultures, i e can we have the same process for reporting throughout the world?<br />
<br />
<br />
==== OS Integration ====<br />
===OS Integration===<br />
More and more features in browsers get integrated with the underlying operating system. Processes, fonts, filesystem, 3D graphics. How do we secure this?<br />
<br />
==== Sandboxed Browser ====<br />
=== Sandboxed Tabs/Domains/Browser ===<br />
Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.<br />
<br />
__NOTOC__ <br />
<headertabs /> <br />
<br />
Questions? Contact [mailto:john.wilander@owasp.org John Wilander, Session Chair]<br><br><br />
[[Summit_2011|'''Return Global Summit 2011 Home Page''']]<br><br />
[[:Category:Summit_2011_Tracks|'''Return to Global Summit 2011 Working Sessions''']]<br />
<br />
[[Category:Summit_2011]]<br />
[[Category: Summit 2011 Tracks]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=User:John.wilander&diff=103267User:John.wilander2011-02-03T17:25:14Z<p>John.wilander: Added Twitter link</p>
<hr />
<div>[[Image:John_Wilander_090626-346_(for_web).jpg|John Wilander]]<br />
<br />
John Wilander is an application security researcher and consultant. He is a partner and evangelist at Omegapoint, a consultancy firm based in Sweden. John typically works as a security focused software developer. Java and JavaScript are his languages of choice.<br />
<br />
After his Master's degree in Computer Science and Engineering from Linköping University (Sweden) and Nanyang Technological University (Singapore) he pursued a PhD in application security. Last paper still pending but John's research publications can be found [http://www.ida.liu.se/~johwi/research_publications/ here].<br />
<br />
John started the Swedish OWASP Chapter in 2007 and has since been leader and co-leader. In 2010 he chaired the most successful OWASP AppSec EU conference so far – [http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010]. John along with the Swedish chapter are listed as contributors to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10 2010].<br />
<br />
For more detailed information, please see my public LinkedIn [http://www.linkedin.com/in/johnwilander page].<br />
<br />
* To see my wiki contributions, [[:Special:Contributions/John.wilander|click here]]<br />
* [mailto:john.wilander@owasp.org Email address]<br />
* [https://twitter.com/johnwilander Twitter]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=User:John.wilander&diff=103265User:John.wilander2011-02-03T17:23:34Z<p>John.wilander: Added portrait</p>
<hr />
<div>[[Image:John_Wilander_090626-346_(for_web).jpg|John Wilander]]<br />
<br />
John Wilander is an application security researcher and consultant. He is a partner and evangelist at Omegapoint, a consultancy firm based in Sweden. John typically works as a security focused software developer. Java and JavaScript are his languages of choice.<br />
<br />
After his Master's degree in Computer Science and Engineering from Linköping University (Sweden) and Nanyang Technological University (Singapore) he pursued a PhD in application security. Last paper still pending but John's research publications can be found [http://www.ida.liu.se/~johwi/research_publications/ here].<br />
<br />
John started the Swedish OWASP Chapter in 2007 and has since been leader and co-leader. In 2010 he chaired the most successful OWASP AppSec EU conference so far – [http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010]. John along with the Swedish chapter are listed as contributors to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10 2010].<br />
<br />
For more detailed information, please see my public LinkedIn [http://www.linkedin.com/in/johnwilander page].<br />
<br />
* To see my wiki contributions, [[:Special:Contributions/John.wilander|click here]].<br />
* [mailto:john.wilander@owasp.org Email address].</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:John_Wilander_090626-346_(for_web).jpg&diff=103264File:John Wilander 090626-346 (for web).jpg2011-02-03T17:22:54Z<p>John.wilander: uploaded a new version of "File:John Wilander 090626-346 (for web).jpg"</p>
<hr />
<div>Profile picture for John Wilander</div>John.wilanderhttps://wiki.owasp.org/index.php?title=File:John_Wilander_090626-346_(for_web).jpg&diff=103261File:John Wilander 090626-346 (for web).jpg2011-02-03T17:18:37Z<p>John.wilander: Profile picture for John Wilander</p>
<hr />
<div>Profile picture for John Wilander</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=102910Sweden2011-02-01T14:38:31Z<p>John.wilander: Added OWASP AppSec Research 2010 for archive purposes</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<paypal>Sweden</paypal><br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP AppSec Research 2010 in Stockholm, June 21-24 2010'''<br />
June 21-24, 2010 appsec people will meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark together with Stockholm University host the [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP AppSec Research 2010].<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=102909Sweden2011-02-01T14:35:25Z<p>John.wilander: Added Mario event March 7</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<paypal>Sweden</paypal><br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, March 7 2011, "Security impact of SVG" + ""ECMA Script 5, a frozen DOM and the eradication of XSS'''<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis.<br />
<br />
