https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Justin42OWASP - User contributions [en]2026-05-02T18:45:49ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=London&diff=205825London2016-01-05T11:59:23Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter board is Sam Stepanyan (sam.stepanyan at owasp.org) and Sherif Mansour Farag. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella'''<br />
*:How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information. <br />
<br />
*'''Topic To be confirmed - Justin Clarke'''<br />
*:Exciting OWASP topic to be confirmed!<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government. He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering, OSINT and offensive security<br />
<br />
*'''Justin Clarke'''<br />
*:Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
Further 2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=205824London2016-01-05T09:01:50Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter board is Justin Clarke (justin.clarke [at] owasp.org), Sam Stepanyan and Sherif Mansour Farag. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella'''<br />
*:How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information. <br />
<br />
*'''Topic To be confirmed - Justin Clarke'''<br />
*:Exciting OWASP topic to be confirmed!<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government. He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering, OSINT and offensive security<br />
<br />
*'''Justin Clarke'''<br />
*:Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
Further 2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=User:Neill_Gernon&diff=197371User:Neill Gernon2015-07-12T07:55:52Z<p>Justin42: Blanked the page</p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=London&diff=195881London2015-06-08T11:10:18Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''OSINT SECURITY 2.0 Past, Present and Future - Christian Martorella'''<br />
*:How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security. The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information. <br />
<br />
*'''Topic To be confirmed - Justin Clarke'''<br />
*:Exciting OWASP topic to be confirmed!<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government. He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering, OSINT and offensive security<br />
<br />
*'''Justin Clarke'''<br />
*:Director and Co-Founder of Gotham Digital Science Ltd (a subsidiary of Gotham Digital Science LLC, based in New York). Senior security consultant with extensive international Big 4 risk management, security consulting and testing experience. Based in the United Kingdom, with previous experience in the United States and New Zealand. Lead author/technical editor of "SQL Injection Attacks and Defenses" - published May 2009 by Syngress, co-author of "Network Security Tools" - published April 2005 by O'Reilly, contributor to "Network Security Assessment, 2nd Edition", as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
Further 2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=195376London2015-05-27T09:10:04Z<p>Justin42: /* Future Events */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
TBD<br />
<br />
====Speakers====<br />
<br />
TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
Further 2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=195375London2015-05-27T09:09:44Z<p>Justin42: /* Past Events */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
TBD<br />
<br />
====Speakers====<br />
<br />
TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=195374London2015-05-27T09:09:20Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, June 11th 2015 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
TBD<br />
<br />
====Speakers====<br />
<br />
TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Christian Martorella, Zigor Zumalde, Colin Watson, Matteo Meucci<br />
<br />
====Talks====<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift ([https://www.owasp.org/index.php/File:Owasplondon-roundup-20141204.pptx presentation])<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=Global_Initiatives/Cyber_Security_Pre-accelerator_Initiative&diff=191506Global Initiatives/Cyber Security Pre-accelerator Initiative2015-03-16T16:51:07Z<p>Justin42: Deleting content at the request of Neill Gernon (content author)</p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=Global_Initiatives/Cyber_Security_Startup_Initiative&diff=191505Global Initiatives/Cyber Security Startup Initiative2015-03-16T16:50:41Z<p>Justin42: Deleting content at the request of Neill Gernon (content author)</p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=London&diff=186219London2014-12-01T11:31:12Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''Offensive OSINT - Christian Martorella and Zigor Zumalde'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government. <br />
*:He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering and offensive security.<br />
<br />
*'''Zigor Zumalde'''<br />
*:Bio to follow<br />
<br />
*'''Colin Watson'''<br />
*:Technical Director, Watson Hall.<br />
<br />
*'''Matteo Meucci'''<br />
*:Matteo has more than 13 years specialising in Application Security and has worked with OWASP since 2002: he founded the OWASP Italy Chapter in 2005 and has lead the OWASP Testing Guide since 2006. Matteo is invited to speak at many events all around the world talking about Web Application Security. <br />