We're very happy to invite Mario to OWASP Sweden in March. His two talks will be given in English at Royal Institute of Technology (KTH).<br />
<br />
Get your ticket now at [http://marioheiderich.eventbrite.com/ Eventbrite].<br />
<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Sweden&diff=102908Sweden2011-02-01T14:29:03Z<p>John.wilander: Added HTTP Sec event Jan 31 (archive purpose, invite via email and Eventbrite)</p>
<hr />
<div>{{Chapter Template|chaptername=Sweden|extra=The chapter co-leaders are [mailto:John.Wilander@owasp.org John Wilander], [mailto:Mattias.Bergling@owasp.org Mattias Bergling], and [mailto:Robert.Malmgren@owasp.org Robert Malmgren]<br />
<br />
<paypal>Sweden</paypal><br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sweden|emailarchives=http://lists.owasp.org/pipermail/owasp-sweden}}<br />
<br />
== The OWASP Sweden blog ==<br />
<br />
For lengthy news and event reports please visit the [http://owaspsweden.blogspot.com/ OWASP Sweden blog] (in Swedish).<br />
<br />
== Local News ==<br />
<br />
'''OWASP Sweden Meeting, Jan 31 2011, "HTTP-säkerhet"'''<br />
Daniel Stenberg, Martin Holst Swende, and John Wilander will give talks for OWASP Sweden on Jan 31, 5:30 pm - 21 pm. The topics are Websockets, the new Cookie RFC, Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options. We will be in lecture hall "New York", World Trade Center, Stockholm ([http://www.hitta.se/SearchMixed.aspx?vad=world%20trade%20center&var=stockholm map]).<br />
<br />
[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers.<br />
<br />
<br />
'''OWASP Sweden reaches 500 members ... and gets three leaders'''<br />
OWASP Sweden now has a stunning 500 members on the mailing list. From now the chapter will be lead by three co-leaders: John Wilander, Mattias Bergling, and Robert Malmgren.<br />
<br />
<br />
'''OWASP Sweden invites Samy Kamkar, October 4, 2010'''<br />
Samy Kamkar, famous for the [http://en.wikipedia.org/wiki/Samy_(XSS) Samy XSS attack on MySpace] in 2005 will be giving a talk for OWASP Sweden on October 4, 5:30 pm - 22 pm. We will be in Ljusgården, Årstaängsvägen 19, Marievik/Liljeholmen, Stockholm ([http://www.hitta.se/LargeMap.aspx?var=%c5rsta%e4ngsv%e4gen+19%2c+Liljeholmen%2fMarievik%2c+Stockholm map]).<br />
<br />
Nexus Safe and Data@UrService are sponsors and there will be lighter food and beers.<br />
<br />
[[Media:OWASP_Sweden_Samy_Kamkar_oktober_2010.pdf]]<br />
<br />
Go to [http://samykamkar.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden + FOSS Sthlm "Community Hack" September 4-5 2010'''<br />
The first weekend of September OWASP Sweden together with FOSS Sthlm invite our members to Community Hack II in Stockholm. A full weekend of hacking on open projects, testing new security hacks, trying out tools (for instance the favorite OWASP tool you've always wanted to learn), or writing new, open guidelines.<br />
<br />
Go to [http://communityhack2.eventbrite.com/ EventBrite] and register for free now!<br />
<br />
<br />
'''OWASP-Sweden Meeting January 21st 2010 -- The Big Protocols'''<br />
Stiftelsen för Internetinfrastruktur (.SE) and Swedish Network Users' Society (SNUS) invite us to three seminars on the big protocols: BGP, DNSSEC, and SSL/TLS.<br />
<br />
Program and invitation (in Swedish): [[File:OWASP_Sweden_-_De_stora_protokollen_2010-01-21.pdf]]<br />
<br />
<br />
'''OWASP-Sweden Meeting December 2nd 2009 -- OWASP Top 10 2010 (rc1)'''<br />
Omegapoint invites us to discuss the release candidate of OWASP Top 10 2010 that was presented at OWASP AppSec DC November 13th. The invitation in Swedish is found [[File:OWASP_Sweden_Top_10_december_2009.pdf | here]]. <br />
'''Don't forget to send an email to John Wilander (john.wilander@owasp.org) no later than November 23rd to say you're coming.''' Seats usually fill up fast.<br />
<br />
<br />
'''OWASP AppSec Research 2010, June 21-24 in Stockholm, Sweden'''<br />
OWASP Sweden, Norway, and Denmark invite you to OWASP AppSec Research 2010, June 21-24 in Stockholm. Read more on the [https://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm%2C_Sweden conference wiki page].<br />
<br />
<br />
'''OWASP-Sweden Meeting April 28th 2009 -- Code Analysis and Review'''<br />
<br />
The second chapter meeting of 2009 will be held on Tuesday April 28th at Clarion Hotel Stockholm. The focus is code analysis and code review. Fortify sponsors the event and welcome the chapter members to refreshments, starting at 17.30.<br />
<br />
The program:<br />
<br />
* Fredrik Möller (Fortify) will biefly present Fortify and their support of OWASP<br />
* David Anumudu (Fortify) will present and do a live demo of Fortify Solution<br />
* James Dickson (Simovits Consulting) will give a talk on code review<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than April 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting March 26th 2009 -- XSS & CSRF'''<br />
<br />
The first meeting of 2009 will be held Thursday March 26th at LabCenter, Oxtorgsgränd 2, Stockholm. The focus is cross-site scripting and cross-site request forgery, attacks and countermeasures. Inspect it and LabCenter sponsor the event and welcome the chapter members to refreshments, starting at 17.00.<br />
<br />
The program:<br />
<br />
* Hasain Alshakarti, TrueSec: "XSS & CSRF -- A Deadly Cocktail"<br />
* Sergio Molero, Concrete IT: "Skydd mot XSS och CSRF"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than March 23rd to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting November 19th 2008 -- PCI DSS'''<br />