*:Matteo has undergraduate degrees in Computer Science Engineering from the University of Bologna. He is also the CEO and a cofounder of Minded Security since 2007, where he is responsible for strategic direction and business development for the Company. Prior to founding Minded Security, Matteo had several consultancy experiences from BT Global Services, INS, Business-e and CryptoNet.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=185492London2014-11-17T14:20:09Z<p>Justin42: /* Speakers */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''Offensive OSINT - Christian Martorella'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:Abstract to follow<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Bio to follow<br />
<br />
*'''Colin Watson'''<br />
*:Technical Director, Watson Hall.<br />
<br />
*'''Matteo Meucci'''<br />
*:Bio to follow<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=185491London2014-11-17T14:19:44Z<p>Justin42: /* Talks */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''Offensive OSINT - Christian Martorella'''<br />
*:Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks<br />
<br />
*'''Round-up - Colin Watson''' <br />
*:OWASP news and Christmas gift<br />
<br />
*'''OWASP Testing Guide v4 - Matteo Meucci'''<br />
*:Abstract to follow<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Bio to follow<br />
<br />
*'''Colin Watson'''<br />
*:Technical Director, Watson Hall.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=185024London2014-11-10T13:47:18Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Facebook at https://www.facebook.com/OWASPLondon<br />
, Twitter at http://twitter.com/owasplondon and |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 4th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''TBD - Christian Martorella'''<br />
*:Abstract to follow<br />
<br />
*'''TBD - Colin Watson''' <br />
*:Description to follow<br />
<br />
====Speakers====<br />
<br />
*'''Christian Martorella'''<br />
*:Bio to follow<br />
<br />
*'''Colin Watson'''<br />
*:Technical Director, Watson Hall.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
2015 event details to come!<br />
<br />
== Past Events ==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': John Smith, Joe Pelietier, Colin Watson<br />
<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''Anatomy of a Data Breach - Joe Pelletier''' <br />
*: The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.<br />
<br />
*'''OWASP Roundup - Colin Watson''' <br />
*: Information on some recent project releases, conference recordings and AppSec EU 2015. ([[Media:Owasplondon-20140918.pptx|PPT]])<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Hacker Fantastic, Colin Watson<br />
<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=181937London2014-09-08T10:14:56Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''Global Application Security Survey & Benchmarking - John Smith'''<br />
*:This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.<br />
<br />
*'''TBD - TBD''' <br />
*: TBD.<br />
<br />
====Speakers====<br />
<br />
*'''John Smith'''<br />
*:John Smith is the leading security expert in EMEA for application security specialists, Veracode. John has extensive experience advising some of the world’s largest organisations on information security and building tailored strategies to leverage the correct balance of people, process and technology to secure the application layer. John has over ten years’ experience in IT and software security, specialising in web application security, security testing and vulnerability management. Before joining Veracode John worked as a Senior Security Architect at Sanctum and Watchfire, which became IBM’s application security practice after an acquisition in 2007.<br />
<br />
*'''TBD'''<br />
*:TBD.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=181782London2014-09-05T10:26:03Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time''')<br />
<br />
====Talks====<br />
*'''TBD - TBD'''<br />
*: TBD.<br />
<br />
*'''TBD - TBD''' <br />
*: TBD.<br />
<br />
====Speakers====<br />
<br />
*'''TBD'''<br />
*:TBD.<br />
<br />
*'''TBD'''<br />
*:TBD.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=181781London2014-09-05T10:23:48Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start '''on time.)'''<br />
<br />
====Talks====<br />
*'''TBD - TBD'''<br />
*: TBD.<br />
<br />
*'''TBD - TBD''' <br />
*: TBD.<br />
<br />
====Speakers====<br />
<br />
*'''TBD'''<br />
*:TBD.<br />
<br />
*'''TBD'''<br />
*:TBD.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=178694London2014-07-14T11:17:01Z<p>Justin42: /* Future Events */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Time:''' Thursday, 15 May 2014 from 18:30 to 20:30 (BST) (We start '''on time.)'''<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson''' ([https://www.owasp.org/index.php/File:Owasplondon-colinwatson-appsensor-guide-v2.pdf PDF])<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
====Speakers====<br />
<br />
*'''Hacker Fantastic'''<br />
*:Hacker Fantastic is a white hat who enjoys writing software, tinkering with computers and everything security related. He has been extensively researching computer security topics for over 10 years and has a deep interest in offensive security techniques. Hacker Fantastic is extremely passionate about computer security and has researched and developed offensive security tools against major product vendors including Microsoft, Apple, NetBSD, Cisco, Linux, Hewlett Packard, SCO, Silicon Graphics, IBM, SAGEM and NetGear.<br />
<br />
*'''Colin Watson'''<br />
*:Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He was a member of the former OWASP Global Industry Committee, and is currently project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, contributes to Open Software Assurance Maturity Model, CISO Guide and CISO Survey, and wrote the Application Logging Cheat sheet. He holds a BSc in Chemical Engineering from Heriot-Watt University in Edinburgh, and an MSc in Computation from the University of Oxford.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=174531London2014-05-08T10:33:06Z<p>Justin42: /* Talks */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Hacker Fantastic'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson'''<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
====Speakers====<br />
<br />
*'''Hacker Fantastic'''<br />
*:Hacker Fantastic is a white hat who enjoys writing software, tinkering with computers and everything security related. He has been extensively researching computer security topics for over 10 years and has a deep interest in offensive security techniques. Hacker Fantastic is extremely passionate about computer security and has researched and developed offensive security tools against major product vendors including Microsoft, Apple, NetBSD, Cisco, Linux, Hewlett Packard, SCO, Silicon Graphics, IBM, SAGEM and NetGear.<br />
<br />
*'''Colin Watson'''<br />
*:Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He was a member of the former OWASP Global Industry Committee, and is currently project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, contributes to Open Software Assurance Maturity Model, CISO Guide and CISO Survey, and wrote the Application Logging Cheat sheet. He holds a BSc in Chemical Engineering from Heriot-Watt University in Edinburgh, and an MSc in Computation from the University of Oxford.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=174530London2014-05-08T10:32:48Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Heartbleed Teardown - Rick Doten'''<br />
*: An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.<br />
<br />
*'''AppSensor 2.0 - Colin Watson'''<br />
*: The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.<br />
<br />
====Speakers====<br />
<br />
*'''Hacker Fantastic'''<br />
*:Hacker Fantastic is a white hat who enjoys writing software, tinkering with computers and everything security related. He has been extensively researching computer security topics for over 10 years and has a deep interest in offensive security techniques. Hacker Fantastic is extremely passionate about computer security and has researched and developed offensive security tools against major product vendors including Microsoft, Apple, NetBSD, Cisco, Linux, Hewlett Packard, SCO, Silicon Graphics, IBM, SAGEM and NetGear.<br />
<br />
*'''Colin Watson'''<br />
*:Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He was a member of the former OWASP Global Industry Committee, and is currently project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, contributes to Open Software Assurance Maturity Model, CISO Guide and CISO Survey, and wrote the Application Logging Cheat sheet. He holds a BSc in Chemical Engineering from Heriot-Watt University in Edinburgh, and an MSc in Computation from the University of Oxford.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=173725London2014-04-28T21:08:56Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Application Security with Hardware Roots of Trust - Rick Doten'''<br />
*: Hardware-based security is an unfortunately seldom-leveraged solution to protect our enterprises by bringing a root of trust for system, user identity, and encryption of data. By insuring that only authorised users authenticate using cryptological certificates stored in secure hardware chips of PCs, tablets, and phones, we can also provide more granular application control of data to increase privacy. <br />
*: The core of trusted computing already exists in most PC systems today. Many PC’s include a dormant Trusted Platform Module (TPM) that uses a standard from the Trusted Computing Group (TCG). The TPM can be activated to encrypt hard drives on the hardware level, provide controlled network access, and deliver measurements on boot process for unauthorised changes. With an abstraction layer called the Trusted Software Stack (TSS) specification, we can leverage this strong authentication into applications. We can also use this credential for data encryption that can’t be man-in-the-middle attacked like SSL, while giving the opportunity to digitally sign data and documents. Further, we can utilize hardware measurements to provide a level of system trust, which we could use to dynamically alter application access and functionality based on that trust level.<br />
*: This presentation will provide an overview of these current and future application security capabilities, and how developers will soon be able to leverage hardware roots of trust to make more secure applications.<br />
<br />
*'''AppSensor 2.0 - Colin Watson'''<br />
*: Abstract to come.<br />
<br />
====Speakers====<br />
<br />
*'''Rick Doten'''<br />