<br />
The next chapter meeting is Wednesday November 19th. The focus of the seminars is on PCI-DSS, i.e. security in payment card handling on the Internet. <br />
The program:<br />
* Mats Henriksson, Pan Nordic Card Assoc: "PCI DSS - Tre goda anledningar"<br />
* Pål Göran Stensson, Defensor Sverige AB: "PCI DSS - Externa krav och konsulten"<br />
* Bengt Berg, Cybercom Sweden East AB: "Olika angreppssätt på PCI DSS"<br />
<br />
'''The meeting is fully booked. But do send an email to John Wilander (john.wilander@omegapoint.se) to say you're interested and we'll let you know if seats become available.'''<br />
<br />
<br />
'''OWASP Sweden Hosts the OWASP AppSec Europe Conference 2010'''<br />
<br />
We're hosting the European OWASP AppSec conference in 2010! Please read the [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2010_-_Sweden announcement].<br />
<br />
<br />
'''OWASP-Sweden Meeting October 6th 2008 -- Security in the Open Source Process'''<br />
<br />
The next chapter meeting is Monday October 6th at Clarion Hotel Stockholm (Skanstull). The focus of the seminars will be on "Security in the Open Source Process". Refreshments will be served from 16:30 and the seminars will commence at 17:30. Except for a closing panel discussion the program contains the following:<br />
<br />
* Simon Josefsson, SJD: ”Anekdoter och lärdomar från granskning av säkerhetsprogram”<br />
* Daniel Stenberg, daniel.haxx.se: ”Säker kod och utveckling i cURL-projektet”<br />
* Anders Karlsson, MySQL och Sun Microsystems: ”MySQL: Säkerhet i ett kommersiellt open source-projekt”<br />
<br />
'''Don't forget to send an email to Robert Malmgren (anmalan@romab.com) no later than September 29th to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''OWASP-Sweden Meeting May 27th 2008 - SQL Injection, Web Scarab'''<br />
<br />
OWASP-Sweden welcomes its members to the next chapter meeting - Tuesday May 27th at Clarion Hotel Stockholm. Refreshments will be served from 17:00, demos will be shown from 17:30, and the seminars will commence at 18:00. The main attractions are:<br />
<br />
* Patrik Karlson, Inspect it: "SQL injection, identifiering och utnyttjande"<br />
* Johannes Gumbel, TrueSec: "WebScarab—funktioner, fördelar och nackdelar"<br />
<br />
'''Don't forget to send an email to Mattias Bergling (mattias.bergling@inspectit.se) no later than May 21st to say you're coming.''' We need to know how many will turn up.<br />
<br />
<br />
'''Kick-Off Meeting for OWASP-Sweden April 1st 2008'''<br />
<br />
The OWASP-Sweden kick-off will be held at WTC in Stockholm on April 1st. Yeah, it's April Fool's Day but we go under the tagline "Application Security is Not a Joke". The presentation program includes:<br />
<br />
* Andrei Sabelfeld, well-known security researcher from Chalmers<br />
* Michael Anderberg, Chief Security Advisor at Microsoft Sweden<br />
* Per Mellstrand, software analyst at Sony Ericsson and researcher at Blekinge Institute of Technology<br />
<br />
'''Don't forget to send an email to John Wilander (john.wilander@omegapoint.se) no later than March 27 to say you're coming.''' We need to know how many will turn up.<br />
<br />
We're kicking off!<br />
<br />
<br />
'''OWASP-Sweden in Computer Sweden - 08:44, 19 Dec 2007 (EDT)'''<br />
<br />
Today the Swedish national IT newspaper 'Computer Sweden' published an article on the new OWASP-Sweden chapter - [http://computersweden.idg.se/2.2683/1.137387 ''Mecka för säker programmering till Sverige''], or ''A Mecka for Secure Programming Reaches Sweden'' in English. While OWASP is more than a programmer's guide, Mattias Bergling and I are very happy to get the news out to a large part of Sweden's IT industry.<br />
<br />
'''To become a member of Owasp-Sweden just join the [http://lists.owasp.org/mailman/listinfo/owasp-sweden mailing list].'''<br />
<br />
<br />
'''OWASP-Sweden opens! - 22:25, 01 Oct 2007 (EDT)'''<br />
<br />
Finally, Sweden has joined the OWASP movement and John Wilander, the local chapter leader, welcomes members to the Stockholm-based OWASP-Sweden. Please, join our mailing list. Plans for meetings and seminars will be made.<br />
<br />
Are you interested in helping out? Do you have ideas for great invited speakers or workshop meetings? Feel free to contact the chapter.</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Category:Summit_2011_Browser_Security_Track&diff=102305Category:Summit 2011 Browser Security Track2011-01-27T14:45:13Z<p>John.wilander: </p>
<hr />
<div>[[Image:T._browser_security.jpg]]<br><br><br />
[[Image:Google-groups-logo-1.jpg|link=https://groups.google.com/group/owasp-summit-browsersec]][https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track]<br><br />
==== About ====<br />
The Browser Security track of the OWASP Summit 2011 is a community effort to bring together browser vendors, major web app providers, and OWASP leaders to discuss what can be done to enhance web security through the browser. The track comprises '''a full day of workshops on chosen subtopics''' (see below). We have invited some of the world's top experts to maximize the chances of moving forward this important area or application security.<br />
<br />
Browser vendors attending so far: [http://www.google.com/chrome http://www.owasp.org/images/f/f6/Chrome_small.jpg] [http://www.mozilla.com/en-US/firefox/ http://www.owasp.org/images/4/47/Firefox_small.jpg] [http://ie.microsoft.com/testdrive/info/downloads/Default.html http://www.owasp.org/images/6/62/Internet_explorer_small.jpg]<br />
<br />
Major web app providers attending so far: [http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif] [http://www.facebook.com http://www.owasp.org/images/8/8f/Facebook_logo_small.jpg]<br />
<br />
[https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track] today and get involved in planning, working forms etc.<br />
<br />
Welcome!<br><br />
/John Wilander, Session Chair<br />
==== DOM Sandboxing ====<br />
===Virtualization and Sandboxing for Secure Multi-Domain Web Apps===<br />
<br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
Goals and issues that need browser vendor cooperation:<br />
* '''Attenuated versions of existing apis to sandboxed code'''. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.<br />
* '''Client side sandboxed apps maintaining state and authentication'''. For example if a user is created in a sandboxed app how is it determined what that user can do?<br />
* '''Create a standard for modifying a sandboxed environment'''<br />
* '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
* '''Adopt a simpler rights amplification api''' like [http://web-send.org/introducer Web Introducer]<br />
* '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
===Working Form===<br />
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
<br />
==== HTML5 ====<br />
===HTML5 Security===<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Handle autofocus in a unified and secure way'''. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.<br />
* '''Discuss necessity and capability for the HTML5 form controls'''. Do we need a non-SOP formaction attribute and why? <br />
* '''Goal I''': Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help<br />
* '''Goal II''': Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.<br />
* '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade<br />
<br />
==== EcmaScript 5====<br />
=== EcmaScript 5 Security ===<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''. Implement it if not yet done.<br />
* '''Goal I''': Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.<br />
* '''Goal II''': Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.<br />
* '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. <br />
<br />
<br />
==== Site Security Policy ====<br />
There are several initiatives for expressing and enforcing website security policies. [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced TLS. [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting resource domains and enforcing file-only JavaScript. [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for enforce framing restrictions. Harmonizing these features among browsers is a huge task. Getting developers to adopt and implement is even more challenging. This session will try to address all of these questions as well as the technical alternatives – headers, meta tags, nonces, signatures, html zones, css-like policies, violation events etc.<br />
<br />
* Should we have independent, coherent and simple policy mechanisms or a generalized, extensible policy mechanism?<br />
* Should developers have multiple choices for expressing policies such as headers ''and'' meta tags?<br />
* Should policies restrict domains, URLs, or elements? What are the consequences?<br />
* Should one or two browser vendors deploy a policy mechanism in the field, collect experience, and then we set a standard?<br />
* How do we help developers understand the need for policies and how do we help them write/generate/maintain policies?<br />
* How important is performance and web 1.0/web 2.0 compliance? How much of the web can we afford to break? 0 %?<br />
<br />
===Co-chair Jeff Hodges===<br />
Jeff Hodges is Distinguished Security Engineer at PayPal, Inc and one of the three original authors of the [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] spec. Check out his blog [http://identitymeme.org/ IdentityMeme.org].<br />
<br />
===Co-chair Michael Coates===<br />
[http://www.owasp.org/index.php/User:MichaelCoates Michael Coates] is a long-time OWASP contributor and leader, as well as a Mozilla employee. He leads the [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project AppSensor] and the [http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet TLS Cheat Sheet] project.<br />
<br />
<br />
==== Enduser Warnings ====<br />
===Enduser Warnings===<br />
[[Image:Three_browsers_user_info.jpg]]<br />
<br />
===Subjects and Goals (draft)===<br />
Clearly there is a need for warnings that users understand and that conveys the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.<br />
<br />
* How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? What to do about 50 % of users clicking through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] i Firefox 4. "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.<br />
* How should browsers communicate other kinds of information such as privacy, malware warnings, "not visited before" etc? Forbes had an interesting example of [http://blogs.forbes.com/kashmirhill/2011/01/05/visualizing-better-privacy-policies/?boxes=Homepagechannels how to visualize privacy].<br />
<br />
Some additional information, thoughts and discussions on these subjects elsewhere:<br />
<br />
* [http://www.freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent], Freedom to Tinker, 18 Jan 2011<br />