*:Rick Doten is CISO for Digital Management Inc (DMI). He has over 23 years of experience in the IT industry, the last 16 focused on cyber security Before DMI, Rick was a Risk Management Consultant at Gartner. He was Chief Scientist at the Lockheed Martin Center for Cyber Security Innovation (CCSI). Rick was Managing Principal for Verizon Business’s East Coast Professional Security Services practice. Earlier his career, he was an “Ethical Hacker” at Global Integrity. Rick has been quoted in dozens of security articles such as Dark Reading, SC Magazine, Infosecurity Professional magazine, and Mashable, and has appeared on CNN, TechTV, and the National Insider as a cyber security expert. Rick also holds a Patent for Wireless Intrusion Detection technology. <br />
<br />
*'''Colin Watson'''<br />
*:Bio to come.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou<br />
<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=170352London2014-03-18T16:21:44Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''OWASP WebSpa - Yiannis Pavlosoglou'''<br />
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.<br />
<br />
====Speakers====<br />
<br />
*'''Nikos Vassakis'''<br />
*:Nikos is a security consultant at SECFORCE. He holds a BSc in Computer Science and an MSc in Information Security, and has 2 years of security related working experience. When not working breaking one technology or another, he drinks beer, socialises and when time permits works on research projects. Current research activities focus mainly on post-exploitation network traffic tunnelling techniques and trying to take over the world.<br />
<br />
*'''Rodrigo Marcos'''<br />
*:Rodrigo is a security CREST consultant at SECFORCE, with 10 years of experience in the penetration testing industry. His interests cover a wide range of areas, such as network protocol fuzzing, programming and "high-protein" web hacking - trying to minimise the gap between web application and infrastructure testing to achieve his ultimate goal: World domination, one IP address at a time.<br />
<br />
*'''Yiannis Pavlosoglou'''<br />
*:There is a world of numbers, hiding behind letters, inside computers, this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=169625London2014-03-07T11:19:57Z<p>Justin42: /* Speakers */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''TBD - TBD'''<br />
*: TBD<br />
<br />
====Speakers====<br />
<br />
*'''Nikos Vassakis'''<br />
*:Nikos is a security consultant at SECFORCE. He holds a BSc in Computer Science and an MSc in Information Security, and has 2 years of security related working experience. When not working breaking one technology or another, he drinks beer, socialises and when time permits works on research projects. Current research activities focus mainly on post-exploitation network traffic tunnelling techniques and trying to take over the world.<br />
<br />
*'''Rodrigo Marcos'''<br />
*:Rodrigo is a security CREST consultant at SECFORCE, with 10 years of experience in the penetration testing industry. His interests cover a wide range of areas, such as network protocol fuzzing, programming and "high-protein" web hacking - trying to minimise the gap between web application and infrastructure testing to achieve his ultimate goal: World domination, one IP address at a time.<br />
<br />
*'''TBD'''<br />
*:TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=169624London2014-03-07T11:19:38Z<p>Justin42: /* Talks */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''TBD - TBD'''<br />
*: TBD<br />
<br />
====Speakers====<br />
<br />
*'''Nikos Vassakis'''<br />
*:Nikos is a security consultant at SECFORCE. He holds a BSc in Computer Science and an MSc in Information Security, and has 2 years of security related working experience.<br />
When not working breaking one technology or another, he drinks beer, socialises and when time permits works on research projects. Current research activities focus mainly on post-exploitation network traffic tunnelling techniques and trying to take over the world.<br />
<br />
*'''Rodrigo Marcos'''<br />
*:Rodrigo is a security CREST consultant at SECFORCE, with 10 years of experience in the penetration testing industry.<br />
His interests cover a wide range of areas, such as network protocol fuzzing, programming and "high-protein" web hacking - trying to minimise the gap between web application and infrastructure testing to achieve his ultimate goal: World domination, one IP address at a time.<br />
<br />
*'''TBD'''<br />
*:TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=169623London2014-03-07T11:19:12Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''<br />
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues.<br />
Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP).<br />
This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.<br />
<br />
*'''TBD - TBD'''<br />
*: TBD<br />
<br />
====Speakers====<br />
<br />
*'''Nikos Vassakis'''<br />
*:Nikos is a security consultant at SECFORCE. He holds a BSc in Computer Science and an MSc in Information Security, and has 2 years of security related working experience.<br />
When not working breaking one technology or another, he drinks beer, socialises and when time permits works on research projects. Current research activities focus mainly on post-exploitation network traffic tunnelling techniques and trying to take over the world.<br />
<br />
*'''Rodrigo Marcos'''<br />
*:Rodrigo is a security CREST consultant at SECFORCE, with 10 years of experience in the penetration testing industry.<br />