* [http://intrepidusgroup.com/insight/2010/04/security-dialogs-and-graphics/ Security Dialogs and Graphics], Insight, 27 Apr 2010<br />
* [http://www.w3.org/TR/wsc-ui/ Web Security Context: User Interface Guidelines], W3C, 12 Aug 2010<br />
* [http://www.clerkendweller.com/2009/7/28/Colour-Overload-with-IE8-Tab-Grouping Colour Overload with IE8 Tab Grouping], Clerkendweller, 28 Jul 2009<br />
* [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies], IEEE Symposium on Security and Privacy, May 2007<br />
<br />
<br />
==== Securing Plugins ====<br />
===Securing Plugins===<br />
Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?<br />
<br />
<br />
==== Blacklisting ====<br />
===Blacklisting===<br />
Can we cooperate better on blacklisting? Does it work between cultures, i e can we have the same process for reporting throughout the world?<br />
<br />
<br />
==== OS Integration ====<br />
===OS Integration===<br />
More and more features in browsers get integrated with the underlying operating system. Processes, fonts, filesystem, 3D graphics. How do we secure this?<br />
<br />
==== Sandboxed Browser ====<br />
=== Sandboxed Tabs/Domains/Browser ===<br />
Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.<br />
<br />
__NOTOC__ <br />
<headertabs /> <br />
<br />
Questions? Contact [mailto:john.wilander@owasp.org John Wilander, Session Chair]<br><br><br />
[[Summit_2011|'''Return Global Summit 2011 Home Page''']]<br><br />
[[:Category:Summit_2011_Tracks|'''Return to Global Summit 2011 Working Sessions''']]<br />
<br />
[[Category:Summit_2011]]<br />
[[Category: Summit 2011 Tracks]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Category:Summit_2011_Browser_Security_Track&diff=102304Category:Summit 2011 Browser Security Track2011-01-27T14:44:15Z<p>John.wilander: Rework of "New HTTP Headers" -> "Site Security Policy". New agenda, new chair. Switched ordering of "Site Security Policy" and "Enduser Warnings".</p>
<hr />
<div>[[Image:T._browser_security.jpg]]<br><br><br />
[[Image:Google-groups-logo-1.jpg|link=https://groups.google.com/group/owasp-summit-browsersec]][https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track]<br><br />
==== About ====<br />
The Browser Security track of the OWASP Summit 2011 is a community effort to bring together browser vendors, major web app providers, and OWASP leaders to discuss what can be done to enhance web security through the browser. The track comprises '''a full day of workshops on chosen subtopics''' (see below). We have invited some of the world's top experts to maximize the chances of moving forward this important area or application security.<br />
<br />
Browser vendors attending so far: [http://www.google.com/chrome http://www.owasp.org/images/f/f6/Chrome_small.jpg] [http://www.mozilla.com/en-US/firefox/ http://www.owasp.org/images/4/47/Firefox_small.jpg] [http://ie.microsoft.com/testdrive/info/downloads/Default.html http://www.owasp.org/images/6/62/Internet_explorer_small.jpg]<br />
<br />
Major web app providers attending so far: [http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif] [http://www.facebook.com http://www.owasp.org/images/8/8f/Facebook_logo_small.jpg]<br />
<br />
[https://groups.google.com/group/owasp-summit-browsersec Join the Google Group for this track] today and get involved in planning, working forms etc.<br />
<br />
Welcome!<br><br />
/John Wilander, Session Chair<br />
==== DOM Sandboxing ====<br />
===Virtualization and Sandboxing for Secure Multi-Domain Web Apps===<br />
<br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
Goals and issues that need browser vendor cooperation:<br />
* '''Attenuated versions of existing apis to sandboxed code'''. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.<br />
* '''Client side sandboxed apps maintaining state and authentication'''. For example if a user is created in a sandboxed app how is it determined what that user can do?<br />
* '''Create a standard for modifying a sandboxed environment'''<br />
* '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
* '''Adopt a simpler rights amplification api''' like [http://web-send.org/introducer Web Introducer]<br />
* '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
===Working Form===<br />
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
<br />
==== HTML5 ====<br />
===HTML5 Security===<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Handle autofocus in a unified and secure way'''. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.<br />
* '''Discuss necessity and capability for the HTML5 form controls'''. Do we need a non-SOP formaction attribute and why? <br />
* '''Goal I''': Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help<br />
* '''Goal II''': Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.<br />
* '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade<br />
<br />
==== EcmaScript 5====<br />
=== EcmaScript 5 Security ===<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
===Subjects and Goals (draft)===<br />
* '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''. Implement it if not yet done.<br />
* '''Goal I''': Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.<br />
* '''Goal II''': Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.<br />
* '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. <br />
<br />
<br />
==== Site Security Policy ====<br />
There are several initiatives for expressing and enforcing website security policies. [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced TLS. [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting resource domains and enforcing file-only JavaScript. [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for enforce framing restrictions. Harmonizing these features among browsers is a huge task. Getting developers to adopt and implement is even more challenging. This session will try to address all of these questions as well as the technical alternatives – headers, meta tags, nonces, signatures, html zones, css-like policies, violation events etc.<br />
<br />
* Should we have independent, coherent and simple policy mechanisms or a generalized, extensible policy mechanism for scripting?<br />
* Should developers have multiple choices for expressing policies such as headers ''and'' meta tags?<br />
* Should policies restrict domains, URLs, or elements? What are the consequences?<br />
* Should one or two browser vendors deploy a policy mechanism in the field, collect experience, and then we set a standard?<br />
* How do we help developers understand the need for policies and how do we help them write/generate/maintain policies?<br />
* How important is performance and web 1.0/web 2.0 compliance? How much of the web can we afford to break? 0 %?<br />
<br />
===Co-chair Jeff Hodges===<br />
Jeff Hodges is Distinguished Security Engineer at PayPal, Inc and one of the three original authors of the [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] spec. Check out his blog [http://identitymeme.org/ IdentityMeme.org].<br />
<br />
===Co-chair Michael Coates===<br />
[http://www.owasp.org/index.php/User:MichaelCoates Michael Coates] is a long-time OWASP contributor and leader, as well as a Mozilla employee. He leads the [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project AppSensor] and the [http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet TLS Cheat Sheet] project.<br />
<br />
<br />
==== Enduser Warnings ====<br />
===Enduser Warnings===<br />
[[Image:Three_browsers_user_info.jpg]]<br />
<br />
===Subjects and Goals (draft)===<br />
Clearly there is a need for warnings that users understand and that conveys the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.<br />
<br />
* How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? What to do about 50 % of users clicking through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] i Firefox 4. "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.<br />
* How should browsers communicate other kinds of information such as privacy, malware warnings, "not visited before" etc? Forbes had an interesting example of [http://blogs.forbes.com/kashmirhill/2011/01/05/visualizing-better-privacy-policies/?boxes=Homepagechannels how to visualize privacy].<br />
<br />
Some additional information, thoughts and discussions on these subjects elsewhere:<br />
<br />
* [http://www.freedom-to-tinker.com/blog/sjs/web-browser-security-user-interfaces-hard-get-right-and-increasingly-inconsistent Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent], Freedom to Tinker, 18 Jan 2011<br />
* [http://intrepidusgroup.com/insight/2010/04/security-dialogs-and-graphics/ Security Dialogs and Graphics], Insight, 27 Apr 2010<br />
* [http://www.w3.org/TR/wsc-ui/ Web Security Context: User Interface Guidelines], W3C, 12 Aug 2010<br />
* [http://www.clerkendweller.com/2009/7/28/Colour-Overload-with-IE8-Tab-Grouping Colour Overload with IE8 Tab Grouping], Clerkendweller, 28 Jul 2009<br />
* [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies], IEEE Symposium on Security and Privacy, May 2007<br />
<br />
<br />
==== Securing Plugins ====<br />
===Securing Plugins===<br />
Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?<br />
<br />
<br />
==== Blacklisting ====<br />
===Blacklisting===<br />
Can we cooperate better on blacklisting? Does it work between cultures, i e can we have the same process for reporting throughout the world?<br />
<br />
<br />
==== OS Integration ====<br />
===OS Integration===<br />
More and more features in browsers get integrated with the underlying operating system. Processes, fonts, filesystem, 3D graphics. How do we secure this?<br />
<br />
==== Sandboxed Browser ====<br />
=== Sandboxed Tabs/Domains/Browser ===<br />
Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.<br />
<br />
__NOTOC__ <br />
<headertabs /> <br />
<br />
Questions? Contact [mailto:john.wilander@owasp.org John Wilander, Session Chair]<br><br><br />
[[Summit_2011|'''Return Global Summit 2011 Home Page''']]<br><br />
[[:Category:Summit_2011_Tracks|'''Return to Global Summit 2011 Working Sessions''']]<br />
<br />
[[Category:Summit_2011]]<br />
[[Category: Summit 2011 Tracks]]</div>John.wilanderhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session003&diff=102299Summit 2011 Working Sessions/Session0032011-01-27T13:24:49Z<p>John.wilander: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = John Wilander<br />
| summit_session_attendee_email1 = john.wilander@owasp.org<br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Michael Coates<br />
| summit_session_attendee_email2 = Michael.Coates@owasp.org<br />
| summit_session_attendee_company2=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Colin Watson<br />
| summit_session_attendee_email3 = colin.watson@owasp.org<br />