His interests cover a wide range of areas, such as network protocol fuzzing, programming and "high-protein" web hacking - trying to minimise the gap between web application and infrastructure testing to achieve his ultimate goal: World domination, one IP address at a time.<br />
<br />
*'''TBD'''<br />
*:TBD<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom<br />
<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=165692London2014-01-10T15:02:28Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''<br />
*: Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.<br />
<br />
====Speakers====<br />
<br />
*'''Justin Clarke'''<br />
*:Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has many years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009, 2012), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
<br />
*'''Marco Morana'''<br />
*:In his current position, Marco runs the application architecture security program globally for one of the largest Financial Institutions (FI) of the world in London U.K. He is also technical advisory for security technology start up and contributor of EU projects for cyber security. During his 15+ years of distinguished career in security, he specialised in application and software security consulting services for major Fortune 500 companies and contributed to the secure design of business critical applications and security tools. Among the notable contributions in application security, include the development of first secure email with S-MIME (1996) and the first Intrusion Detection System (IDS) tool (1998). Marco current interests are in the research of cyber threat analysis and attack modelling processes and processes to better manage the risk of emerging cyber threats. Marco academic credentials include a Masters Degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate Degree (Dr. Ing.) in Mechanical Engineering from University of Padova, Italy. Marco is also a Certified Software Security Lifecycle Professional (CSSLP).<br />
<br />
*'''Tobias Gondrom'''<br />
*:Tobias Gondrom is a global board member of OWASP, the project lead of the OWASP CISO Survey and CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, Germany and United Kingdom.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=165540London2014-01-07T16:14:43Z<p>Justin42: /* Past Events */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''TBD'''<br />
<br />
====Speakers====<br />
<br />
*'''Justin Clarke'''<br />
*:Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has many years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009, 2012), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
<br />
*'''TBD'''<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=165539London2014-01-07T16:01:07Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
====Talks====<br />
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''<br />
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).<br />
<br />
*'''TBD'''<br />
<br />
====Speakers====<br />
<br />
*'''Justin Clarke'''<br />
*:Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has many years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009, 2012), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
<br />
*'''TBD'''<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Ofer Maor and Colin Watson<br />
<br />
====Talks====<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=164126London2013-12-02T15:33:47Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
====Talks====<br />
*'''IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''<br />
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
====Speakers====<br />
<br />
*'''Ofer Maor'''<br />
*:Ofer Maor has over 18 years of experience in information and application security and penetration testing. In his current role as Founder and CTO of Quotium, Mr. Maor is leading Seeker® - the new generation of application security, allowing organisations to effectively protect their business and data from application threats. He was previously the Founder and CTO of Hacktics™, where he helped create a world-class leading professional security services group, later acquired by EY to become a global excellence centre, and has also served as the Chairman of OWASP Israel and a member of the OWASP Global Membership Committee.<br />
<br />
*'''Colin Watson'''<br />
*:Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, wrote the Application Logging Cheat sheet. He is currently writing the new AppSensor Guide which is due for publication in early 2014.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163990London2013-11-29T11:01:22Z<p>Justin42: /* RSVP */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
====Talks====<br />
*'''TBD - TBD'''<br />
*:Description coming<br />
<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.<br />
<br />
====Speakers====<br />
<br />
*'''TBD'''<br />
*:Bio coming<br />
<br />
*'''Colin Watson'''<br />
*:Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, wrote the Application Logging Cheat sheet. He is currently writing the new AppSensor Guide which is due for publication in early 2014.<br />
<br />
====RSVP====<br />
<br />
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163826London2013-11-25T13:02:36Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
====Talks====<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Description coming<br />
<br />
*'''TBD - TBD'''<br />
*:Description coming<br />
<br />
====Speakers====<br />
<br />