| summit_session_attendee_company3=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Stefano Di Paola<br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_company4=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = Isaac Dawson<br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_company5= Veracode<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_company6=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._browser_security.jpg]]<br />
| summit_ws_logo = [[Image:WS._browser_security.jpg]]<br />
| summit_session_name = EcmaScript 5 Security<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session003<br />
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br />
|-<br />
<br />
| short_working_session_description= <br />
|-<br />
<br />
| related_project_name1 = Browser Security Track - main page<br />
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br />
<br />
| related_project_name2 = Google Group for the Browser Security Track<br />
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''.<noinclude> Implement it if not yet done.</noinclude><br />
<br />
| summit_session_objective_name2 = <noinclude>'''Goal I''': </noinclude>Raise awareness for the power or object freezing in a security context. <noinclude>ES5 can really make a change here.</noinclude><br />
<br />
| summit_session_objective_name3 = <noinclude>'''Goal II''':</noinclude> Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. <noinclude> CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.</noinclude><br />
<br />
| summit_session_objective_name4 = '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. <noinclude>Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. </noinclude><br />
<br />
| summit_session_objective_name5 = <br />
|-<br />
<br />
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA<br />
<br />
|-<br />
<br />
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br><br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair 2===<br />
To be confirmed.<br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = Browser Security Report<br />
<br />
|summit_session_deliverable_name2 = Browser Security Priority List<br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Mario Heiderich<br />
| summit_session_leader_email1 = <br />
| summit_session_leader_username1 =<br />
<br />
| summit_session_leader_name2 = TBC<br />
| summit_session_leader_email2 = <br />
| summit_session_leader_username2 =<br />
<br />
| summit_session_leader_name3 =<br />
| summit_session_leader_email3 = <br />
| summit_session_leader_username3 =<br />
<br />
|-<br />
<br />
| operational_leader_name1 = John Wilander<br />
| operational_leader_email1 = john.wilander@owasp.org<br />
<br />
|-<br />
| meeting_notes = <br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session003<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session003<br />
}}<br />
</includeonly></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session002&diff=102295Summit 2011 Working Sessions/Session0022011-01-27T12:47:58Z<p>John.wilander: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = John Wilander<br />
| summit_session_attendee_email1 = john.wilander@owasp.org<br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Michael Coates<br />
| summit_session_attendee_email2 = Michael.Coates@owasp.org<br />
| summit_session_attendee_company2=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Colin Watson<br />
| summit_session_attendee_email3 = colin.watson@owasp.org<br />
| summit_session_attendee_company3=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Stefano Di Paola<br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_company4=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = Isaac Dawson<br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_company5= Veracode<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_company6=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._browser_security.jpg]]<br />
| summit_ws_logo = [[Image:WS._browser_security.jpg]]<br />
| summit_session_name = HTML5 Security<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002<br />
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br />
|-<br />
<br />
| short_working_session_description= <br />
|-<br />
<br />
| related_project_name1 = Browser Security Track - main page<br />
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br />
<br />
| related_project_name2 = Google Group for the Browser Security Track<br />
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= '''Handle autofocus in a unified and secure way'''.<noinclude> Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.</noinclude><br />
<br />
| summit_session_objective_name2 = '''Discuss necessity and capability for the HTML5 form controls'''.<noinclude> Do we need a non-SOP formaction attribute and why? </noinclude><br />
<br />
| summit_session_objective_name3 = <noinclude>'''Goal I''':</noinclude> Initiate and create documentation and references for developers that address security issues. <noinclude>Html5sec.org is a start but impossible to continue or extend large scale without vendor help</noinclude><br />
<br />
| summit_session_objective_name4 = <noinclude>'''Goal II''':</noinclude>Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. <noinclude>Mainly Opera and Mozilla are addressed here.</noinclude><br />
<br />
| summit_session_objective_name5 = '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. <noinclude>Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade.</noinclude><br />
|-<br />
<br />
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA<br />
<br />
|-<br />
<br />