*'''Colin Watson'''<br />
*:Bio coming<br />
<br />
*'''TBD'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
<br />
RSVP is not yet open, however watch this space. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163825London2013-11-25T13:02:27Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
====Talks====<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Description coming<br />
<br />
*'''TBD - TBD'''<br />
*:Description coming<br />
<br />
====Speakers====<br />
<br />
*'''Colin Watson'''<br />
*:Bio coming<br />
<br />
*'''TBD'''<br />
*:Bio coming<br />
<br />
<br />
====RSVP====<br />
<br />
RSVP is not yet open, however watch this space. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163824London2013-11-25T13:01:43Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
====Talks====<br />
*'''OWASP Cornucopia - Colin Watson'''<br />
*:Description coming<br />
<br />
*'''TBD - TBD'''<br />
*:Description coming<br />
<br />
====Speakers====<br />
<br />
*'''Colin Watson'''<br />
*:Bio coming<br />
<br />
*'''TBD'''<br />
*:Bio coming<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163823London2013-11-25T12:57:53Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, December 12th 2013 (Central London)===<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
== Future Events ==<br />
<br />
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:<br />
<br />
===Thursday, January 16th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, March 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, May 15th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, July 17th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, September 18th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
===Thursday, November 20th 2014 (Central London)===<br />
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST<br />
<br />
== Past Events ==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Speakers''': Dinis Cruz and Justin Clarke<br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=163822London2013-11-25T12:47:47Z<p>Justin42: /* Meeting Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=File:Skype_logo_solid.jpg&diff=163821File:Skype logo solid.jpg2013-11-25T12:46:26Z<p>Justin42: </p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161333London2013-10-23T14:54:12Z<p>Justin42: /* Meeting Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161294London2013-10-22T14:54:15Z<p>Justin42: /* Meeting Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
The following is the list of organisations who have generously provided us with space for London chapter meetings:<br /><br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
Note - this is not a complete list, so if you've hosted a meeting for us in the past (and you've cleared it with your corporate branding folks) please let [mailto:justin.clarke@owasp.org Justin] know so he can get your logo up here as well.<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161293London2013-10-22T14:48:40Z<p>Justin42: /* Chapter Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:<br /><br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161292London2013-10-22T14:31:51Z<p>Justin42: /* Thursday, October 24th 2013 (Central London) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161291London2013-10-22T14:31:10Z<p>Justin42: /* Chapter Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}<br />
<br />
==Meeting Sponsors==<br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=File:NetSparker_Logo_ResizedLondon.png&diff=161290File:NetSparker Logo ResizedLondon.png2013-10-22T14:30:34Z<p>Justin42: </p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161289London2013-10-22T14:29:03Z<p>Justin42: /* Meeting Sponsors */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Meeting Sponsors==<br />
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=File:Hicon_hotels-128-TM-R.PNG&diff=161288File:Hicon hotels-128-TM-R.PNG2013-10-22T14:28:29Z<p>Justin42: </p>
<hr />
<div></div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161287London2013-10-22T14:26:44Z<p>Justin42: </p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Meeting Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161177London2013-10-21T08:43:19Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
====RSVP====<br />
Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161176London2013-10-21T08:42:18Z<p>Justin42: /* Future Events */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
'''RSVP''': Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013/2014 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=161175London2013-10-21T08:41:15Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
====Talks==== <br />
<br />
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''<br />
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.<br />
<br />
*'''OWASP Mobile Top 10 - Justin Clarke'''<br />
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.<br />
<br />
====Speakers====<br />
*'''Dinis Cruz'''<br />
*:Bio coming<br />
<br />
*'''Justin Clarke'''<br />
*:Bio coming<br />
<br />
'''RSVP''': Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=160672London2013-10-14T13:09:18Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013 (Central London)===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Talks''' <br />
Talks list coming<br />
<br />
'''Speakers'''<br />
Speakers listing coming<br />
<br />