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br><br />
<br />
[[Image:Html5_mario_hackvertor.jpg]]<br />
<br />
===Co-chair Mario Heiderich===<br />
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = Browser Security Report<br />
|summit_session_deliverable_url_1 = <br />
<br />
|summit_session_deliverable_name2 = Browser Security Priority Report<br />
|summit_session_deliverable_url_2 = <br />
<br />
|summit_session_deliverable_name3 = <br />
|summit_session_deliverable_url_3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
|summit_session_deliverable_url_4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
|summit_session_deliverable_url_5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
|summit_session_deliverable_url_6 =<br />
<br />
|summit_session_deliverable_name7 = <br />
|summit_session_deliverable_url_7 =<br />
<br />
|summit_session_deliverable_name8 = <br />
|summit_session_deliverable_url_8 =<br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Mario Heiderich<br />
| summit_session_leader_email1 = <br />
| summit_session_leader_username1 =<br />
<br />
| summit_session_leader_name2 = Gareth Heyes<br />
| summit_session_leader_email2 = gazheyes@gmail.com<br />
| summit_session_leader_username2 = Gareth Heyes<br />
<br />
| summit_session_leader_name3 =<br />
| summit_session_leader_email3 = <br />
| summit_session_leader_username3 =<br />
<br />
|-<br />
<br />
| operational_leader_name1 = John Wilander<br />
| operational_leader_email1 = john.wilander@owasp.org<br />
<br />
|-<br />
| meeting_notes = <br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session002<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session002<br />
}}<br />
</includeonly></div>John.wilanderhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session001&diff=102294Summit 2011 Working Sessions/Session0012011-01-27T12:46:43Z<p>John.wilander: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = Email John Wilander if you are unable to edit the Wiki and would like to sign up!<br />
| summit_session_attendee_email1 = john.wilander@owasp.org<br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Michael Coates<br />
| summit_session_attendee_email2 = <br />
| summit_session_attendee_company2=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Colin Watson<br />
| summit_session_attendee_email3 = <br />
| summit_session_attendee_company3=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Stefano Di Paola<br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_company4=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = Isaac Dawson<br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_company5= Veracode<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_company6=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._browser_security.jpg]]<br />
| summit_ws_logo = [[Image:WS._browser_security.jpg]]<br />
| summit_session_name = DOM Sandboxing<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session001<br />
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br />
|-<br />
<br />
| short_working_session_description= '''Virtualization and Sandboxing for Secure Multi-Domain Web Apps'''<br />
|-<br />
<br />
| related_project_name1 = Browser Security Track - main page<br />
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br />
<br />
| related_project_name2 = Google Group for the Browser Security Track<br />
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= '''Attenuated versions of existing apis to sandboxed code'''. <noinclude>How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.</noinclude><br />
<br />
| summit_session_objective_name2 = '''Client side sandboxed apps maintaining state and authentication'''.<noinclude> For example if a user is created in a sandboxed app how is it determined what that user can do?</noinclude><br />
<br />
| summit_session_objective_name3 = '''Create a standard for modifying a sandboxed environment'''<br />
<br />
| summit_session_objective_name4 = '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br />
<br />
| summit_session_objective_name5 = '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br />
<br />
|-<br />
<br />
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA<br />
<br />
|-<br />
<br />
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br><br />
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br />
<br />
===Co-chair Dr Jasvir Nagra===<br />
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br />
<br />
===Co-chair Gareth Heyes===<br />
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = Browser Security Report<br />
<br />
|summit_session_deliverable_name2 = Browser Security Priority List<br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Dr. Jasvir Nagra<br />
| summit_session_leader_email1 = <br />
| summit_session_leader_username1 =<br />
<br />
| summit_session_leader_name2 = Gareth Heyes<br />
| summit_session_leader_email2 = gazheyes@gmail.com<br />
| summit_session_leader_username2 = Gareth Heyes<br />
<br />
| summit_session_leader_name3 =<br />
| summit_session_leader_email3 = <br />
| summit_session_leader_username3 =<br />
<br />
|-<br />
<br />
| operational_leader_name1 = John Wilander<br />
| operational_leader_email1 = john.wilander@owasp.org<br />
<br />
|-<br />
| meeting_notes = <br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session001<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session001 <br />
}}<br />
</includeonly></div>John.wilander