'''RSVP''': Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=160671London2013-10-14T13:09:05Z<p>Justin42: /* Next Meeting/Event(s) */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th 2013===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Talks''' <br />
Talks list coming<br />
<br />
'''Speakers'''<br />
Speakers listing coming<br />
<br />
'''RSVP''': Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42https://wiki.owasp.org/index.php?title=London&diff=160670London2013-10-14T13:08:50Z<p>Justin42: /* Thursday, October 24th */</p>
<hr />
<div>{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}<br />
==Chapter Sponsors==<br />
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}<br />
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}<br />
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_Resized7-3-13.png}}<br />
<br />
==Next Meeting/Event(s)==<br />
<br />
===Thursday, October 24th===<br />
'''Location''': Expedia Inc, Angel Building, 407 St John Street, London, EC1V 4EX<br />
<br />
'''Talks''' <br />
Talks list coming<br />
<br />
'''Speakers'''<br />
Speakers listing coming<br />
<br />
'''RSVP''': Please RSVP at [http://owasp-london.eventbrite.co.uk EventBrite] for the event. RSVP will close the end of the day before the event.<br />
<br />
== Future Events ==<br />
<br />
Watch this space for 2013 dates!<br />
<br />
== Past Events ==<br />
<br />
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===<br />
<br />
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY<br />
<br />
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.<br />
<br />
===Thursday, November 8th 2012 (Central London)===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Petko Petkov and Marco Morana<br />
<br />
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' <br />
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.<br />
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.<br />
<br />
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])<br />
*:The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.<br />
<br />
=== Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members) ===<br />
<br />
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB<br />
<br />
'''Time''': 10:00am - 4:30pm<br />
<br />
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!<br />
<br />
=== Thursday, March 29th 2012 (Central London) ===<br />
<br />
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA<br />
<br />
'''Speakers''': Jim Manico and Manish Saindane<br />
<br />
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])<br />
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.<br />
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])<br />
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.<br />
<br />
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Viet Pham and Tobias Gondrom<br />
<br />
*''Implementing cryptography: good theory vs. bad practice - Viet Pham ([[https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF]])<br />
:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.<br />
<br />
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([[http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF]])<br />
:"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."<br />
<br />
=== Thursday, February 2nd 2012 ,18:30-21:00 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves<br />
<br />
*''Security as Pollution (lessons learned)'' - Dinis Cruz<br />
*:Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010<br />
<br />
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz<br />
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011<br />
<br />
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves<br />
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.<br />
<br />
*''What's Happening on OWASP Today'' - Sarah Baso<br />
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment<br />
<br />
=== Thursday, September 8th 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX<br />
<br />
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])<br />
<br />
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an<br />
ineffective industry.<br />
<br />
=== Friday, June 3rd 2011 ===<br />
<br />
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
=== Thursday, April 14th 2011 ===<br />
<br />
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH<br />
<br />
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])<br />
*:Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.<br />
<br />
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''<br />
*:Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future<br />
<br />
=== Thursday, February 17th 2011 ===<br />
<br />
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA<br />
<br />
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.<br />
<br />
== Archived Events ==<br />
<br />
For events before 2011, see [[Archived OWASP London Events]]<br />
<br />
== Other Activities ==<br />
<br />
*'''February 2010 - Personal Information Online COP'''<br />
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.<br />
<br />
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''<br />
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009]. Short-listed June 2009. Announcement due 2 July 2009.<br />
<br />
*'''16th October 2008 - COI Browser Standards for Public Websites'''<br />
<br />
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).<br />
<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Justin42